Ivanti has rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks, one of which has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog.
The critical-severity vulnerabilities are listed below –
CVE-2026-1281 (CVSS score: 9.8) – A code injection allowing attackers to achieve unauthenticated remote code execution
CVE-2026-1340 (CVSS score: 9.8) – A code injection allowing attackers to achieve unauthenticated remote code execution
They affect the following versions –
EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (Fixed in RPM 12.x.0.x)
EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (Fixed in RPM 12.x.1.x)
However, it bears noting that the RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities will be permanently addressed in EPMM version 12.8.0.0, which will be released later in Q1 2026.
“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti said in an advisory, adding it does not have enough information about the threat actor tactics to “provide proven, reliable atomic indicators.”
The company noted that CVE-2026-1281 and CVE-2026-1340 affect the In-House Application Distribution and the Android File Transfer Configuration features. These shortcomings do not affect other products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry.
In a technical analysis, Ivanti said it has typically seen two forms of persistence based on prior attacks targeting older vulnerabilities in EPMM. This includes deploying web shells and reverse shells for setting up persistence on the compromised appliances.
“Successful exploitation of the EPMM appliance will enable arbitrary code execution on the appliance,” Ivanti noted. “Aside from lateral movement to the connected environment, EPMM also contains sensitive information about devices managed by the appliance.”
Users are advised to check the Apache access log at “/var/log/httpd/https-access_log” to look for signs of attempted or successful exploitation using the below regular expression (regex) pattern –
“Legitimate use of these capabilities will result in 200 HTTP response codes in the Apache Access Log, whereas successful or attempted exploitation will cause 404 HTTP response codes,” it explained.
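As an added example (not from the article, Ivanti's advisory, or any Ivanti tooling), the following Python script applies the 200-versus-404 heuristic above to Apache combined-format lines such as those in https-access_log. Because the article does not reproduce Ivanti's regex, the path pattern AFFECTED_PATH_RE is a labelled placeholder to be replaced with the pattern from the advisory; the log lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict

# Apache combined log format, the layout used by /var/log/httpd/https-access_log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# PLACEHOLDER: substitute the request-path pattern from Ivanti's advisory for the
# affected features; the article does not reproduce it, so this value is invented.
AFFECTED_PATH_RE = re.compile(r'^/PLACEHOLDER-affected-feature-path/')

# Constructed sample lines (not captured from any real appliance).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jan/2026:10:01:02 +0000] "GET /PLACEHOLDER-affected-feature-path/app.apk HTTP/1.1" 200 5120
203.0.113.10 - - [20/Jan/2026:10:01:05 +0000] "GET /unrelated/page HTTP/1.1" 200 2048
198.51.100.7 - - [20/Jan/2026:10:07:41 +0000] "POST /PLACEHOLDER-affected-feature-path/x HTTP/1.1" 404 196
198.51.100.7 - - [20/Jan/2026:10:07:42 +0000] "POST /PLACEHOLDER-affected-feature-path/y HTTP/1.1" 404 196
192.0.2.5 - - [20/Jan/2026:10:09:00 +0000] "GET /nonexistent HTTP/1.1" 404 196
"""

def triage(log_text, path_re=AFFECTED_PATH_RE):
    """Return {ip: {"legit": count of 200s, "suspect": count of 404s}} for requests
    whose path matches path_re. Other paths (e.g. a random 404) are ignored."""
    counts = defaultdict(lambda: {"legit": 0, "suspect": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not path_re.search(m.group("path")):
            continue
        status = m.group("status")
        if status == "200":
            counts[m.group("ip")]["legit"] += 1
        elif status == "404":
            counts[m.group("ip")]["suspect"] += 1
    return dict(counts)

def suspicious_sources(log_text, path_re=AFFECTED_PATH_RE):
    """Source IPs with at least one 404 against the affected paths, most 404s first."""
    c = triage(log_text, path_re)
    return sorted((ip for ip, v in c.items() if v["suspect"]), key=lambda ip: -c[ip]["suspect"])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, v in triage(text).items():
        print(f"{ip}: {v['legit']} x 200 (legitimate use), {v['suspect']} x 404 (review)")
```

Run it with the access log path as its only argument; with no argument it processes the constructed sample, and any source listed by suspicious_sources warrants the configuration review Ivanti describes.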
In addition, customers are being asked to review the following to look for any evidence of unauthorized configuration changes –
EPMM administrators for new or recently changed administrators
Authentication configuration, including SSO and LDAP settings
New push applications for mobile devices
Configuration changes to applications you push to devices, including in-house applications
New or recently modified policies
Network configuration changes, including any network configuration or VPN configuration you push to mobile devices
In the event signs of compromise are detected, Ivanti is also urging users to restore the EPMM device from a known good backup or build a replacement EPMM and then migrate data to the device. Once the steps are performed, it’s essential to make the following changes to secure the environment –
Reset the password of any local EPMM accounts
Reset the password for the LDAP and/or KDC service accounts that perform lookups
Revoke and replace the public certificate used for your EPMM
Reset the password for any other internal or external service accounts configured with the EPMM solution
The development has prompted CISA to add CVE-2026-1281 to the KEV catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the updates by February 1, 2026.
Original source: The Hacker News. Author: info@thehackernews.com (The Hacker News)