Two Ivanti EPMM Zero Day RCE Vulnerabilities Actively Exploited, Security Updates Released

Ivanti has released urgent security updates to fix two critical vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM), both of which have been actively exploited as zero day attacks. One of the flaws has also been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog, highlighting the severity of the threat.

The vulnerabilities allow unauthenticated remote code execution and pose a serious risk to organizations running affected EPMM versions.

Details of the Exploited Vulnerabilities

The two security flaws are classified as critical severity and are listed below:

  • CVE-2026-1281, CVSS score 9.8, code injection leading to unauthenticated remote code execution
  • CVE-2026-1340, CVSS score 9.8, code injection leading to unauthenticated remote code execution

The issues impact the following EPMM versions:

  • EPMM 12.5.0.0 and earlier, 12.6.0.0 and earlier, 12.7.0.0 and earlier, fixed via RPM 12.x.0.x
  • EPMM 12.5.1.0 and earlier, 12.6.1.0 and earlier, fixed via RPM 12.x.1.x

Ivanti clarified that RPM based patches do not persist through version upgrades and must be reapplied after upgrading the appliance. A permanent fix will be included in EPMM version 12.8.0.0, scheduled for release later in Q1 2026.

Limited Exploitation Observed, Investigation Ongoing

Ivanti stated that only a very small number of customer environments were confirmed to be exploited at the time of disclosure. However, the company noted that there is insufficient visibility into attacker behavior to provide reliable atomic indicators of compromise.

Both CVE-2026-1281 and CVE-2026-1340 affect the In House Application Distribution and Android File Transfer Configuration features. Ivanti confirmed that other products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager, and Ivanti Sentry, are not impacted.

Persistence Techniques and Post Exploitation Risks

Based on historical attacks targeting earlier EPMM vulnerabilities, Ivanti observed two common persistence methods: deployment of web shells and reverse shells on compromised appliances.

Successful exploitation enables arbitrary code execution on the EPMM appliance. In addition to lateral movement opportunities, the platform stores sensitive information about managed mobile devices, increasing the potential impact of a breach.

How to Detect Possible Exploitation

Ivanti recommends reviewing the Apache access log located at:

/var/log/httpd/https-access_log

Administrators should search for suspicious activity using the following regex pattern:

^(?!127\.0\.0\.1:\d+.*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404

According to Ivanti, legitimate use of these endpoints generates HTTP 200 responses, while exploitation attempts typically result in HTTP 404 responses.
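The following is an added example, not code from Ivanti or watchTowr, showing how the advisory regex above behaves when run over access log entries. It assumes the https-access_log uses an Apache combined-style format whose first field is client:port (the advisory regex implies this, since it excludes 127.0.0.1:port), and the sample lines are constructed. It also adds a stricter parser (an assumption, not part of the advisory) that checks the actual status field, because the published pattern matches the literal "404" anywhere after the path, including in a user agent string.

```python
import re

# Regex published in Ivanti's advisory, used unmodified.
ADVISORY_PATTERN = re.compile(
    r'^(?!127\.0\.0\.1:\d+.*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404'
)

# Stricter variant (assumption, not from the advisory): parse the quoted
# request line and the status field of a combined-format entry so that a
# "404" appearing elsewhere (URL, referer, user agent) is not a false positive.
STRICT_PATTERN = re.compile(
    r'^(?!127\.0\.0\.1:\d+)(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>/mifs/c/(?:aft|app)store/fob/\S*) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Constructed sample entries (client:port first field is an assumed log format).
SAMPLE_LOG = [
    '203.0.113.5:51234 - - [30/Jan/2026:10:15:02 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=x,et=1,h=abc/app.ipa HTTP/1.1" 404 1234 "-" "curl/8.0"',
    '127.0.0.1:40012 - - [30/Jan/2026:10:15:09 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=x,et=1,h=abc/app.ipa HTTP/1.1" 404 1234 "-" "localcheck/1.0"',
    '198.51.100.7:44321 - - [30/Jan/2026:10:16:30 +0000] "GET /mifs/c/aftstore/fob/2/7/sha256:kid=2,st=y,et=2,h=def/file.apk HTTP/1.1" 200 8812 "-" "Dalvik/2.1"',
    '198.51.100.9:44400 - - [30/Jan/2026:10:17:44 +0000] "GET /mifs/c/appstore/fob/1/2/legit.ipa HTTP/1.1" 200 5678 "-" "Agent/404.1"',
]


def advisory_match(line):
    """True when the line matches Ivanti's published regex."""
    return ADVISORY_PATTERN.search(line) is not None


def strict_match(line):
    """Return client/path/status for an external fob request answered with 404, else None."""
    m = STRICT_PATTERN.match(line)
    if not m or m.group('status') != '404':
        return None
    return {'client': m.group('client'), 'path': m.group('path'), 'status': m.group('status')}


def scan_access_log(lines):
    """Return (line numbers flagged by the advisory regex, line numbers flagged by the strict check)."""
    advisory_hits = [n for n, line in enumerate(lines, 1) if advisory_match(line)]
    strict_hits = [n for n, line in enumerate(lines, 1) if strict_match(line)]
    return advisory_hits, strict_hits


if __name__ == '__main__':
    for n in scan_access_log(SAMPLE_LOG)[1]:
        print(f'line {n}: {strict_match(SAMPLE_LOG[n - 1])}')
```

On the constructed sample the advisory regex flags lines 1 and 4, while the strict check flags only line 1; line 4 is a 200 response whose user agent merely contains "404", so it is worth triaging any advisory hits against the real status field before escalating.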

Additional Indicators of Compromise to Review

Organizations are advised to examine their environments for unauthorized changes, including:

  • Newly created or modified EPMM administrator accounts
  • Authentication configuration changes, including SSO and LDAP
  • Newly added push applications
  • Unauthorized changes to in house applications
  • Recently altered policies
  • Network or VPN configuration changes pushed to devices

If compromise is suspected, Ivanti strongly recommends restoring from a known good backup or rebuilding the EPMM appliance entirely, followed by data migration.

After remediation, the following security steps are critical:

  • Reset all local EPMM account passwords
  • Reset LDAP or KDC service account credentials
  • Revoke and reissue the EPMM public certificate
  • Reset credentials for any connected internal or external service accounts

CISA Adds CVE to KEV Catalog

The severity of the issue prompted CISA to add CVE-2026-1281 to its KEV catalog. Federal Civilian Executive Branch agencies are required to apply the security updates no later than February 1, 2026.

Patch Analysis Reveals Exploitation Vector

In an update published January 30, 2026, researchers from watchTowr Labs reported that they reverse engineered Ivanti’s RPM patches. Their analysis found that the updates modify the Apache HTTPd configuration by replacing two Bash scripts with newly introduced Java classes.

The original scripts were:

  • /mi/bin/map-appstore-url
  • /mi/bin/map-aft-store-url

This change indicates that exploitation occurs through HTTP requests. According to watchTowr Labs, a specially crafted HTTP GET request could be used to trigger the vulnerability, such as:

GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60sleep%205%60%5D/e2327851-1e09-4463-9b5a-b524bc71fc07.ipa

The vulnerability arises because the Bash script allowed fetching mobile applications based on multiple user controlled parameters, including salt index, timestamps, hash values, and file identifiers.

As a result, malicious input could be executed when Apache passed crafted values to the script.

Organizations Must Assume Exposure Means Compromise

watchTowr CEO Benjamin Harris warned that patching alone may not be sufficient. Since attackers exploited these vulnerabilities as zero days, organizations that had exposed EPMM instances to the internet at the time of disclosure should assume compromise, dismantle affected infrastructure, and initiate full incident response procedures.
