Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released

Ivanti has released emergency security updates to fix two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) that are being actively exploited in the wild. One of the flaws has been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for organizations to take immediate action.

Critical Zero-Day RCE Vulnerabilities

The two vulnerabilities enable unauthenticated remote code execution (RCE) and carry near-maximum severity ratings:

  • CVE-2026-1281 (CVSS 9.8): Code injection leading to unauthenticated RCE
  • CVE-2026-1340 (CVSS 9.8): Code injection leading to unauthenticated RCE

Ivanti confirmed that exploitation has already occurred against a limited number of customers at the time of disclosure, although detailed indicators of compromise were not available due to insufficient visibility into attacker tactics.

Affected Versions and Fixes

The flaws impact multiple supported versions of Ivanti EPMM:

  • EPMM 12.5.0.0 and earlier, 12.6.0.0 and earlier, 12.7.0.0 and earlier
    Fixed via RPM patches for 12.x.0.x
  • EPMM 12.5.1.0 and earlier, 12.6.1.0 and earlier
    Fixed via RPM patches for 12.x.1.x

Ivanti cautioned that RPM-based fixes do not persist across version upgrades and must be reapplied after updating the appliance. A permanent fix will be included in EPMM version 12.8.0.0, expected later in the first quarter of 2026.

The company emphasized that the vulnerabilities are confined to In-House Application Distribution and Android File Transfer Configuration features and do not affect other Ivanti products such as Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry.

Exploitation Risks and Persistence Techniques

Successful exploitation allows attackers to execute arbitrary code on the EPMM appliance, potentially enabling persistent access, lateral movement, and exposure of sensitive data related to managed mobile devices.

Based on prior attacks against EPMM, Ivanti noted that threat actors commonly establish persistence using web shells or reverse shells, making post-exploitation detection and remediation critical.

How to Detect Potential Exploitation

Ivanti recommends reviewing Apache access logs at:

/var/log/httpd/https-access_log

Administrators should look for suspicious requests returning 404 HTTP response codes, particularly involving the following path pattern:

/mifs/c/(aft|app)store/fob/

Legitimate activity typically generates 200 responses, while exploitation attempts often result in 404 errors.
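The check Ivanti describes above, written out as a small log scanner. This is an added example, not Ivanti's own tooling: it assumes the access log is in the standard Apache common/combined format (host, identity, user, timestamp, request line, status, size), parses each line, and flags requests whose path starts with the advisory's `/mifs/c/(aft|app)store/fob/` pattern and that returned a 404. The sample log lines are constructed and use documentation IP ranges; they are not real traffic.

```python
"""Scan Apache-style access log lines for the pattern Ivanti's advisory
points at: requests under /mifs/c/(aft|app)store/fob/ that return 404.

Added example, not Ivanti's code. Assumes the Apache common/combined
log layout; all sample lines below are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Apache common/combined prefix: host ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path pattern from the advisory, matched as a prefix of the request path.
SUSPICIOUS_PATH_RE = re.compile(r'^/mifs/c/(aft|app)store/fob/')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of one access-log line, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry: Dict[str, str]) -> bool:
    """True when the request targets the advisory's path pattern and the server answered 404."""
    path = entry["path"].split("?", 1)[0]  # ignore any query string when matching the path
    return entry["status"] == "404" and bool(SUSPICIOUS_PATH_RE.match(path))


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that match the 404 + path heuristic; unparseable lines are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append(entry)
    return hits


def summarize_by_host(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source address, to spot repeated probing from one origin."""
    return dict(Counter(h["host"] for h in hits))


# Constructed sample lines (not real traffic). 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges. Legitimate client traffic returns 200; the two 404s
# against the advisory's path are the ones the heuristic should surface.
SAMPLE_LOG = [
    '198.51.100.10 - - [20/Jan/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 200 5120 "-" "EPMM-Client"',
    '203.0.113.7 - - [20/Jan/2026:10:02:15 +0000] "GET /mifs/c/aftstore/fob/ HTTP/1.1" 404 196 "-" "curl/8.4.0"',
    '203.0.113.7 - - [20/Jan/2026:10:02:16 +0000] "POST /mifs/c/appstore/fob/?x=1 HTTP/1.1" 404 196 "-" "curl/8.4.0"',
    '198.51.100.11 - - [20/Jan/2026:10:03:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    # To run against the appliance log, replace SAMPLE_LOG with the lines of
    # /var/log/httpd/https-access_log read from disk.
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['time']} {hit['host']} {hit['method']} {hit['path']} -> {hit['status']}")
    print(summarize_by_host(hits))
```

A 404 on this path is a heuristic, not proof of compromise: a misconfigured client can produce one too, so treat hits as leads for the audit steps in the next section, weighted by how many distinct paths one source probed and whether that source is a known device or management host.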

Incident Response and Hardening Guidance

Organizations are advised to audit their EPMM environments for unauthorized changes, including:

  • Newly created or modified administrator accounts
  • Altered authentication settings (SSO, LDAP)
  • Unexpected push applications or policy changes
  • Network, VPN, or mobile configuration modifications

If compromise is suspected, Ivanti strongly recommends restoring from a known-good backup or rebuilding the EPMM appliance and migrating data. Following remediation, administrators should rotate all relevant credentials, revoke and replace certificates, and reset service account passwords.

CISA Mandate for Federal Agencies

CISA has added CVE-2026-1281 to its KEV catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by February 1, 2026.

Urgent Call to Action

With EPMM appliances often exposed to the internet and tightly integrated with enterprise environments, these vulnerabilities present a high-impact risk. Security teams are urged to apply patches immediately, validate that fixes remain in place after upgrades, and conduct thorough compromise assessments.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO