CRITICAL: Active Exploitation of Dual Ivanti EPMM Zero-Days

by CyberNewsAI Admin

Executive Summary

A critical threat advisory has been issued regarding two unauthenticated Remote Code Execution (RCE) vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Both vulnerabilities, identified as CVE-2026-1281 and CVE-2026-1340, have a CVSS score of 9.8. These flaws are currently undergoing active exploitation in the wild, leading CISA to add CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog. Immediate remediation is mandatory for all affected entities.

Technical Analysis

The vulnerabilities stem from code injection flaws within specific components of the EPMM architecture. Specifically, the In-House Application Distribution and Android File Transfer Configuration features are the primary vectors for exploitation.

  • CVE-2026-1281 (9.8 CVSS): Allows an unauthenticated attacker to achieve RCE via a crafted request to the vulnerable endpoints.
  • CVE-2026-1340 (9.8 CVSS): A secondary injection vector with the same impact: full system takeover.

Threat Actor Tactics: Observed activity indicates that attackers are utilizing these flaws to establish persistence via web shells and reverse shells. Once initial access is achieved, the Threat Actors are positioned to pivot laterally into the internal network or extract sensitive metadata regarding managed mobile devices.

Affected Versions

The following versions are confirmed vulnerable:

  • EPMM 12.5.0.0, 12.6.0.0, 12.7.0.0 and prior.
  • EPMM 12.5.1.0, 12.6.1.0 and prior.

Impact

Successful exploitation grants the attacker root-level privileges on the EPMM appliance. This allows for:

  • Data Exfiltration: Access to device inventories, user credentials, and configuration profiles.
  • Lateral Movement: The EPMM server often sits in a privileged network position, serving as a gateway to the broader enterprise environment.
  • Persistence: Installation of backdoors that survive standard reboots.

Mitigation and Remediation

1. Patching

Ivanti has released RPM patches for versions 12.x. These must be applied immediately.

  • CRITICAL NOTE: These RPM patches do not survive a version upgrade. If the appliance is upgraded, the patch must be reapplied until Version 12.8.0.0 (scheduled for Q1 2026) is deployed.

2. Detection and Hunting

SOC analysts should inspect the Apache access logs located at /var/log/httpd/https-access_log. Use the following Regex to identify exploitation attempts (look for 404 status codes associated with these paths):

[Image not reproduced: the original post supplied the path regex as an image, and the patterns are not recoverable from this extract.]
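The hunting step above boils down to parsing the httpd access log, keeping the 404 responses, and matching the request path against the advisory's regex. The following script is an added example, not code from the original post or from Ivanti: it assumes the standard Apache "combined" log format, and the `SUSPECT_PATHS` entries are explicit placeholders that must be replaced with the patterns from the vendor advisory before use. The embedded log lines are constructed sample data, not real traffic.

```python
"""Hunt an Apache access log for 404s against suspect request paths.

Added example (not part of the original advisory). Assumptions:
  - the log uses the Apache "combined" format;
  - SUSPECT_PATHS holds PLACEHOLDER regexes; substitute the advisory's own
    patterns before running this against a real appliance.
"""
import re
from collections import Counter

# Apache "combined" format: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# PLACEHOLDER patterns: the advisory's real regex is not reproduced here.
SUSPECT_PATHS = [
    re.compile(r"^/PLACEHOLDER_VULNERABLE_ENDPOINT_1"),
    re.compile(r"^/PLACEHOLDER_VULNERABLE_ENDPOINT_2"),
]

# Default log location named in the advisory.
DEFAULT_LOG = "/var/log/httpd/https-access_log"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def hunt(lines, patterns=SUSPECT_PATHS, statuses=(404,)):
    """Return parsed records whose path matches a suspect pattern and whose
    status is in `statuses` (default: the 404s the advisory tells us to look for;
    widen to e.g. (200, 404) to also see requests that succeeded)."""
    hits = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed or truncated line; skip rather than crash
        if rec["status"] in statuses and any(p.search(rec["path"]) for p in patterns):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per source IP so repeated probing from one host stands out."""
    return Counter(h["ip"] for h in hits)


def hunt_file(path=DEFAULT_LOG, **kwargs):
    """Run hunt() over a log file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return hunt(fh, **kwargs)


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2026:12:00:01 +0000] "POST /PLACEHOLDER_VULNERABLE_ENDPOINT_1/x HTTP/1.1" 404 221 "-" "curl/8.0"',
    '203.0.113.10 - - [10/Jan/2026:12:00:02 +0000] "GET /PLACEHOLDER_VULNERABLE_ENDPOINT_2 HTTP/1.1" 404 221 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jan/2026:12:01:00 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2026:12:01:05 +0000] "GET /PLACEHOLDER_VULNERABLE_ENDPOINT_1 HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
    "this line is not in access-log format",
]

if __name__ == "__main__":
    for rec in hunt(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print("hits per source:", dict(summarize(hunt(SAMPLE_LOG))))
```

Run it against the appliance's own log with `hunt_file()` once the placeholder patterns are replaced; a source IP that accumulates several hits in a short window is the first thing to pull into the compromise assessment below.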

3. Compromise Assessment

If signs of exploitation are found:

  • Restore from a known-good backup or rebuild the appliance.
  • Rotate all credentials, including local EPMM accounts, LDAP/KDC service accounts, and public certificates.
  • Check for unauthorized configuration changes in SSO settings, LDAP configurations, and newly pushed applications.