Imagine your organization's mobile device management system being silently hijacked, handing attackers the keys to your kingdom. That is the chilling reality for some Ivanti Endpoint Manager Mobile (EPMM) users right now. Two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, are being actively exploited, allowing attackers to execute code remotely without credentials. Even more alarming: one of these flaws has been judged severe enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch it immediately.
These vulnerabilities, both scoring a near-maximum 9.8 on the CVSS severity scale, enable attackers to inject malicious code into Ivanti EPMM systems. The flaws specifically affect the In-House Application Distribution and Android File Transfer Configuration features; Ivanti states that other products, including Ivanti Neurons for MDM, Endpoint Manager (EPM), and Sentry, are unaffected. The affected versions are EPMM 12.5.0.0 and earlier, 12.6.0.0 and earlier, and 12.7.0.0 and earlier (fixed by the RPM 12.x.0.x patch), as well as EPMM 12.5.1.0 and earlier and 12.6.1.0 and earlier (fixed by the RPM 12.x.1.x patch).
But here's the catch: the RPM patch is temporary and won't survive a version upgrade, so it must be reapplied if you update your appliance. A permanent fix is expected in EPMM version 12.8.0.0, slated for release later in Q1 2026. Ivanti acknowledges that a small number of customers have already fallen victim to these exploits, though it does not yet have enough detail on the attackers' tactics to publish specific indicators of compromise.
In its technical analysis, Ivanti highlights that attackers often deploy web shells and reverse shells to maintain persistence on compromised systems. This raises a pointed question: are organizations doing enough to monitor for these kinds of persistent threats? After all, a successful exploit not only allows arbitrary code execution but also exposes sensitive data about managed devices. To detect potential breaches, Ivanti recommends checking the Apache access log at /var/log/httpd/https-access_log for suspicious patterns using the regex: ^(?!127\.0\.0\.1:\d+.*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404. The negative lookahead at the start excludes requests that originate from 127.0.0.1, so the pattern flags only external requests to the /mifs/c/aftstore/fob/ or /mifs/c/appstore/fob/ paths that returned a 404. Legitimate activity on these paths produces 200 HTTP response codes, while exploitation attempts trigger 404s.
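As an added example (not code from the article or from Ivanti), the script below applies Ivanti's published regex to access-log lines and tallies hits per client address. The log layout and the sample lines are constructed for the example, since the article does not show the real EPMM log format; only the regex and the log path are taken from the advisory text above.

```python
import re
from collections import Counter

# Ivanti's detection regex, copied verbatim from the advisory text.
EPMM_EXPLOIT_PATTERN = re.compile(
    r"^(?!127\.0\.0\.1:\d+.*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# Default log location named in the advisory.
EPMM_ACCESS_LOG = "/var/log/httpd/https-access_log"

# Constructed sample lines in an assumed Apache-style layout with a
# "client:port" prefix. The real EPMM log layout is an assumption here.
SAMPLE_LOG = """\
127.0.0.1:43210 - - [12/Jan/2026:10:00:01 +0000] "GET /mifs/c/appstore/fob/pkg HTTP/1.1" 404 512 "-" "curl/8.0"
203.0.113.7:51234 - - [12/Jan/2026:10:00:02 +0000] "GET /mifs/c/appstore/fob/pkg HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7:51235 - - [12/Jan/2026:10:00:03 +0000] "POST /mifs/c/aftstore/fob/pkg HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.4:51236 - - [12/Jan/2026:10:00:04 +0000] "GET /mifs/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.4:51237 - - [12/Jan/2026:10:00:05 +0000] "GET /mifs/c/appstore/fob/pkg HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""


def find_exploit_attempts(log_text):
    """Return every access-log line that matches Ivanti's detection regex.

    Localhost requests are skipped by the regex's own negative lookahead,
    and 200 responses on the watched paths (legitimate use) do not match.
    """
    return [line for line in log_text.splitlines() if EPMM_EXPLOIT_PATTERN.search(line)]


def attempts_by_client(log_text):
    """Count matching lines per client address, dropping the source port."""
    counts = Counter()
    for line in find_exploit_attempts(log_text):
        client = line.split(" ", 1)[0].rsplit(":", 1)[0]
        counts[client] += 1
    return dict(counts)


def scan_file(path=EPMM_ACCESS_LOG):
    """Scan an on-disk access log (run this on the appliance, or on a copied log)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_exploit_attempts(fh.read())


if __name__ == "__main__":
    for line in find_exploit_attempts(SAMPLE_LOG):
        print("SUSPECT:", line)
    print(attempts_by_client(SAMPLE_LOG))
```

A hit only shows that a non-local client received a 404 on one of the watched paths, so follow up with the configuration checks Ivanti lists rather than treating each match as a confirmed compromise.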
Customers are also urged to scrutinize their systems for unauthorized changes, including new administrators, altered authentication settings, unexpected push applications, modified policies, and network configuration tweaks. If signs of compromise are detected, Ivanti advises restoring the EPMM device from a clean backup or building a new one and migrating data. Afterward, it is crucial to reset passwords for local accounts and LDAP/KDC service accounts, revoke and replace public certificates, and secure any other service accounts tied to the EPMM solution.
CISA’s addition of CVE-2026-1281 to the KEV catalog underscores the urgency, requiring Federal Civilian Executive Branch (FCEB) agencies to patch by February 1, 2026. But what about non-federal organizations? Are they moving fast enough to protect themselves? Let us know your thoughts in the comments—is your organization prepared to handle such critical vulnerabilities, or is there room for improvement?