Two newly discovered zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) have become a significant concern for enterprise networks worldwide. These vulnerabilities are actively being exploited, putting corporate infrastructures at risk across multiple nations.
Uncovering the Ivanti EPMM Vulnerabilities
The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, allow attackers to execute arbitrary code remotely on targeted servers without credentials or any user interaction. They have already impacted organizations in several countries, including the United States, Germany, Australia, and Canada, across critical sectors such as government, healthcare, manufacturing, and technology.
These security gaps enable threat actors to take full control of mobile device management systems, facilitating activities like installing web shells, conducting reconnaissance, and downloading malware.
Global Impact and Exploitation
Since the vulnerabilities were revealed in January 2026, Unit 42 has reported a surge in automated exploitation attempts. The U.S. Cybersecurity and Infrastructure Security Agency has quickly added CVE-2026-1281 to its catalog of known exploited vulnerabilities, highlighting the urgency of the threat.
Palo Alto Networks researchers have identified over 4,400 EPMM instances exposed on the internet. Attackers have been accelerating their tactics, shifting from initial reconnaissance to deploying backdoors that ensure long-term access, even after security patches are applied.
Technical Details and Mitigation Measures
The vulnerabilities originate from unsafe use of bash scripts in legacy components that manage URL rewriting in the Apache server configuration. CVE-2026-1281 affects the scripts for In-House Application Distribution, while CVE-2026-1340 affects the Android File Transfer feature.
Attackers have used various malware and tools to exploit these vulnerabilities, including lightweight JSP web shells and the Nezha monitoring agent. Ivanti has released patches that require no downtime and are quick to apply. Organizations are urged to patch immediately and check for any signs of past exploitation.
Ivanti has also provided an Exploitation Detection script, developed with NCSC-NL, to help identify potential breaches. Experts recommend adopting an assumed breach mentality, treating any detection of indicators as a sign of deeper compromise.
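The article mentions lightweight JSP web shells as a post-exploitation artifact and recommends checking for signs of past compromise. The following is an added illustration of what a first-pass file-system check for that artifact class can look like; it is not Ivanti's Exploitation Detection script, it knows nothing about EPMM's real directory layout (the scanned path is whatever the caller supplies), and the code patterns it looks for are generic indicators seen in JSP web shells rather than anything specific to these CVEs. The sample files it creates in the demo are constructed fixtures containing indicator tokens only.

```python
"""Heuristic scan for suspicious JSP files (generic web shell indicators).

Added example, not Ivanti's detection script. It walks a directory tree,
flags .jsp/.jspx files that were modified recently or that contain code
patterns commonly seen in lightweight JSP web shells, and returns findings
ranked by a simple score so they can be triaged under an assumed-breach
approach (any hit is a reason to look deeper, not a verdict).
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Generic indicators: command execution reachable from request parameters,
# dynamic class loading and base64-wrapped payloads. Assumed heuristics only.
SUSPICIOUS_PATTERNS = {
    "runtime_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
    "process_builder": re.compile(r"new\s+ProcessBuilder\s*\("),
    "request_param": re.compile(r"request\.getParameter\s*\("),
    "class_loader": re.compile(r"defineClass\s*\("),
    "base64_decode": re.compile(r"Base64\.getDecoder\(\)\.decode\s*\("),
}


@dataclass
class Finding:
    path: str
    recently_modified: bool
    matched: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # A request-controlled value feeding command execution is the classic
        # shell shape, so that combination is weighted above single matches.
        score = len(self.matched)
        if "request_param" in self.matched and (
            "runtime_exec" in self.matched or "process_builder" in self.matched
        ):
            score += 2
        if self.recently_modified:
            score += 1
        return score


def scan_jsp_tree(root: str, max_age_days: float = 30,
                  now: Optional[float] = None) -> List[Finding]:
    """Return findings for JSP files under root, highest score first."""
    now = time.time() if now is None else now
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            matched = [k for k, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
            recent = (now - mtime) <= max_age_days * 86400
            if matched or recent:
                findings.append(Finding(path, recent, matched))
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed fixtures for the demo: a benign page and a file holding only the
# indicator tokens inside a JSP comment (deliberately not working code).
SAMPLE_BENIGN = (
    '<%@ page contentType="text/html" %>\n'
    "<html><body>Status: <%= new java.util.Date() %></body></html>\n"
)
SAMPLE_SUSPICIOUS = (
    "<%-- constructed test fixture: indicator tokens only --%>\n"
    "<%-- request.getParameter( ... ) Runtime.getRuntime().exec( ... ) --%>\n"
)


def demo(base: Optional[str] = None) -> List[Finding]:
    """Write the two fixtures into a temp directory and scan it."""
    base = base or tempfile.mkdtemp(prefix="jsp-scan-")
    benign = os.path.join(base, "index.jsp")
    with open(benign, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_BENIGN)
    old = time.time() - 90 * 86400  # backdate so it is not "recent"
    os.utime(benign, (old, old))
    with open(os.path.join(base, "help.jsp"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SUSPICIOUS)
    return scan_jsp_tree(base)


if __name__ == "__main__":
    for f in demo():
        print(f"score={f.score} recent={f.recently_modified} {f.path} {f.matched}")
```

Run against a real tree, the recent-modification test alone will produce noise after a legitimate upgrade, which is why the score separates "new file" from "new file that also contains exec reachable from a request parameter"; the point is to rank what to look at first, with the vendor's detection script and a full assumed-breach investigation as the actual decision makers.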
