Ivanti on Thursday announced emergency patches for two critical-severity vulnerabilities in Endpoint Manager Mobile (EPMM) that were exploited in the wild as zero-days.
Tracked as CVE-2026-1281 and CVE-2026-1340 (CVSS score of 9.8), the bugs are described as code injection issues that could be exploited by unauthenticated attackers to achieve remote code execution (RCE).
The flaws impact the in-house application distribution and the Android file transfer configuration features of EPMM.
Successful exploitation of the zero-days could allow attackers to execute arbitrary code, move laterally into the connected environment, and access sensitive information stored in EPMM.
Such information could include administrator information (name, email, and username), user information (name, email, username, and user principal name for AD), and mobile device details (phone number, location, identifier, IMEI, IP address, UUID, application details, and other identification data).
“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti notes in its advisory.
According to the company, all EPMM versions up to 12.5.0.0, 12.6.0.0, 12.7.0.0, 12.5.1.0, and 12.6.1.0 are affected.
Ivanti released RPM patches 12.x.0.x and 12.x.1.x that address the security defects. The fixes are version-specific, and customers need to apply only the RPM applicable to their EPMM version.
The company notes that the RPM scripts must be reapplied in the event EPMM is updated to a newer version.
“We strongly encourage all EPMM customers to adopt version 12.8.0.0 once it has been released later in Q1 2026. Once you have upgraded to 12.8.0.0, you will not need to reapply the RPM script,” Ivanti notes.
Scarce information on exploitation
No other Ivanti products are affected by the exploited zero-day vulnerabilities, and the company has published generic information on detecting exploitation attempts.
“Due to the small number of known-impacted customers, Ivanti does not have enough information about the threat actor tactics to provide confirmed, reliable atomic indicators,” the company notes.
Based on the exploitation of previous EPMM bugs, Ivanti says, two common methods of persistence have surfaced: the deployment of web shell capabilities targeting HTTP error pages, and the deployment of reverse shells.
Exploitation attempts using these methods can be identified either through unexpected WAR or JAR files on the system, or through firewall log entries for outbound network connections initiated by the appliance.
“Based on Ivanti’s analysis of threat actor toolkits targeting older vulnerabilities on the Ivanti appliance, analysts should assume that the threat actor methods will likely include the clearing of logs or removal of specific log entries,” the company notes.
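The two generic checks Ivanti describes (unexpected WAR or JAR archives on the appliance, and firewall records of outbound connections the appliance initiated) can be automated. The script below is an added example written for this article, not code from Ivanti or its advisory. It assumes a hypothetical appliance address, a hypothetical allowlist of destinations the appliance legitimately talks to (internal LDAP/KDC ranges, a push or update service), hypothetical directories where archives are expected, and constructed file paths and iptables-style firewall log lines; none of these values come from Ivanti. The firewall log is read off-box on purpose: Ivanti's note that attackers likely clear or prune logs on the appliance is exactly why an independent perimeter log is the more trustworthy source.

```python
import ipaddress
import re

# Constructed values for this example (assumptions, not from Ivanti's advisory):
# the appliance's own address and the destinations it is expected to reach.
APPLIANCE_IPS = {"10.20.30.40"}
ALLOWED_DST_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # internal LDAP, KDC, etc.
ALLOWED_DST_HOSTS = {"198.51.100.10"}                       # hypothetical push/update service

# Hypothetical directories where WAR/JAR archives legitimately live on the appliance.
EXPECTED_ARCHIVE_DIRS = ("/opt/app/webapps", "/opt/app/lib")

# Constructed file list, e.g. output of: find / -name '*.war' -o -name '*.jar'
SAMPLE_PATHS = [
    "/opt/app/webapps/portal.war",
    "/opt/app/lib/logging.jar",
    "/tmp/cache/helper.war",
    "/var/lib/tomcat/work/error.jar",
]

# Constructed iptables-style firewall log (OUT=eth1 is the internet-facing side).
SAMPLE_FW_LOG = """\
Jan 15 03:12:40 fw kernel: IN=eth0 OUT=eth1 SRC=10.20.30.40 DST=10.1.1.5 PROTO=TCP SPT=40120 DPT=636 SYN
Jan 15 03:12:41 fw kernel: IN=eth0 OUT=eth1 SRC=10.20.30.40 DST=198.51.100.10 PROTO=TCP SPT=40121 DPT=443 SYN
Jan 15 03:12:44 fw kernel: IN=eth0 OUT=eth1 SRC=10.20.30.40 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=4444 SYN
Jan 15 03:12:45 fw kernel: IN=eth0 OUT=eth1 SRC=10.20.30.40 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=4444 ACK
Jan 15 03:12:50 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.5.9 DST=10.20.30.40 PROTO=TCP SPT=52000 DPT=443 SYN
"""

FW_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?(?P<flags>.*)$"
)


def flag_unexpected_archives(paths, expected_dirs=EXPECTED_ARCHIVE_DIRS):
    """Return .war/.jar paths that sit outside the directories where they are expected."""
    expected = tuple(d.rstrip("/") + "/" for d in expected_dirs)
    return sorted(
        p for p in paths
        if p.lower().endswith((".war", ".jar")) and not p.startswith(expected)
    )


def _destination_allowed(dst):
    """True if the destination is an allowlisted host or inside an allowlisted network."""
    if dst in ALLOWED_DST_HOSTS:
        return True
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in ALLOWED_DST_NETS)


def flag_outbound_connections(log_text, appliance_ips=APPLIANCE_IPS):
    """Return (timestamp, dst, dport) for new connections (SYN without ACK) that the
    appliance initiated towards destinations outside the allowlist.

    Only connection initiations are counted, so the established-flow ACK line and
    inbound traffic to the appliance are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        flags = m.group("flags").split()
        if m.group("src") not in appliance_ips or "SYN" not in flags or "ACK" in flags:
            continue
        if _destination_allowed(m.group("dst")):
            continue
        hits.append((line[:15], m.group("dst"), int(m.group("dpt") or 0)))
    return hits


if __name__ == "__main__":
    for path in flag_unexpected_archives(SAMPLE_PATHS):
        print("unexpected archive:", path)
    for ts, dst, dport in flag_outbound_connections(SAMPLE_FW_LOG):
        print(f"{ts} appliance initiated connection to {dst}:{dport}")
```

On a real investigation, feed the archive check the output of a `find` run against the appliance and feed the connection check the firewall's own log export; a hit from either list is a lead to triage, not proof of compromise, since legitimate updates or integrations may be missing from the allowlist.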
Ivanti warns that, in addition to compromising the environment and accessing the sensitive information available on EPMM’s MIFS portal, attackers could make changes to the EPMM configuration to add new admin accounts, modify authentication policies, push new apps to devices, and modify network configurations.
“Please note that this is general guidance and Ivanti has not observed or received any indication that such changes have been made to a customer’s EPMM appliance maliciously,” Ivanti notes.
In the event organizations identify successful compromise of EPMM instances, Ivanti recommends either restoring the appliance from a known good backup or building a fresh instance and migrating all data.
“Ivanti does NOT recommend attempting to clean the system after it has been compromised,” the company notes.
Ivanti also notes that organizations should restore their systems while keeping them disconnected from the internet, and that mitigations and patches should be applied before returning the system to service.
The remediation and recovery actions should also include resetting the passwords for local EPMM accounts, for LDAP and/or KDC service accounts, and for any other internal or external service accounts, and revoking and replacing the public certificates EPMM uses.
CISA KEV
On Thursday, the US cybersecurity agency CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it by February 1.
As mandated by Binding Operational Directive (BOD) 22-01, federal agencies typically have three weeks to apply fixes and mitigations for vulnerabilities newly added to the KEV list.
The short timeframe provided for CVE-2026-1281 indicates the severity of the flaw. Should a federal agency be unable to meet the deadline, it is required to take the necessary steps to comply with the directive as soon as possible.
“Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice,” CISA notes.
