Ivanti Endpoint Manager Mobile (EPMM) devices are currently under attack by cybercriminals who are embedding dormant backdoors within these systems. These backdoors can remain inactive for extended periods, posing a significant security threat.
Exploitation of Critical Ivanti Vulnerabilities
Recently, Ivanti disclosed two critical vulnerabilities affecting EPMM—CVE-2026-1281 and CVE-2026-1340. These vulnerabilities involve authentication bypass and remote code execution, impacting different software packages. Despite the distinct packages, the end result is the same: attackers gain unauthenticated access to application-level endpoints.
Ivanti has issued security advisories with mitigation and patching instructions. Nonetheless, cybercriminals began exploiting these vulnerabilities shortly after their disclosure, showcasing the urgency of implementing these security measures.
Mechanism of the Dormant Backdoors
Security firm Defusedcyber observed that successful intrusions often resulted in artifacts being placed at the path /mifs/403.jsp. While the file path is familiar in Ivanti/MobileIron attacks, the payload differs. Instead of using an interactive webshell, attackers transmitted a Base64-encoded Java class file.
This Java class file acts as a dormant in-memory class loader, awaiting activation. This approach allows attackers to establish a presence without immediately executing commands, complicating detection efforts.
Operational Details and Recommendations
The implanted Java class, compiled from Info.java, does not provide typical webshell capabilities like file browsing or command execution. Instead, it waits for an activation request to run additional Java classes directly in memory. This approach minimizes detection by avoiding standard servlet methods.
Defenders should consider any indication of this activity as a potential compromise. Ivanti’s guidance recommends immediate patching of EPMM systems and restarting application servers to clear any in-memory implants. Monitoring logs for specific requests and patterns is crucial for early detection.
Despite the observed deployments, follow-on actions such as the delivery of second-stage classes remain unseen. This suggests a strategy where attackers secure access for future exploitation by different actors.
Conclusion and Future Considerations
The emergence of this threat underscores the importance of timely patching and vigilant monitoring. Organizations relying on Ivanti EPMM must act swiftly to safeguard their systems against these sophisticated attacks. As cyber threats evolve, continuous adaptation of security measures and awareness is vital to protect against future incursions.
For the latest cybersecurity updates, follow us on Google News, LinkedIn, and X. Contact us to share your stories.
