Cyber Web Spider Blog – News

Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released

Posted on January 30, 2026 By CWS

Ravie Lakshmanan, Jan 30, 2026, Vulnerability / Enterprise Security
Ivanti has rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks, one of which has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog.
The critical-severity vulnerabilities are listed below –

CVE-2026-1281 (CVSS score: 9.8) – A code injection allowing attackers to achieve unauthenticated remote code execution
CVE-2026-1340 (CVSS score: 9.8) – A code injection allowing attackers to achieve unauthenticated remote code execution

They affect the following versions –

EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (Fixed in RPM 12.x.0.x)
EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (Fixed in RPM 12.x.1.x)

However, it bears noting that the RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities will be permanently addressed in EPMM version 12.8.0.0, which will be released later in Q1 2026.
"We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," Ivanti said in an advisory, adding it does not have enough information about the threat actor tactics to provide "confirmed, reliable atomic indicators."
The company noted that CVE-2026-1281 and CVE-2026-1340 affect the In-House Application Distribution and the Android File Transfer Configuration features. These shortcomings do not affect other products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry.
In a technical analysis, Ivanti said it has typically seen two forms of persistence in prior attacks targeting older vulnerabilities in EPMM: deploying web shells and reverse shells to maintain access to the compromised appliances.
"Successful exploitation of the EPMM appliance will allow arbitrary code execution on the appliance," Ivanti noted. "Apart from lateral movement to the connected environment, EPMM also contains sensitive information about devices managed by the appliance."
Users are advised to check the Apache access log at "/var/log/httpd/https-access_log" for signs of attempted or successful exploitation using the regular expression (regex) pattern below –

^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404

"Legitimate use of these features will result in 200 HTTP response codes in the Apache Access Log, while successful or attempted exploitation will cause 404 HTTP response codes," it explained.
In addition, customers are being asked to review the following for any evidence of unauthorized configuration changes –
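As an added example (not from the article, and not Ivanti's own tooling), the script below runs the advisory regex over a handful of constructed access-log lines and, alongside it, a stricter check that parses the client, request path and status field instead of looking for "404" anywhere on the line. The "client:port - - [timestamp] "METHOD path PROTO" status bytes" log layout, the sample lines, the script name hunt_epmm.py and the function names are assumptions made for the example.

```python
import re
import sys
from collections import Counter

# Ivanti's published hunting pattern as reproduced in the advisory text above
# (backslash restored in \d+). The negative lookahead discards requests the
# appliance makes to itself (logged as 127.0.0.1:<port>); the rest flags any
# request to the In-House App Distribution (appstore) or Android File Transfer
# (aftstore) endpoints that is followed anywhere on the line by "404".
IVANTI_PATTERN = re.compile(r"^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404")

# Stricter parse: pull client, request path and HTTP status out of each line so
# the 404 is checked in the status field rather than anywhere on the line.
# ASSUMPTION: the https-access_log uses a "client:port - - [ts] "req" status bytes"
# layout, chosen to be consistent with the lookahead in Ivanti's pattern.
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
AFFECTED_PATH = re.compile(r"/mifs/c/(aft|app)store/fob/")

# Constructed sample lines (not real appliance data). Line 3 is loopback
# traffic, line 4 is legitimate use (200), line 5 is a 200 whose byte count
# happens to be 404, line 6 is an unrelated request.
SAMPLE_LOG = [
    '203.0.113.10:51234 - - [30/Jan/2026:10:15:02 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.7:40022 - - [30/Jan/2026:10:16:11 +0000] "POST /mifs/c/aftstore/fob/ HTTP/1.1" 404 196 "-" "curl/8.4.0"',
    '127.0.0.1:33000 - - [30/Jan/2026:10:16:30 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 196 "-" "Java/17"',
    '10.0.0.5:51000 - - [30/Jan/2026:10:17:05 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.6:51001 - - [30/Jan/2026:10:17:09 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 200 404 "-" "Mozilla/5.0"',
    '203.0.113.10:51235 - - [30/Jan/2026:10:18:40 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2210 "-" "python-requests/2.31"',
]


def advisory_hits(lines):
    """Lines matched by Ivanti's regex, exactly as the advisory suggests running it."""
    return [ln for ln in lines if IVANTI_PATTERN.search(ln)]


def strict_hits(lines):
    """Same hunt, but a hit requires status 404 in the status field, a request
    path under one of the affected endpoints, and a non-loopback client."""
    hits = []
    for ln in lines:
        m = ACCESS_LINE.match(ln)
        if not m:
            continue  # unparseable line: leave it for manual review
        if m["client"].startswith("127.0.0.1:"):
            continue
        if m["status"] == "404" and AFFECTED_PATH.search(m["path"]):
            hits.append(m.groupdict())
    return hits


def by_source(hits):
    """Count strict hits per client IP (port stripped) to prioritise triage."""
    return dict(Counter(h["client"].rsplit(":", 1)[0] for h in hits))


if __name__ == "__main__":
    # Usage: python hunt_epmm.py /var/log/httpd/https-access_log
    # With no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = [ln.rstrip("\n") for ln in fh]
    else:
        lines = SAMPLE_LOG
    loose, strict = advisory_hits(lines), strict_hits(lines)
    print(f"advisory regex: {len(loose)} line(s); strict parse: {len(strict)} line(s)")
    for h in strict:
        print(f"{h['ts']}  {h['client']:<22} {h['method']} {h['path']} -> {h['status']}")
    print("per source:", by_source(strict))
```

On the sample, the advisory regex flags three lines (including the 200 response with a 404-byte body), while the strict parse flags two. The looser match is the safer starting point on a real appliance, with the parsed view used to triage it; an empty result proves little on its own, since Ivanti itself says it has no confirmed atomic indicators and a post-exploitation attacker may have truncated the log.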

EPMM administrators, for new or recently modified administrators
Authentication configuration, including SSO and LDAP settings
New push applications for mobile devices
Configuration changes to applications you push to devices, including in-house applications
New or recently modified policies
Network configuration changes, including any network configuration or VPN configuration you push to mobile devices

In the event indicators of compromise are detected, Ivanti is also urging users to restore the EPMM device from a known good backup or build a replacement EPMM and then migrate data to the new device. Once those steps are performed, it is essential to make the following changes to secure the environment –

Reset the password of any local EPMM accounts
Reset the password for the LDAP and/or KDC service accounts that perform lookups
Revoke and replace the public certificates used on your EPMM
Reset the password for any other internal or external service accounts configured with the EPMM solution

The development has prompted CISA to add CVE-2026-1281 to the KEV catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the updates by February 1, 2026.

Source: The Hacker News. Tags: Actively, EPMM, Exploited, Flaws, Ivanti, RCE, Released, Security, Updates, ZeroDay