Full Report
Limited attacks occurred prior to Ivanti’s disclosure, followed by mass exploitation by multiple threat groups. More than 1,400 potentially vulnerable instances remain exposed. Source article: “Ivanti’s EPMM is under active attack, thanks to two critical zero-days” (CyberScoop).
Analysis Summary
# Vulnerability: Critical Zero-Days in Ivanti EPMM Leading to Remote Code Execution
## CVE Details
- CVE ID: CVE-2026-1281, CVE-2026-1340
- CVSS Score: 9.8 (Critical)
- CWE: Not stated in the source article. The description (attacker-supplied input treated as trusted code) is consistent with a code-injection or improper-input-validation weakness, but this is an inference, not a vendor-assigned CWE.
## Affected Systems
- Products: Ivanti Endpoint Manager Mobile (EPMM)
- Versions: All on-premises EPMM customers running versions prior to the applicable patches.
- Configurations: On-premises deployments.
## Vulnerability Description
Two critical zero-day vulnerabilities in Ivanti EPMM allow unauthenticated remote attackers to achieve remote code execution (RCE). The reporting indicates that attacker-supplied input ends up being treated as trusted code, allowing malicious payloads to execute, a pattern seen in earlier EPMM vulnerabilities.
## Exploitation
- Status: Exploited in the wild (Limited initial attacks followed by mass exploitation by multiple threat groups). Both CVEs have been exploited.
- Complexity: Low (inferred from the rapid, opportunistic mass exploitation; not a vendor-stated value).
- Attack Vector: Network (Unauthenticated remote access).
## Impact
- Confidentiality: High (Implied by RCE capability on a network edge device)
- Integrity: High (Implied by RCE capability on a network edge device)
- Availability: High (Implied by RCE capability on a network edge device)
## Remediation
### Patches
- **Immediate Patch/Script:** Ivanti advised on-premises customers to apply a script that fixes the issue quickly and does not require downtime. Note: This script is temporary and will be overwritten upon a software version upgrade.
- **Permanent Fix:** Ivanti plans to ship a permanent fix in a future software update targeted for **April** (the year is not stated in the source; 2026 is assumed here from the CVE identifiers).
### Workarounds
- Organizations exposing vulnerable instances to the internet are advised to **consider them compromised, tear down the infrastructure, and initiate incident response processes.** (This is an operational recommendation rather than a technical workaround; no configuration-level mitigation is described in the source.)
## Detection
- **Indicators of Compromise (IoCs):** Details on specific IoCs are not provided, but organizations should look for signs of unauthorized remote code execution or unusual administrative activity on EPMM servers.
- **Detection Methods and Tools:** CISA has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) Catalog. Monitoring for exploitation attempts against these CVEs is critical; researchers warn that over 1,400 instances remain exposed to the internet, so any internet-facing EPMM instance should be reviewed for compromise.
## References
- [Ivanti Security Advisory (Forums)](https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US)
- [CISA Known Exploited Vulnerabilities Catalog (Vendor Filter)](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?f%5B0%5D=vendor_project%3A817&page=0)
- [CyberScoop Article](https://cyberscoop.com/ivanti-endpoint-manager-mobile-zero-day-vulnerabilities-exploit/)