Full Report
Ivanti has rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks, one of which has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog. The critical-severity vulnerabilities are listed below - CVE-2026-1281 (CVSS score:
Analysis Summary
# Vulnerability: Critical Code Injection in Ivanti EPMM Exploited in Zero-Days
## CVE Details
- CVE ID: CVE-2026-1281 and CVE-2026-1340
- CVSS Score: 9.8 (Critical)
- CWE: Not explicitly stated, but described as code injection.
## Affected Systems
- Products: Ivanti Endpoint Manager Mobile (EPMM)
- Versions:
  - EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (Fixed in RPM 12.x.0.x)
  - EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (Fixed in RPM 12.x.1.x)
- Configurations: Vulnerabilities affect the In-House Application Distribution and the Android File Transfer Configuration features. Does *not* affect Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry.
## Vulnerability Description
Both vulnerabilities are critical-severity code injection flaws that allow an unauthenticated remote attacker to achieve Remote Code Execution (RCE) on the underlying EPMM appliance. Successful exploitation grants arbitrary code execution, potential lateral movement into the connected environment, and access to sensitive device management information stored on the appliance.
## Exploitation
- Status: Exploited in the wild (Zero-day; CVE-2026-1281 added to CISA KEV catalog).
- Complexity: Not explicitly rated; the flaws are reachable without authentication and yield RCE, so the practical impact is high.
- Attack Vector: Network (Remote/Unauthenticated).
## Impact
- Confidentiality: High (Access to sensitive device management information).
- Integrity: High (Arbitrary code execution on the appliance).
- Availability: High (Service disruption due to compromise).
## Remediation
### Patches
- **Interim Patch/RPMs:** Updates are available via specific RPM patches for versions:
  - RPM 12.x.0.x (for 12.5.0.0, 12.6.0.0, 12.7.0.0 and prior)
  - RPM 12.x.1.x (for 12.5.1.0, 12.6.1.0 and prior)

  *Note: The RPM patch does not survive a subsequent version upgrade and must be reapplied.*
- **Permanent Fix:** EPMM version 12.8.0.0 (Scheduled for release later in Q1 2026) will permanently address these issues.
### Workarounds
If compromise is detected, users are urged to:
1. Restore the EPMM device from a known good backup OR build a replacement EPMM and migrate data.
2. Perform post-restoration hardening steps (see Detection/Mitigation section).
## Detection
### Indicators of Compromise (IoCs)
Review the Apache access log at **/var/log/httpd/https-access_log** for the following regex pattern, which indicates activity against the affected features:
`^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404`
*Legitimate usage generally results in `200` HTTP response codes; successful or attempted exploitation often results in `404` HTTP response codes.*
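As an added example (not part of the advisory or Ivanti's own tooling), the following script runs the published regex over constructed access-log lines in the `client:port` layout the pattern expects, and beside it a stricter check that parses the HTTP status field so that a `404` appearing elsewhere on the line (for example in the byte count) does not trigger; the stricter parse and the sample lines are assumptions.

```python
import re

# Vendor-published pattern from the advisory (quoted on this page).
VENDOR_PATTERN = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404"
)

# Stricter variant (assumption, not from the advisory): pull the status code
# out of the request field so a "404" in the byte count does not trigger.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
AFFECTED_PATH = re.compile(r"^/mifs/c/(aft|app)store/fob/")

# Constructed sample lines in the combined-log style the advisory's regex
# expects (client IP:port first). Not real data.
SAMPLE_LOG = """\
127.0.0.1:44120 - - [29/Jan/2026:10:00:01 +0000] "GET /mifs/c/appstore/fob/pkg HTTP/1.1" 404 215
203.0.113.7:51234 - - [29/Jan/2026:10:00:02 +0000] "POST /mifs/c/aftstore/fob/upload HTTP/1.1" 404 0
203.0.113.7:51235 - - [29/Jan/2026:10:00:03 +0000] "GET /mifs/c/appstore/fob/app.apk HTTP/1.1" 200 10240
198.51.100.9:60001 - - [29/Jan/2026:10:00:04 +0000] "GET /mifs/c/appstore/fob/bundle HTTP/1.1" 200 4040
203.0.113.8:51236 - - [29/Jan/2026:10:00:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 512
"""


def vendor_hits(log_text):
    """Lines flagged by the advisory's regex exactly as published."""
    return [ln for ln in log_text.splitlines() if VENDOR_PATTERN.search(ln)]


def strict_hits(log_text):
    """Lines where the parsed status is 404 on an affected path from a non-local client."""
    hits = []
    for ln in log_text.splitlines():
        m = REQUEST_RE.match(ln)
        if not m or m["client"].startswith("127.0.0.1:"):
            continue  # local proxy traffic is excluded, as in the vendor regex
        if AFFECTED_PATH.match(m["path"]) and m["status"] == "404":
            hits.append(ln)
    return hits


if __name__ == "__main__":
    for ln in vendor_hits(SAMPLE_LOG):
        print("vendor:", ln)
    for ln in strict_hits(SAMPLE_LOG):
        print("strict:", ln)
```

On the sample, the vendor regex flags the `4040`-byte `200` response as well as the real `404`, while the status-field parse flags only the `404`; treat the published pattern as a triage filter and confirm hits against the parsed status.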
Ivanti also advises reviewing for evidence of unauthorized configuration changes, including:
- New or recently changed EPMM administrators.
- Changes to Authentication configuration (SSO, LDAP settings).
- New push applications or modifications to existing configurations (especially in-house apps).
- New or modified policies.
- Network or VPN configuration changes pushed to mobile devices.
### Mitigation Strategies (Post-Compromise)
If compromise is detected, after restoring the system, immediately:
1. Reset passwords for all local EPMM accounts.
2. Reset passwords for LDAP and/or KDC service accounts used for lookups.
3. Revoke and replace the public certificate used by the EPMM.
4. Reset passwords for any other internal or external service accounts configured with EPMM.
## References
- Vendor Advisory: forums[dot]ivanti[dot]com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
- Technical Analysis: forums[dot]ivanti[dot]com/s/article/Analysis-Guidance-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
- CISA KEV Listing: www[dot]cisa[dot]gov/news-events/alerts/2026/01/29/cisa-adds-one-known-exploited-vulnerability-catalog