Critical Ivanti EPMM Zero-Day Vulnerabilities Exploited

    Rameses Quiambao
    Participant

    Summary
    Palo Alto Networks Unit 42 researchers have identified active exploitation of two critical zero-day vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM).

    The vulnerabilities:
    • CVE-2026-1281
    • CVE-2026-1340

    Both allow unauthenticated remote code execution (RCE) against internet-exposed EPMM servers without requiring credentials or user interaction.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) Catalog due to confirmed in-the-wild attacks.

    Research Source (Palo Alto Networks)
    According to Palo Alto Networks Unit 42, telemetry from the Cortex Xpanse platform identified more than 4,400 EPMM servers exposed to the public internet.

    Researchers observed automated exploitation attempts beginning shortly after public disclosure in January 2026. Attackers rapidly moved from reconnaissance to persistence, often implanting dormant backdoors designed to survive patching.

    Technical Details
    The vulnerabilities originate from unsafe bash script usage within legacy Apache URL-rewriting components.

    Affected features:

    • In-House Application Distribution (CVE-2026-1281)
    • Android File Transfer mechanism (CVE-2026-1340)

    Attackers send crafted HTTP requests to execute system commands on the appliance.

    Observed Attack Activity

    Unit 42 observed the following post-exploitation behavior:

    Web Shell Deployment
    • 401.jsp
    • 403.jsp
    • 1.jsp

    Command Execution & Reconnaissance
    • sleep commands used to test vulnerability
    • system enumeration
    • credential discovery

    Persistence & Payloads
    • reverse shells
    • dormant backdoors
    • cryptominers
    • second-stage malware

    Additional Tooling
    Threat actors attempted to download the Nezha monitoring agent from external repositories to maintain control over compromised servers.

    Impact

    EPMM manages enterprise mobile devices.

    Compromise may allow attackers to:

    • Access corporate data
    • Deploy malicious applications to employee devices
    • Steal authentication tokens and credentials
    • Pivot into internal networks
    • Maintain long-term persistence

    Because the platform is a Mobile Device Management (MDM) system, this vulnerability effectively provides an enterprise network entry point.

    Mitigation

    Ivanti released version-specific patches (RPM 12.x.0.x and 12.x.1.x) that can be applied immediately without downtime.

    Recommended response actions:
    1. Patch immediately
    2. Run Ivanti exploitation detection script (NCSC-NL)
    3. Check for web shells
    4. Rotate all credentials
    5. Review MDM device policies
    6. Investigate logs for at least 30 days prior

    Organizations should follow an assume-breach mindset if the system was internet-exposed.
    This vulnerability should be treated as Priority 1 – Critical Incident.
    Even after patching, organizations must perform compromise assessment and threat hunting because attackers may have established persistence prior to remediation.

    References:
    • Palo Alto Networks Unit 42 Research
    https://cybersecuritynews.com/critical-ivanti-epmm-zero-day-vulnerabilities/
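As an added example (not code from the post, Ivanti or Unit 42), the following Python hunt supports step 3 of the response actions above: it looks for the web shell file names the post lists, both on disk and in an Apache-style access log. The web root path and the log lines are constructed placeholders, not real telemetry.

```python
"""Hunt for the EPMM web shell names reported by Unit 42 (401.jsp, 403.jsp, 1.jsp).

Added example; the appliance web root is a placeholder and the sample
access-log lines below are constructed for illustration only.
"""
import os
import re
from typing import Iterable

# File names of the web shells named in the post (from the Unit 42 report).
WEB_SHELL_NAMES = {"401.jsp", "403.jsp", "1.jsp"}

# Apache Common Log Format: host ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_web_shell_files(root: str) -> list[str]:
    """Return paths under *root* whose file name matches a known web shell name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in WEB_SHELL_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_web_shell_requests(lines: Iterable[str]) -> list[dict]:
    """Flag access-log requests whose URL path ends in a known web shell name."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if os.path.basename(path) in WEB_SHELL_NAMES:
            flagged.append({"ip": m.group("ip"), "ts": m.group("ts"),
                            "path": path, "status": int(m.group("status"))})
    return flagged


# Constructed sample log lines (RFC 5737 test addresses, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2026:03:14:07 +0000] "GET /app/403.jsp?q=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [20/Jan/2026:03:15:22 +0000] "GET /app/login.jsp HTTP/1.1" 200 4096',
    '203.0.113.5 - - [20/Jan/2026:03:16:01 +0000] "POST /1.jsp HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for hit in find_web_shell_files("/path/to/epmm/webroot"):  # placeholder web root
        print("file:", hit)
    for hit in find_web_shell_requests(SAMPLE_LOG):
        print("request:", hit)
```

Run it against the real web root and the exported access logs covering the 30-day window the post recommends; any hit warrants full compromise assessment, not just file deletion.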
