Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) have been actively exploited in the wild, posing a significant threat to corporate networks globally. These vulnerabilities, identified as CVE-2026-1281 and CVE-2026-1340, allow unauthenticated attackers to execute arbitrary code remotely on targeted servers without requiring any credentials or user interaction. Organizations in the United States, Germany, Australia, and Canada, spanning sectors like state and local government, healthcare, manufacturing, professional services, and high technology, have already been impacted by these sophisticated attacks.
The exploitation of these Ivanti EPMM zero-day flaws grants threat actors comprehensive control over an organization’s mobile device management infrastructure. Attackers can establish persistent access through reverse shells, install web shells for further compromise, conduct extensive reconnaissance, and download malicious software. Unit 42 researchers have documented widespread automated exploitation attempts since the vulnerabilities were disclosed in January 2026, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to quickly add CVE-2026-1281 to its Known Exploited Vulnerabilities Catalog due to its severity and active threat.
Ivanti EPMM Vulnerabilities and Exploitation Tactics
Palo Alto Networks researchers, utilizing their Cortex Xpanse telemetry system, identified over 4,400 Ivanti EPMM instances exposed to the internet. The analysis revealed that threat actors are rapidly escalating their operations. Following initial reconnaissance, attackers are deploying dormant backdoors designed to maintain long-term access even after organizations have applied security patches. This demonstrates a calculated strategy by cybercriminals to ensure persistent presence within compromised networks, highlighting the evolving landscape of advanced persistent threats.
The root cause of both critical vulnerabilities lies in the unsafe use of bash scripts within legacy components responsible for URL rewriting in the Apache web server configuration. Specifically, CVE-2026-1281 affects scripts associated with the In-House Application Distribution feature, while CVE-2026-1340 relates to the Android File Transfer mechanism. Because these scripts are reachable before authentication, the flaws give attackers an entry point to bypass security controls and gain unauthorized access.
Attack Methods and Malicious Activity Uncovered
During exploitation attempts, attackers have been observed deploying a variety of malware and tools to further compromise vulnerable systems. Security researchers noted the installation of lightweight JSP web shells, often given inconspicuous names such as 401.jsp, 403.jsp, and 1.jsp, within the server’s web application directory. If the web server is running with elevated privileges, these web shells can grant attackers administrative control over the compromised system.
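One defender-side check that follows from the above: hunt the web application directory for JSP files that are not in a known-good baseline, and flag those whose names match the reported web shells, were modified recently, or contain process-execution calls. This is an added example, not the Ivanti/NCSC-NL detection script; the directory layout, baseline and sample files are constructed, and only the three file names come from the article.

```python
import re
import tempfile
import time
from pathlib import Path

# Names reported for the dropped JSP web shells (from the article).
REPORTED_SHELL_NAMES = {"401.jsp", "403.jsp", "1.jsp"}

# Crude content heuristic: JSP source that reaches for a process or a class loader.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"Runtime\.getRuntime\(\)\.exec"),
    re.compile(rb"ProcessBuilder"),
    re.compile(rb"defineClass"),
]


def hunt_jsp_webshells(webapp_dir, baseline, max_age_days=30):
    """Return (relative_path, reasons) for every .jsp under webapp_dir that is
    not in the known-good baseline of relative paths, with the reasons it was
    flagged so an analyst can triage the finding."""
    root = Path(webapp_dir)
    now = time.time()
    findings = []
    for path in root.rglob("*.jsp"):
        rel = path.relative_to(root).as_posix()
        if rel in baseline:
            continue
        reasons = ["not in baseline"]
        if path.name in REPORTED_SHELL_NAMES:
            reasons.append("name matches reported web shell")
        if now - path.stat().st_mtime < max_age_days * 86400:
            reasons.append("recently modified")
        data = path.read_bytes()
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(data):
                reasons.append("contains " + pat.pattern.decode())
        findings.append((rel, reasons))
    return sorted(findings)


def demo():
    """Build a constructed sample webapp tree (not a real EPMM layout) and run the hunt."""
    root = Path(tempfile.mkdtemp())
    (root / "index.jsp").write_text("<html>legitimate page</html>")
    (root / "WEB-INF").mkdir()
    (root / "WEB-INF" / "helper.jsp").write_text("<%-- legitimate include --%>")
    # Constructed stand-in for a dropped shell: a comment that only trips the heuristic.
    (root / "401.jsp").write_text("<%-- sample: Runtime.getRuntime().exec --%>")
    baseline = {"index.jsp", "WEB-INF/helper.jsp"}
    return {rel: reasons for rel, reasons in hunt_jsp_webshells(root, baseline)}
```

In practice the baseline would be taken from a clean install of the same EPMM build, and any hit should be handled under the assumed-breach process described later in the article.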
Researchers have also documented the command-and-control activity seen in these attacks, including the format of the commands sent to vulnerable Ivanti EPMM servers and the URL patterns observed in exploitation attempts, which give defenders insight into how attackers are probing and targeting these systems.
Beyond web shells, threat actors have also attempted to download the Nezha monitoring agent, an open-source server utility. In some instances, specific parameters were used to target victims in China, with the agent being fetched from Gitee repositories. Campaigns have also involved the download of second-stage payloads, which can include cryptominers for illicit cryptocurrency mining operations or persistent backdoors designed for long-term stealthy access on compromised appliances.
Reconnaissance methods have also been observed, with attackers issuing sleep commands and timing the response to gauge whether a server is responsive and vulnerable. This indirect approach helps them map out the network and pinpoint potential entry points without immediately triggering security alerts. Decoded JSP web shells have also been analyzed, revealing the malicious code attackers deploy to maintain control.
Mitigation and Future Outlook
Ivanti has responded by releasing version-specific patches for its EPMM software. These patches, including RPM 12.x.0.x and RPM 12.x.1.x, are designed for minimal disruption, requiring no downtime and taking only seconds to apply. Organizations running affected versions are strongly urged to immediately patch their vulnerable systems to prevent further compromise.
Beyond patching, it is crucial for organizations to meticulously review their Ivanti EPMM appliances for any signs of exploitation that may have occurred prior to the implementation of patches. Ivanti, in collaboration with NCSC-NL, has also provided an Exploitation Detection script to assist customers in identifying potential compromises. Unit 42 recommends adopting an “assumed breach” mentality, treating any detected indicators of compromise with the utmost seriousness and conducting thorough investigations to uncover deeper persistence mechanisms.
The ongoing exploitation of these critical Ivanti EPMM vulnerabilities underscores the persistent threat posed by zero-day exploits in enterprise environments. Organizations must remain vigilant, prioritize timely patching, and conduct regular security audits to safeguard their networks against sophisticated cyber threats. The focus now shifts to how effectively organizations implement these patches and detection measures, and what further actions Ivanti will take to reinforce the security posture of its products.