Ivanti has issued critical security updates for its Endpoint Manager Mobile (EPMM) product following in-the-wild exploitation of two zero-day vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added one of these flaws, CVE-2026-1281, to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action from federal agencies.
The vulnerabilities, both rated with a critical CVSS score of 9.8, allow for unauthenticated remote code execution. They are present in specific versions of EPMM, including 12.5.0.0, 12.6.0.0, and 12.7.0.0 and prior, as well as 12.5.1.0 and 12.6.1.0 and prior. While Ivanti has released RPM patches for these issues, they are not permanent solutions and must be reapplied after version upgrades. A permanent fix is expected in EPMM version 12.8.0.0, slated for release in the first quarter of 2026.
Ivanti EPMM Vulnerabilities Exposed
The exploited vulnerabilities, CVE-2026-1281 and CVE-2026-1340, impact the In-House Application Distribution and Android File Transfer Configuration features within Ivanti Endpoint Manager Mobile (EPMM). Ivanti has confirmed a limited number of customers experienced exploitation prior to the disclosure of these flaws. The company stated it lacks sufficient threat actor intelligence to provide detailed indicators of compromise.
The technical analysis from Ivanti reveals that successful exploitation can grant attackers arbitrary code execution on the EPMM appliance. This capability opens the door for lateral movement within the connected network environment and access to sensitive information regarding the devices managed by the compromised appliance. Past attacks targeting older EPMM vulnerabilities have typically involved the deployment of web shells and reverse shells to establish persistence.
Other Ivanti products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), and Ivanti Sentry, are not affected by these specific vulnerabilities.
Mitigation and Detection Strategies for Ivanti EPMM
To help organizations detect and mitigate potential compromises, Ivanti has provided specific guidance. Users are advised to scrutinize their Apache access logs, particularly the “/var/log/httpd/https-access_log” file. A specific regular expression (regex) pattern has been shared to identify attempted or successful exploitation:
^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404
Ivanti explained that legitimate use of these features typically produces HTTP 200 response codes in the Apache access log, whereas exploitation attempts generate HTTP 404 response codes. Filtering on requests to these paths that ended in a 404 therefore offers a direct way to identify suspicious traffic.
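The following is an added example, not code from Ivanti or from the original article: it applies Ivanti's published access-log pattern (with the `\d` escape restored) to a handful of constructed Apache access-log lines and reports which ones match, grouped by client address. The sample log lines, the function names and the default log path handling are assumptions for illustration.

```python
import re
from typing import Dict, Iterable, List

# Ivanti's published pattern for reviewing the httpd access log. The negative
# lookahead skips requests logged as coming from the appliance itself
# (127.0.0.1:<port>); the remainder flags requests to the affected In-House
# Application Distribution / Android File Transfer paths that ended in a 404.
# Caveat: "404" may match anywhere after the path (e.g. a byte count), so
# flagged lines still need a human look before being treated as exploitation.
EXPLOIT_ATTEMPT_RE = re.compile(
    r"^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404"
)

# Constructed sample lines in Apache combined log format (not real log data).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jan/2026:09:12:01 +0000] "GET /mifs/c/appstore/fob/example HTTP/1.1" 404 512 "-" "curl/8.4"
198.51.100.7 - - [20/Jan/2026:09:12:05 +0000] "POST /mifs/c/aftstore/fob/example HTTP/1.1" 404 612 "-" "python-requests/2.31"
203.0.113.11 - - [20/Jan/2026:09:13:00 +0000] "GET /mifs/c/appstore/fob/example HTTP/1.1" 200 8192 "-" "Dalvik/2.1.0"
127.0.0.1:8443 - - [20/Jan/2026:09:13:30 +0000] "GET /mifs/c/appstore/fob/example HTTP/1.1" 404 512 "-" "-"
192.0.2.5 - - [20/Jan/2026:09:14:00 +0000] "GET /mifs/login.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def find_suspicious(lines: Iterable[str]) -> List[str]:
    """Return the access-log lines that match Ivanti's exploitation pattern."""
    return [ln for ln in lines if EXPLOIT_ATTEMPT_RE.search(ln)]


def summarize_by_client(lines: Iterable[str]) -> Dict[str, int]:
    """Count flagged requests per client (first whitespace-separated field)."""
    counts: Dict[str, int] = {}
    for ln in find_suspicious(lines):
        client = ln.split(" ", 1)[0]
        counts[client] = counts.get(client, 0) + 1
    return counts


def scan_file(path: str = "/var/log/httpd/https-access_log") -> Dict[str, int]:
    """Scan a real access log on an EPMM appliance (path from Ivanti's guidance)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize_by_client(fh)


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print("SUSPICIOUS:", hit)
    print(summarize_by_client(SAMPLE_LOG.splitlines()))
```

On the constructed sample the two external 404 requests are flagged, while the legitimate 200 response and the appliance's own localhost request are not.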
Beyond log analysis, customers are urged to conduct thorough reviews of their EPMM configurations for any unauthorized changes. This includes scrutinizing:
- New or recently modified EPMM administrator accounts.
- Changes to authentication configurations, encompassing Single Sign-On (SSO) and LDAP settings.
- The introduction of new push applications to mobile devices.
- Modifications to existing pushed application configurations, particularly in-house applications.
- Any new or recently altered policies.
- Network configuration changes applied to mobile devices, including VPN configurations.
If signs of compromise are detected, Ivanti recommends restoring the affected EPMM device from a known good backup or establishing a new EPMM instance and migrating data. Following this remediation, several critical security steps should be taken to secure the environment: reset passwords for all local EPMM accounts and for the LDAP and KDC service accounts used for lookups, revoke and replace the public certificate used by the EPMM solution, and reset passwords for any other internal or external service accounts configured within the EPMM solution.
CISA Mandates Action on Exploited Vulnerability
The addition of CVE-2026-1281 to the CISA KEV catalog signifies its immediate threat to U.S. federal agencies. Federal Civilian Executive Branch (FCEB) agencies are now mandated to apply the necessary security updates by February 1, 2026. This directive underscores the severity of the vulnerability and the critical need for swift patching to prevent potential widespread impact and further exploitation.