Ivanti EPMM Zero-Day RCE Flaws Actively Exploited

These articles are AI-generated summaries. Please check the original sources for full details.

Ivanti has released security updates for two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) that were exploited as zero-days, that is, before a patch was available. Both flaws, CVE-2026-1281 and CVE-2026-1340, carry a CVSS score of 9.8 (critical severity). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog.

Why This Matters

Both vulnerabilities give an unauthenticated attacker remote code execution on the EPMM server, which can lead to lateral movement into the rest of the network and unauthorized access to sensitive information. Because the flaws were already being exploited when they were disclosed, patching cannot be treated as routine maintenance: a patch closes the entry point but does not remove an attacker who used it earlier, so it should be paired with a check for prior compromise. Ivanti stated that a very limited number of customers had been exploited at the time of disclosure.

Key Insights

  • CVE-2026-1281 and CVE-2026-1340 are both code injection vulnerabilities that allow unauthenticated remote code execution; each has a CVSS score of 9.8.
  • The vulnerabilities affect Ivanti EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (that is, versions before 12.8).
  • CISA has added CVE-2026-1281 to the KEV catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to apply the updates by February 1, 2026.

Working Example

# Check the Apache access log for requests to /mifs/c/aftstore/fob/ or
# /mifs/c/appstore/fob/ that produced a 404, ignoring requests from the
# loopback address (lines beginning "127.0.0.1:<port>"). The negative
# lookahead "(?!...)" and "\d" are PCRE features, so the pattern needs
# grep -P (GNU grep); grep -E rejects "(?" as an invalid expression.
# Any output means the path was probed from outside the appliance and
# warrants investigation for attempted or successful exploitation.
grep -P "^(?!127\.0\.0\.1:\d+.*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404" /var/log/httpd/https-access_log

Practical Applications

  • Use Case: Organizations running Ivanti EPMM should apply the updates immediately and, because exploitation preceded disclosure, review the Apache access logs for requests to the paths above and audit administrator accounts for unexpected additions or changes.
  • Pitfall: Patching without investigating for prior compromise leaves any attacker who already gained access in place and can turn a single exploited server into a broader breach.
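The grep in the Working Example and the log review called for in the Use Case bullet can be done offline on a copy of the access log, which is how the check would typically be run against an appliance. The following Python script is an added example written for this page, not Ivanti's code or tooling. Its assumptions are labelled in the comments: the Apache LogFormat (client address and port first, then the usual combined-log fields, chosen to match the "127.0.0.1:<port>" prefix the grep expects), the function names, and every sample log line are constructed. It applies the same two conditions as the grep, a request to /mifs/c/aftstore/fob/ or /mifs/c/appstore/fob/ that did not come from loopback, but it reads the status code from its own field instead of matching "404" anywhere on the line, and it treats ::1 and all of 127.0.0.0/8 as loopback rather than only the literal 127.0.0.1.

```python
import re
from collections import Counter
from ipaddress import ip_address
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Assumed Apache LogFormat for https-access_log (hypothetical; it puts the
# client address and remote port first, which is what the grep pattern on
# this page expects):
#   "%a:%{remote}p %l %u %t \"%r\" %>s %b"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+?):(?P<port>\d+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths named in the grep check: /mifs/c/aftstore/fob/ and
# /mifs/c/appstore/fob/ (a query string after the trailing slash still matches).
FOB_PATH = re.compile(r'^/mifs/c/(?:aft|app)store/fob/')


class Hit(NamedTuple):
    ip: str
    time: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields, or return None if it does not fit the format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; the grep on this page excludes only the literal 127.0.0.1."""
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False


def find_fob_requests(lines: Iterable[str],
                      statuses: Optional[Tuple[int, ...]] = (404,)) -> List[Hit]:
    """Return non-loopback requests to the fob paths, filtered by response status.

    statuses=(404,) reproduces the grep check; statuses=None keeps every status,
    which is useful as a second pass if the first pass turns anything up.
    """
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:                      # unparseable line: skip, do not crash
            continue
        if is_loopback(rec["ip"]):           # the appliance talking to itself
            continue
        if not FOB_PATH.search(rec["path"]):
            continue
        status = int(rec["status"])          # read from its own field, not "404 anywhere"
        if statuses is not None and status not in statuses:
            continue
        hits.append(Hit(rec["ip"], rec["time"], rec["method"], rec["path"], status))
    return hits


def count_by_source(hits: Iterable[Hit]) -> Counter:
    """Number of flagged requests per client address, to spot a scanner quickly."""
    return Counter(h.ip for h in hits)


# Constructed sample log (not real traffic): client addresses are from the
# documentation ranges, and the last line exercises the unparseable-line path.
SAMPLE_LOG = """\
203.0.113.45:51522 - - [15/Jan/2026:10:02:11 +0000] "GET /mifs/c/aftstore/fob/ HTTP/1.1" 404 196
127.0.0.1:40012 - - [15/Jan/2026:10:02:12 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 196
::1:40013 - - [15/Jan/2026:10:02:12 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 196
198.51.100.7:44310 - - [15/Jan/2026:10:02:13 +0000] "POST /mifs/c/appstore/fob/?x=1 HTTP/1.1" 404 196
203.0.113.45:51530 - - [15/Jan/2026:10:02:14 +0000] "GET /mifs/user/login.jsp HTTP/1.1" 200 5120
203.0.113.45:51531 - - [15/Jan/2026:10:02:15 +0000] "GET /mifs/c/aftstore/fob/ HTTP/1.1" 200 404
this line is not in the expected format
"""

if __name__ == "__main__":
    hits = find_fob_requests(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit)
    print(dict(count_by_source(hits)))
```

Run it against the lines of https-access_log instead of SAMPLE_LOG. The sixth sample line shows the difference from the grep: it is a request to a fob path with a 200 status whose byte count happens to be 404, so the pattern `.*?404` would match it while the field-based check does not. A hit is evidence that the endpoint was reached from outside the appliance, not proof of compromise; it is the starting point for the investigation the Use Case bullet calls for.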
