Two Active Zero-Day Vulnerabilities Targeting Ivanti EPMM Exposed
Two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, affecting Ivanti Endpoint Manager Mobile (EPMM), are being actively exploited, allowing attackers to remotely execute arbitrary code without authentication. The widespread exploitation has been documented by Unit 42, presenting significant risks to various sectors across multiple countries.
CVE-2026-1281 is a remote code execution (RCE) vulnerability related to legacy bash scripts in the Ivanti EPMM system, which attackers can exploit through HTTP requests to execute malicious commands. Exploitation can lead to the establishment of reverse shells, installation of web shells, reconnaissance, and malware downloads. Its counterpart, CVE-2026-1340, also utilizes unsafe bash scripting and affects the Ivanti Android File Transfer mechanism. These vulnerabilities affect organizations in sectors like government, healthcare, and technology in the U.S., Germany, Australia, and Canada.
In response to this critical threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities Catalog, acknowledging the urgency for organizations to apply the recommended patches to prevent exploitation. Despite the urgent need for remediation, some attackers have reportedly leveraged these vulnerabilities to set up dormant backdoors, ensuring persistence even after patches are applied.
The significance of these vulnerabilities cannot be overstated, as compromised systems can lead to unauthorized access and substantial operational risks. The ease of exploitation particularly highlights the necessity for organizations to adopt a vigilant security posture concerning their mobile device management interfaces.
Organizations should utilize threat intelligence, next-gen firewalls, and vulnerability scanning tools to detect exploit attempts related to these CVEs proactively. Regular monitoring of logs, along with integration into SIEM solutions, can enhance incident response efforts against new threats.
Indicators of Compromise (IOCs):
- IP Addresses: 23.227.199.80, 64.7.199.177, 83.138.53.139, 84.72.235.18, etc.
- Malicious URLs: hxxp://152.32.173.138/U26d86f1899513347.5b5b0c1b, hxxp://64.7.199.177:18899/93.187.56.19, and others.
- Web Shells: /mi/tomcat/webapps/mifs/401.jsp, /mi/tomcat/webapps/mifs/403.jsp, /mi/tomcat/webapps/mifs/1.jsp.
