Active Exploitation of Ivanti EPMM Zero-Day RCE Vulnerabilities
Ivanti Endpoint Manager Mobile (EPMM) is being actively exploited via two critical, unauthenticated remote code execution vulnerabilities, CVE-2026-1281 and CVE-2026-1340 (both reported as CVSS 9.8). Reporting describes attackers achieving full control of exposed EPMM/MDM infrastructure, including establishing reverse shells, deploying web shells, performing reconnaissance, and downloading additional malware; activity has been observed across multiple countries and sectors (including government, healthcare, manufacturing, and technology). CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) Catalog, and defenders are urged to apply Ivanti’s available fixes/updates per the vendor advisory.
Telemetry and threat-intel observations indicate broad internet exposure and automation in exploitation. Unit 42 reported visibility into 4,400+ EPMM instances, and noted threat actors shifting from initial exploitation toward dormant backdoors intended to preserve access even after patching. GreyNoise data highlighted that a large share of observed exploitation traffic (reported as 83%) originated from a single IP, 193.24.123.42, associated with “bulletproof” hosting, with attackers rotating user-agent strings consistent with mass scanning/exploitation; the same infrastructure was also linked to attempts against other products (e.g., Oracle WebLogic, telnetd, and GLPI).
Sources
Related Stories
Ivanti EPMM Zero-Day RCE via CVE-2026-1281 and CVE-2026-1340
Ivanti disclosed two **critical, actively exploited** Ivanti Endpoint Manager Mobile (*EPMM*) vulnerabilities—**CVE-2026-1281** and **CVE-2026-1340**—described as unauthenticated code-injection issues enabling **remote code execution (RCE)** with a **CVSS 9.8** rating. Ivanti reported exploitation affecting a *very limited number* of customers at disclosure and warned that successful compromise of the EPMM appliance could expose sensitive data stored in the platform (e.g., admin/user details and managed-device metadata such as phone numbers, IPs, installed apps, and identifiers like IMEI/MAC), and potentially allow attackers to change device configurations via the API or web console, including authentication-related settings. Guidance from national cybersecurity authorities emphasized that EPMM’s role in mobile device management can make it a pivot point into internal environments, potentially enabling lateral movement if the appliance is compromised. Affected versions include EPMM **12.5.x, 12.6.x, and 12.7.x** (including **12.5.1.0** and **12.6.1.0** and earlier as specified), while Ivanti’s cloud offerings (e.g., *Ivanti Neurons for MDM*) and *Ivanti Endpoint Manager (EPM)* are not impacted. Ivanti provided interim mitigations/hotfixes (RPM-based) with the caveat that hotfixes may need reapplication after upgrades, and indicated a permanent fix is expected in **EPMM 12.8.0.0**; organizations were advised to patch immediately and review appliances for compromise indicators such as anomalous logs and unexpected admin/configuration changes.
1 months ago
Active Exploitation of Ivanti EPMM Flaws Used to Seed Dormant Backdoors and Validate RCE
Active exploitation is targeting **Ivanti Endpoint Manager Mobile (EPMM)** via two critical vulnerabilities—`CVE-2026-1281` (authentication bypass) and `CVE-2026-1340` (remote code execution)—with activity consistent with **initial access broker (IAB)** tradecraft rather than immediate ransomware-style monetization. Reporting indicates attackers are using exploitation to establish footholds and validate access at scale, then disengaging, suggesting the objective is to inventory and package working access for later activation or resale. Post-exploitation behavior described in research includes deployment of a **dormant, in-memory Java class loader** backdoor that is left inactive until a specific trigger is received, with an observed web-accessible artifact at `/mifs/403.jsp`. Separately, GreyNoise telemetry attributes **83% of observed Ivanti exploitation** to a single IP hosted on **bulletproof infrastructure** (PROSPERO OOO, `AS200593`) that is missing from widely circulated IOC lists, while several heavily shared “IOCs” appear to be unrelated (e.g., Windscribe VPN exit nodes primarily scanning **Oracle WebLogic** on port `7001`). GreyNoise also observed prevalent “blind” RCE verification using **OAST DNS callbacks** (rather than immediate payload deployment), reinforcing the assessment that operators are confirming exploitability and staging for follow-on access rather than executing overt actions immediately.
1 months ago
Ivanti Endpoint Manager Mobile Pre-Auth RCE Zero-Days (CVE-2026-1281, CVE-2026-1340)
Ivanti issued emergency patches for two **critical zero-day** vulnerabilities in *Endpoint Manager Mobile (EPMM)*—**CVE-2026-1281** and **CVE-2026-1340**—described as code-injection flaws that can enable **pre-auth remote code execution**. Reporting indicates successful exploitation could allow attackers to run arbitrary code and potentially access sensitive device and user data managed by EPMM, elevating risk for organizations using the product for mobile device management. Technical discussion and community commentary amplified the disclosure, pointing to detailed research write-ups (including analysis focused on exploitation mechanics) and reinforcing the urgency of patching internet-exposed EPMM instances. Separate industry coverage during the same period also emphasized broader 2026 security priorities (AI-enabled social engineering, quantum-readiness, and general vulnerability management), but did not add incident-specific details about the Ivanti EPMM zero-days beyond the general call to improve patching discipline.
1 months ago