
Ivanti has released critical updates for two security vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Both were being exploited as zero-days before fixes were available, which prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to promptly add one of them to its Known Exploited Vulnerabilities (KEV) catalog.
The technical picture is alarming: the vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, carry a CVSS score of 9.8. In plainer terms, they are code injection flaws that let an unauthenticated remote attacker execute code on the appliance.
Affected releases span versions 12.5.0.0 through 12.7.0.0. Ivanti has provided fixes as RPM packages, with an important caveat: these hotfixes are not carried forward by a version update. In practice, after any subsequent update of the appliance, the RPM must be reinstalled by hand.
A permanent fix is not expected until version 12.8.0.0, scheduled for the end of the first quarter of 2026. Ivanti confirmed that it is aware of a limited number of customers already affected, but admitted that it does not yet have enough insight into the attackers' tactics to publish definitive indicators of compromise.
The vulnerable code lies in the internal app distribution functions and in the file transfer configuration for Android devices. Ivanti has clarified that other products in its portfolio, including Ivanti Sentry and Ivanti Neurons for MDM, are not affected.
Analysis shows that attackers typically seek persistence on compromised appliances through web shells and reverse shells. Once they control the EPMM appliance, the risk extends to lateral movement across the corporate network and to the exfiltration of sensitive data from the managed mobile devices.
To spot intrusion attempts, Ivanti recommends reviewing the appliance's Apache access logs. A suspicious sign is HTTP 404 responses to requests that target the app distribution features, since legitimate traffic to those features should normally return 200.
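As an added example (not Ivanti's code or guidance), the following Python script applies that check to a handful of constructed Apache access-log lines: it parses the combined log format, flags 404 responses on the watched feature paths, counts them per source address, and reports lines it could not parse so gaps in the evidence are visible. The prefix `/app-distribution/` is a placeholder standing in for the app-distribution endpoints, not a path published by Ivanti; substitute the paths from the advisory, and adjust the regex if the appliance writes a custom LogFormat.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Apache "combined" LogFormat. This is an assumption for the example; adjust the
# regex if the appliance writes a custom LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Placeholder prefix standing in for the app-distribution endpoints. It is an
# assumption, not a path published by Ivanti; replace it with the advisory's paths.
WATCHED_PREFIXES = ("/app-distribution/",)

# Constructed sample log: one legitimate client hit, three probes that 404 on the
# watched feature, one unrelated 404 (noise) and one malformed line.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jan/2026:08:01:12 +0000] "GET /app-distribution/catalog HTTP/1.1" 200 5120 "-" "MobileClient/12.6"
198.51.100.7 - - [12/Jan/2026:08:02:03 +0000] "GET /app-distribution/upload HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.7 - - [12/Jan/2026:08:02:04 +0000] "POST /app-distribution/upload HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.11 - - [12/Jan/2026:08:03:41 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2026:08:05:00 +0000] "GET /app-distribution/catalog?id=1 HTTP/1.1" 404 196 "-" "python-requests/2.32"
this line is not an access-log entry
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None when it does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(lines: Iterable[str], prefixes=WATCHED_PREFIXES) -> dict:
    """Flag requests to the watched feature paths that returned 404 (the pattern
    Ivanti points to) and count them per source address. Malformed lines are
    counted rather than silently dropped."""
    hits, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["status"] == 404 and rec["path"].startswith(prefixes):
            hits.append(rec)
    return {"hits": hits, "by_ip": Counter(h["ip"] for h in hits), "unparsed": unparsed}


if __name__ == "__main__":
    result = find_suspicious(SAMPLE_LOG.splitlines())
    for h in result["hits"]:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> 404 ua={h["ua"]}')
    print("per source:", dict(result["by_ip"]), "unparsed lines:", result["unparsed"])
```

On the sample input the unrelated `/favicon.ico` 404 is ignored, the three probes against the watched prefix are reported (two from one source), and the malformed line is counted as unparsed. In practice, run it over the full log retention window, since the advisory gives no start date for the activity.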
Beyond log analysis, control over the administrative consoles is essential. Administrators should watch for the appearance of new, unauthorized administrator accounts and for suspicious changes to the SSO and LDAP authentication settings, either of which could indicate tampering in progress.
Audits must also extend to the applications and security policies pushed to mobile devices. Any unplanned change to the configuration of internal apps or to corporate VPN settings should be treated as a potential sign of compromise.
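As an added example (not Ivanti's tooling), the following Python script turns the audit described above into a repeatable check: it diffs a baseline export of administrator accounts, SSO/LDAP settings, pushed apps and VPN configuration against a later snapshot and reports every added, removed or changed setting with a severity. The snapshot layout and every value in it are constructed assumptions for the example, not Ivanti's export format; map a real export onto the same shape before diffing.

```python
import copy
from typing import Any

# Constructed baseline snapshot, taken while the appliance was known-good. The
# layout is an assumption made for this example, not Ivanti's export format.
BASELINE = {
    "admins": {
        "alice": {"role": "Super Admin", "source": "local"},
        "bob": {"role": "Help Desk", "source": "ldap"},
    },
    "auth": {
        "sso": {"enabled": True, "idp_metadata_url": "https://idp.example.com/metadata"},
        "ldap": {"server": "ldaps://ldap.example.com", "bind_dn": "cn=svc-epmm,dc=example,dc=com"},
    },
    "apps": {"com.example.vpnclient": {"source": "internal", "install": "required"}},
    "vpn": {"corp-vpn": {"server": "vpn.example.com", "auth": "certificate"}},
}

# A later snapshot of the same appliance with four constructed deviations.
CURRENT = copy.deepcopy(BASELINE)
CURRENT["admins"]["svc_backup"] = {"role": "Super Admin", "source": "local"}           # unknown admin
CURRENT["auth"]["ldap"]["bind_dn"] = "cn=attacker,dc=example,dc=com"                   # LDAP tampering
CURRENT["apps"]["com.example.helper"] = {"source": "internal", "install": "required"}  # unplanned app push
CURRENT["vpn"]["corp-vpn"]["server"] = "vpn.example.net"                               # VPN endpoint changed

# Severity by top-level section; anything else is reported as low.
SEVERITY = {"admins": "high", "auth": "high", "apps": "medium", "vpn": "medium"}


def flatten(node: Any, path: tuple = ()) -> dict:
    """Turn nested dicts into {path_tuple: leaf_value}. Tuples, not dotted
    strings, keep keys that themselves contain dots (app IDs) unambiguous."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            out.update(flatten(value, path + (key,)))
        return out
    return {path: node}


def diff_config(baseline: dict, current: dict) -> list:
    """Return one finding per leaf setting added, removed or changed since the baseline."""
    before, after = flatten(baseline), flatten(current)
    findings = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            kind, old, new = "added", None, after[path]
        elif path not in after:
            kind, old, new = "removed", before[path], None
        elif before[path] != after[path]:
            kind, old, new = "changed", before[path], after[path]
        else:
            continue
        findings.append({
            "kind": kind,
            "path": "/".join(path),
            "before": old,
            "after": new,
            "severity": SEVERITY.get(path[0], "low"),
        })
    return findings


if __name__ == "__main__":
    for f in diff_config(BASELINE, CURRENT):
        print(f'[{f["severity"]:6}] {f["kind"]:8} {f["path"]}: {f["before"]!r} -> {f["after"]!r}')
```

Against the constructed snapshots this reports the new Super Admin and the LDAP bind DN change as high severity and the unplanned app push and VPN endpoint change as medium. The value of the approach is the baseline: take it from a known-good export before the exposure window, and re-run the diff after every patch or upgrade, since the RPM hotfix itself has to be reapplied after an update.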
While awaiting the permanent fix expected in March, human vigilance remains the last line of defense. Security managers are urged to review every change to the network configuration and to the policies pushed to mobile devices, so that access to the EPMM appliance does not become an open door to the core of the infrastructure.
