Ivanti has rolled out safety updates to deal with two safety flaws impacting Ivanti Endpoint Supervisor Cellular (EPMM) which have been exploited in zero-day assaults, considered one of which has been added by the U.S. Cybersecurity and Infrastructure Safety Company (CISA) to its Recognized Exploited Vulnerabilities (KEV) catalog.
The critical-severity vulnerabilities are listed beneath –
- CVE-2026-1281 (CVSS rating: 9.8) – A code injection permitting attackers to realize unauthenticated distant code execution
- CVE-2026-1340 (CVSS rating: 9.8) – A code injection permitting attackers to realize unauthenticated distant code execution
They have an effect on the next variations –
- EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (Fastened in RPM 12.x.0.x)
- EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (Fastened in RPM 12.x.1.x)
Nonetheless, it bears noting that the RPM patch doesn’t survive a model improve and should be reapplied if the equipment is upgraded to a brand new model. The vulnerabilities can be completely addressed in EPMM model 12.8.0.0, which can be launched later in Q1 2026.
“We’re conscious of a really restricted variety of prospects whose resolution has been exploited on the time of disclosure,” Ivanti mentioned in an advisory, including it doesn’t have sufficient details about the menace actor ways to supply “dependable atomic indicators.”
The corporate famous that CVE-2026-1281 and CVE-2026-1340 have an effect on the In-Home Software Distribution and the Android File Switch Configuration options. These shortcomings don’t have an effect on different merchandise, together with Ivanti Neurons for MDM, Ivanti Endpoint Supervisor (EPM), or Ivanti Sentry.
In a technical evaluation, Ivanti mentioned it has usually seen two types of persistence primarily based on prior assaults focusing on older vulnerabilities in EPMM. This contains deploying net shells and reverse shells for establishing persistence on the compromised home equipment.
“Profitable exploitation of the EPMM equipment will allow arbitrary code execution on the equipment,” Ivanti famous. “Other than lateral motion to the linked atmosphere, EPMM additionally accommodates delicate details about units managed by the equipment.”
Customers are suggested to test the Apache entry log at “/var/log/httpd/https-access_log” to search for indicators of tried or profitable exploitation utilizing the beneath common expression (regex) sample –
^(?!127.0.0.1:d+
.*$).*?/mifs/c/(aft|app)retailer/fob/.*?404
“Respectable use of those capabilities will lead to 200 HTTP response codes within the Apache entry log, whereas profitable or tried exploitation will trigger 404 HTTP response codes,” it defined.
As well as, prospects are being requested to overview the next to search for any proof of unauthorized configuration adjustments –
- EPMM directors for brand new or just lately modified directors
- Authentication configuration, together with SSO and LDAP settings
- New push functions for cellular units
- Configuration adjustments to functions you push to units, together with in-house functions
- New or just lately modified insurance policies
- Community configuration adjustments, together with any community configuration or VPN configuration you push to cellular units
Within the occasion indicators of compromise are detected, Ivanti can also be urging customers to revive the EPMM machine from a identified good backup or construct a substitute EPMM after which migrate information to the machine. As soon as the steps are carried out, it is important to make the next adjustments to safe the atmosphere –
- Reset the password of any native EPMM accounts
- Reset the password for the LDAP and/or KDC service accounts that carry out lookups
- Revoke and substitute the general public certificates used to your EPMM
- Reset the password for some other inner or exterior service accounts configured with the EPMM resolution
The event has prompted CISA so as to add CVE-2026-1281 to the KEV catalog, requiring Federal Civilian Govt Department (FCEB) businesses to use the updates by February 1, 2026.
