
Ivanti has disclosed two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, that have been exploited in zero-day attacks.
The issues are code-injection vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable devices without authentication. Both vulnerabilities have a CVSS score of 9.8 and are rated as critical.
“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” warns Ivanti.
Ivanti has released RPM scripts to mitigate the vulnerabilities for affected EPMM versions:
- Use RPM 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x
- Use RPM 12.x.1.x for EPMM versions 12.5.1.0 and 12.6.1.0
The company says there is no downtime required to apply the patches and that there is no functional impact, so it is strongly advised to apply them as soon as possible.
However, the company does warn that the hotfixes do not survive a version upgrade and must be reapplied if the appliance is upgraded before a permanent fix is available.
The vulnerabilities will be permanently fixed in EPMM version 12.8.0.0, which will be released later in Q1 2026.
Ivanti says successful exploitation allows attackers to execute arbitrary code on the EPMM appliance, giving them access to a wide range of information stored on the platform.
This information includes administrator and user names, usernames, and email addresses, as well as details about managed mobile devices such as phone numbers, IP addresses, installed applications, and device identifiers like IMEI and MAC addresses.
If location tracking is enabled, attackers could also access device location data, including GPS coordinates and the locations of the nearest cell towers.
Ivanti warns that attackers could also use the EPMM API or web console to make configuration changes to devices, including authentication settings.
Actively exploited zero-days
Ivanti’s advisories state that both vulnerabilities were exploited as zero-days, but the company does not have reliable indicators of compromise (IOCs) due to the small number of known impacted customers.
However, the company has published technical guidance on detecting exploitation and post-exploitation behavior that admins can use.
Ivanti says both vulnerabilities are triggered via the In-House Application Distribution and Android File Transfer Configuration features, with attempted or successful exploitation appearing in the Apache access log at /var/log/httpd/https-access_log.
To help defenders identify suspicious activity, Ivanti provided a regular expression that can be used to search for exploitation activity in the access logs:
^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404
The expression will list log entries that match external requests (not localhost traffic) targeting the vulnerable endpoints that return 404 HTTP response codes.
According to Ivanti, legitimate requests to these endpoints typically return an HTTP 200 response. Exploitation attempts, whether successful or not, return 404 errors, making these entries a strong indicator that a device has been targeted.
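The following is an added example, not code from the article or from Ivanti, that applies the published expression to access-log lines and reports the source address, request path and status of each flagged entry. It assumes the log line starts with "client_ip:port" (which is what the localhost exclusion in Ivanti's pattern implies) and otherwise follows Apache's combined log format; the sample lines are constructed, not a real capture.

```python
import re
from collections import Counter

# Ivanti's published expression (see the advisory text above), with the "\d"
# escape restored. Note that "404" is matched anywhere after the path, exactly
# as published, so the field parser below is used to report the real status.
IVANTI_PATTERN = re.compile(
    r"^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404"
)

# ASSUMPTION (not from the advisory): lines begin with "client:port" followed by
# Apache combined-format fields.
LINE_FIELDS = re.compile(
    r'^(?P<client>[^:\s]+):\d+ \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def find_exploit_attempts(log_text):
    """Return one dict per non-localhost request to the vulnerable endpoints
    that produced a 404, the signal Ivanti describes; other lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        if not IVANTI_PATTERN.match(line):
            continue
        fields = LINE_FIELDS.match(line)
        if fields is None:  # matched Ivanti's pattern but not the assumed layout
            hits.append({"client": "?", "path": "?", "status": "?", "raw": line})
            continue
        hits.append({k: fields.group(k)
                     for k in ("client", "time", "method", "path", "status")})
    return hits

def attempts_per_client(log_text):
    """Count flagged requests per source address to spot repeated probing."""
    return Counter(h["client"] for h in find_exploit_attempts(log_text))

# Constructed sample: localhost traffic, a 200 response and an unrelated 404
# should be ignored; the two external 404s against the endpoints are flagged.
SAMPLE_LOG = """\
127.0.0.1:43212 - - [12/Jan/2026:10:01:02 +0000] "GET /mifs/c/aftstore/fob/x HTTP/1.1" 404 310
203.0.113.10:51234 - - [12/Jan/2026:10:02:15 +0000] "POST /mifs/c/appstore/fob/y HTTP/1.1" 404 310
203.0.113.10:51236 - - [12/Jan/2026:10:02:16 +0000] "GET /mifs/c/appstore/fob/y HTTP/1.1" 200 5120
198.51.100.7:40001 - - [12/Jan/2026:10:05:40 +0000] "GET /mifs/c/aftstore/fob/z HTTP/1.1" 404 310
198.51.100.7:40002 - - [12/Jan/2026:10:05:41 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 310
"""

if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(hit)
    print(attempts_per_client(SAMPLE_LOG))
```

Point it at a copy of /var/log/httpd/https-access_log (or, as Ivanti advises, at off-device copies) by reading the file into `find_exploit_attempts`.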
However, Ivanti warns that once a device is compromised, attackers can modify or delete logs to hide their activity. If off-device logs are available, those should be reviewed instead.
If a device is suspected of being compromised, Ivanti does not recommend that admins clean the device.
Instead, customers should restore EPMM from a known-good backup taken before exploitation occurred or rebuild the appliance and migrate data to a replacement device.
After restoring systems, Ivanti recommends performing these actions:
While the vulnerabilities affect only Ivanti Endpoint Manager Mobile (EPMM), the company recommends reviewing Sentry logs as well.
“While EPMM may be restricted to a DMZ with little to no access to the rest of a corporate network, Sentry is specifically intended to tunnel specific types of traffic from mobile devices to internal network assets,” reads Ivanti’s assessment guidance for CVE-2026-1281 & CVE-2026-1340.
“If you suspect that your EPMM appliance is impacted, we recommend you review the systems that Sentry can access for potential recon or lateral movement.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the flaw is being actively exploited.
Federal civilian agencies have been given until February 1, 2026, to apply vendor mitigations or discontinue use of vulnerable systems under Binding Operational Directive 22-01.
It is unclear why CISA did not add both vulnerabilities to the KEV, and BleepingComputer contacted Ivanti to confirm that both were exploited.
In September, CISA published an analysis of malware kits deployed in attacks exploiting two other Ivanti Endpoint Manager Mobile (EPMM) zero-days. Those flaws were fixed in May 2025, but had previously been exploited in zero-day attacks as well.

