Ivanti has released emergency security patches to address two newly discovered critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340, in its Endpoint Manager Mobile (EPMM) software. Both carry a CVSS score of 9.8 and allow unauthenticated remote code execution, putting organizations that run EPMM at serious risk. We encourage our users to take action as soon as possible, especially since threat actors have already begun exploiting these vulnerabilities.
The affected versions are EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior. EPMM versions 12.5.1.0 and 12.6.1.0 are also affected. Ivanti's patches modify the Apache HTTPd configuration and replace two Bash shell scripts with newly introduced Java classes to mitigate the vulnerabilities.
Understanding the Vulnerabilities
The vulnerabilities mainly affect the In-House Application Distribution and Android File Transfer Configuration functions of EPMM. Successful exploitation lets an attacker run arbitrary code on the appliance, which in turn exposes the surrounding environment to attacks aimed at accessing and taking control of sensitive data.
At the time of disclosure, Ivanti was aware of only a handful of customers whose instances had been exploited, and it reported this information immediately. That prompt disclosure highlights the need for users to apply the latest security patches as quickly as possible.
“Successful exploitation of the EPMM appliance will enable arbitrary code execution on the appliance,” – Ivanti
Any organization using EPMM should audit its systems and establish processes to monitor for exploitation of emerging vulnerabilities. Users are urged to inspect their Apache access logs, located at /var/log/httpd/https-access_log, for suspicious activity. Typical legitimate usage produces 200 HTTP response codes, whereas both successful and attempted exploitation triggers 404 HTTP response codes.
Recommendations for Affected Users
As security experts urge, organizations need to do more than panic when they identify a compromise. “It’s not just patching it,” warned Benjamin Harris, a cybersecurity consultant for the non-profit Institute for Critical Infrastructure Technology.
“While patches are available from Ivanti, applying patches will not be enough – threat actors have been exploiting these vulnerabilities as zero-days, and organizations that are as of disclosure exposing vulnerable instances to the internet must consider them compromised, tear down infrastructure and instigate incident response processes,” – Benjamin Harris
In light of these vulnerabilities, users should always restore their appliances from a trusted backup, or build a new EPMM instance from the ground up and migrate their data to it. Note that the RPM patch does not survive a version upgrade, so it must be reapplied after the appliance is upgraded to a newer version.
CISA Involvement and Ongoing Threats
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This step further shows how serious the situation has become, and the agency’s intervention underscores the concern over possible abuse by threat actors.
Now more than ever, organizations need to be vigilant. In its analysis of previous attacks exploiting older EPMM vulnerabilities, Ivanti has frequently found two notable types of persistence. Ongoing oversight and swift response will be crucial to protecting sensitive data.
“Legitimate use of these capabilities will result in 200 HTTP response codes in the Apache access log, whereas successful or attempted exploitation will cause 404 HTTP response codes,” – Ivanti
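The log check described above (and in the recommendations section) can be scripted. The following is an added example, not code from Ivanti or from this article: it parses Apache combined-format lines as found in /var/log/httpd/https-access_log, groups 404 responses by client IP and lists the requested paths, so repeated 404s from one source against several paths stand out. The sample log lines and their paths are constructed placeholders; 404s also arise from ordinary misconfiguration, so the output is a triage list, not a verdict.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as written to /var/log/httpd/https-access_log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def triage_404s(lines, min_hits=1):
    """Group 404 responses by client IP.
    Returns {ip: {"count": n, "paths": [sorted unique paths]}} for clients with
    at least min_hits 404s. Several 404s from one client across distinct paths
    is the pattern worth a closer look; a lone 404 is usually a typo or a stale link."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            hits[rec["ip"]].append(rec["path"])
    return {ip: {"count": len(paths), "paths": sorted(set(paths))}
            for ip, paths in hits.items() if len(paths) >= min_hits}

# Constructed sample lines (not real traffic); the paths are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:08:01:02 +0000] "GET /placeholder/console HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2026:08:02:10 +0000] "POST /placeholder/path-a HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.9 - - [10/Jan/2026:08:02:11 +0000] "POST /placeholder/path-b HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.9 - - [10/Jan/2026:08:02:12 +0000] "POST /placeholder/path-a HTTP/1.1" 404 196 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2026:08:03:00 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    # Only report clients with two or more 404s; the lone favicon miss is filtered out.
    for ip, info in sorted(triage_404s(SAMPLE_LOG, min_hits=2).items()):
        print(f"{ip}: {info['count']} x 404 -> {', '.join(info['paths'])}")
```

To run it against a real appliance log, replace SAMPLE_LOG with the lines read from /var/log/httpd/https-access_log and review the flagged clients alongside the rest of the incident-response process.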
Security researchers from watchTowr Labs remarked on the complexity of the vulnerabilities: “Someone knows bash far too well and we love it.” We applaud their statement, which recognizes the technical depth required to exploit these vulnerabilities.