Ivanti reveals a critical security threat: Zero-day attacks exploiting EPMM flaws!
Ivanti has uncovered a serious security issue, disclosing two critical vulnerabilities in their Ivanti Endpoint Manager Mobile (EPMM) software, identified as CVE-2026-1281 and CVE-2026-1340. These flaws have been exploited in zero-day attacks, putting users at risk.
The vulnerabilities are remote code injection flaws that let an unauthenticated attacker execute arbitrary code on vulnerable EPMM systems. With a CVSS score of 9.8, both are rated critical. Ivanti confirms that only a limited number of customers were affected, but the impact on those customers could be significant.
To address this, Ivanti has released RPM scripts to mitigate the issue for specific EPMM versions. They recommend using RPM 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x, and RPM 12.x.1.x for versions 12.5.1.0 and 12.6.1.0. Applying these patches is crucial, and Ivanti assures there's no downtime or functional impact.
One catch: the hotfixes do not persist through version upgrades, so users must reapply them after every upgrade until a permanent fix ships with EPMM version 12.8.0.0 in Q1 2026.
The consequences of successful exploitation are severe. Attackers gain access to sensitive information, including administrator and user details, email addresses, and data from managed mobile devices. This data includes phone numbers, IP addresses, installed apps, and device IDs like IMEI and MAC addresses.
And here's where it gets controversial: If location tracking is enabled, attackers can access device location data, potentially tracking users' movements. Additionally, attackers can manipulate device configurations, including authentication settings, through the EPMM API or web console.
Ivanti's advisories confirm zero-day exploitation but lack comprehensive indicators of compromise due to the limited number of affected customers. They provide guidance on detecting exploitation, suggesting admins review access logs for suspicious activity.
But there's a twist: Ivanti warns that compromised devices may have altered or deleted logs, making detection challenging. They recommend restoring from backups or rebuilding the appliance for affected systems.
After restoration, Ivanti suggests several security measures: resetting passwords for EPMM accounts, LDAP/KDC service accounts, and other service accounts; revoking and replacing public certificates; and reviewing Sentry logs, as EPMM and Sentry work together to manage mobile device traffic.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged the severity of CVE-2026-1281, adding it to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to apply mitigations or discontinue use of vulnerable systems by February 1, 2026.
Interestingly, CISA hasn't included CVE-2026-1340 in the KEV, leaving questions about its exploitation status. This discrepancy invites further investigation and discussion.
In related news, CISA previously analyzed malware kits used in attacks exploiting other EPMM zero-day vulnerabilities. These incidents highlight the ongoing challenges in securing mobile device management systems.
As the security landscape evolves, staying vigilant and proactive is essential. Whether managing secrets or securing AI-generated code, organizations must adapt to emerging threats. This incident serves as a reminder to prioritize security at every stage of development.