Critical Ivanti Endpoint Manager Mobile (EPMM) Zero-day Exploited in the Wild (CVE-2026-1281 & CVE-2
Summary:
On January 29, 2026, Ivanti disclosed two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, affecting Ivanti Endpoint Manager Mobile (EPMM). Both vulnerabilities are pre-authentication code injection flaws that allow an unauthenticated remote attacker to execute arbitrary commands on the affected appliance with high privileges.
The vulnerabilities stem from the improper handling of input within specific features: the "In-House Application Distribution" and "Android File Transfer Configuration" components. These flaws were actively exploited in the wild prior to disclosure, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to immediately add CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog with an urgent remediation deadline.
Security Officer Comments:
The impact of these vulnerabilities is severe, as Ivanti EPMM serves as a central hub for managing and securing an organization’s mobile device fleet. Successful exploitation grants attackers unauthenticated Remote Code Execution (RCE), which can lead to the full compromise of the EPMM appliance.
Beyond initial access, threat actors can gain access to sensitive Personally Identifiable Information (PII) of mobile users, including names, email addresses, phone numbers, and GPS data, as well as unique device identification information. Because the EPMM server often holds a privileged position within the corporate network, it can be used as a staging point for lateral movement to other internal systems, such as connected Ivanti Sentry deployments or authentication servers like LDAP and SSO.
Historically, attackers targeting EPMM have deployed web shells and reverse shells to maintain persistent access even after initial discovery.
Ivanti EPMM is commonly used by enterprise organizations with large remote workforces. It is also used to protect and manage mobile devices and tablets.
- Federal agencies use it to secure government-issued mobile devices and ensure they comply with strict security policies.
- Critical infrastructure entities may use it to manage devices or tablets used in the field.
- Large organizations may use EPMM to segment corporate data from personal data on employees' phones.
- Managed Service Providers (MSPs) may manage clients' mobile fleets using EPMM.
Suggested Corrections:
Ivanti has released emergency interim patches in the form of RPM scripts that should be applied immediately to all on-premises EPMM installations. It is critical to note that these RPM patches do not persist across version upgrades; if the appliance is updated to a new version, the patch must be reinstalled until the permanent fix is released in EPMM version 12.8.0.0.
For organizations that suspect a compromise, Ivanti recommends a more conservative recovery strategy, such as building a new EPMM appliance and migrating data or restoring from a known-good backup. Post-remediation, security teams should reset all local account passwords, rotate service account credentials (LDAP/KDC), and replace public certificates.
Organizations are also advised to monitor Apache access logs for 404 response codes on the /mifs/c/aftstore/fob/ and /mifs/c/appstore/fob/ endpoints, which may indicate attempted or successful exploitation.
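The log check described above, written out as an added example (not code from Ivanti or Rapid7): it parses Apache combined-format access-log lines, keeps only 404 responses on the two watched `/mifs/c/.../fob/` prefixes, and counts them per source address for triage. The log lines and addresses are constructed samples; the log format and field layout are assumed to match a standard Apache combined log.

```python
import re
from collections import Counter

# Paths named in Ivanti's guidance; a 404 on these is the signal to review.
WATCHED_PREFIXES = ("/mifs/c/aftstore/fob/", "/mifs/c/appstore/fob/")

# Apache combined log format: client, identd, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_fob_404(rec):
    """True when the request hit a watched endpoint and was answered with 404."""
    path = rec["path"].split("?", 1)[0]  # ignore any query string before matching
    return rec["status"] == "404" and path.startswith(WATCHED_PREFIXES)

def find_fob_404s(lines):
    """Filter an iterable of log lines down to the suspicious records."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_fob_404(rec):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"]})
    return hits

def count_by_client(hits):
    """Count suspicious requests per source address for triage."""
    return Counter(h["ip"] for h in hits)

# Constructed sample lines (not real traffic); the malformed last line is skipped.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Jan/2026:10:15:01 +0000] "GET /mifs/c/aftstore/fob/deadbeef HTTP/1.1" 404 512 "-" "curl/8.4.0"
198.51.100.7 - - [29/Jan/2026:10:15:03 +0000] "GET /mifs/c/appstore/fob/abc123 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Jan/2026:10:15:05 +0000] "GET /mifs/c/appstore/fob/x?y=1 HTTP/1.1" 404 512 "-" "curl/8.4.0"
192.0.2.44 - - [29/Jan/2026:10:16:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 512 "-" "Mozilla/5.0"
this line is not an access-log record
"""

if __name__ == "__main__":
    for h in find_fob_404s(SAMPLE_LOG.splitlines()):
        print(h["ts"], h["ip"], h["path"])
```

Run it against a real file with `find_fob_404s(open("/path/to/access_log"))`; a 200 on these endpoints is normal app-store traffic, so only the 404s are reported.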
Link(s):
https://www.rapid7.com/blog/post/et...xploited-in-the-wild-eitw-cve-2026-1281-1340/