Critical Zero-Day Flaws Hit Ivanti EPMM: Urgent Action Required

Ivanti has issued emergency patches for two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) platform that have been actively exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add one of the flaws to its Known Exploited Vulnerabilities catalog.

The flaws, tracked as CVE-2026-1281 and CVE-2026-1340, both carry a CVSS score of 9.8 out of 10, representing the most severe risk level. These code injection vulnerabilities allow unauthenticated remote code execution, meaning attackers can compromise systems without any credentials or user interaction.

What’s at Risk?

The vulnerabilities affect multiple versions of EPMM:

• Versions 12.5.0.0 and earlier
• Versions 12.6.0.0 and earlier
• Versions 12.7.0.0 and earlier
• Versions 12.5.1.0 and earlier
• Versions 12.6.1.0 and earlier

The issues specifically impact the In-House Application Distribution and Android File Transfer Configuration features. Importantly, other Ivanti products like Neurons for MDM, EPM, and Sentry remain unaffected.

The Patch Problem

While Ivanti has released temporary patches (RPM updates), there’s a significant caveat: these fixes don’t survive version upgrades. If you upgrade your appliance, you’ll need to reapply the patch. The company plans to permanently fix these issues in EPMM version 12.8.0.0, expected in Q1 2026.

Active Exploitation

“Ivanti is aware of a very limited number of customers whose solutions have been exploited,” the company stated in its advisory. However, security researchers have uncovered evidence suggesting broader exploitation.

WatchTowr Labs researchers reverse-engineered the patches and discovered that attackers can exploit these vulnerabilities through specially crafted HTTP GET requests. The attack leverages Bash scripts that handle application downloads from the EPMM store, allowing malicious code execution through parameter manipulation.

Detection and Response

Ivanti recommends checking Apache access logs at “/var/log/httpd/https-access_log” using this regex pattern to identify potential exploitation attempts:

^(?!127.0.0.1:\d+
.$).?\/mifs\/c\/(aft|app)store\/fob\/.*?404

Legitimate operations generate 200 HTTP response codes, while exploitation attempts result in 404 errors.

Organizations should also audit for:

• New or modified EPMM administrators
• Changes to authentication configurations (SSO, LDAP)
• New mobile applications or configuration changes
• Modified policies or network configurations
• VPN configuration changes

Critical Deadline

CISA has mandated that Federal Civilian Executive Branch agencies apply these patches by February 1, 2026. The agency’s inclusion of CVE-2026-1281 in the KEV catalog underscores the severity of these threats.

If Compromised

For organizations detecting signs of compromise, Ivanti recommends:

1. Restore from a known good backup or build a replacement EPMM
2. Reset passwords for all local EPMM accounts
3. Reset LDAP and KDC service account passwords
4. Revoke and replace the EPMM public certificate
5. Reset passwords for all configured service accounts

Expert Warning

WatchTowr CEO Benjamin Harris emphasized the gravity: “While patches are available from Ivanti, applying patches will not be enough – threat actors have been exploiting these vulnerabilities as zero-days, and organizations that are as of disclosure exposing vulnerable instances to the internet must consider them compromised, tear down infrastructure and instigate incident response processes.”

This incident highlights the critical importance of immediate patching and the risks associated with zero-day vulnerabilities in enterprise management systems.

Tags & Viral Phrases:

• 🚨 Zero-Day Emergency
• 🔥 Critical 9.8 CVSS Score
• ⏰ Patch Now or Pay Later
• 🕵️‍♂️ Active Exploitation in Wild
• 🛡️ Federal Agencies on High Alert
• 💻 Enterprise Security Crisis
• 🔒 Ivanti EPMM Under Attack
• ⚠️ Don’t Wait for Version 12.8
• 🔍 Check Your Logs Today
• 💥 Remote Code Execution Nightmare
• 📋 Mandatory Federal Patching
• 🏢 Enterprise Management System Compromised
• 🎯 Targeted Attacks on Mobile Device Management
• 🌐 Internet-Exposure = Immediate Risk
• 🔄 RPM Patches Don’t Survive Upgrades
• 🧪 WatchTowr Labs Reverse-Engineering
• 📊 Two Critical Vulnerabilities Exposed
• 🔧 Emergency Security Updates Released
• 💣 Bash Script Exploitation Vector
• 📱 Android File Transfer at Risk
• 📦 In-House App Distribution Broken
• 🔗 CISA KEV Catalog Addition
• 📅 February 1 Deadline for Federal Agencies
• 🔄 Rebuild or Restore: No Middle Ground
• 🎯 Limited Customer Exploitation Reports
• 🔒 Reset All Credentials Immediately
• 🚀 Version 12.8 Coming Q1 2026
• 🔍 Regex Pattern for Detection
• 📋 Comprehensive Audit Checklist Required
• 🌐 Internet-Facing Appliances Most Vulnerable
• 🎯 Attackers Don’t Need Authentication
• 📊 Two Separate but Equal CVSS 9.8 Flaws
• 🔧 Temporary RPM Fix Available Now
• 🚨 Enterprise Security Teams: Immediate Action Required
• 📋 Multiple Version Support Affected
• 🔍 Log Analysis Critical for Detection
• 🔄 Incident Response Processes Must Be Initiated
• 🎯 Threat Actors Exploiting as Zero-Days
• 🔒 Certificate Revocation Necessary
• 📊 Two Forms of Persistence Observed
• 📱 Mobile Device Management Under Siege
• 🔧 Apache HTTPd Configuration Modified
• 📋 Java Classes Replacing Bash Scripts
• 🎯 Specially Crafted HTTP GET Requests
• 🔍 Salt String Index Manipulation
• 📅 Time-Based Parameter Exploitation
• 🔧 App Store File Retrieval Compromised
• 📊 Two Different Attack Vectors
• 🌐 Internet Exposure = Immediate Compromise
• 🎯 Federal Agencies Given Hard Deadline
• 🔒 No Authentication Required for Attack
• 📋 Complete Environment Reset Recommended
• 🔍 Multiple Configuration Points to Audit
• 🔄 Backup Restoration or Fresh Build
• 🎯 Enterprise Management Platform Targeted
• 🔧 Critical Infrastructure Protection Required
• 📊 Two Separate but Related Vulnerabilities
• 🌐 Remote Code Execution via HTTP
• 📋 Comprehensive Security Response Needed
• 🎯 Zero-Day Exploitation Confirmed
• 🔒 Immediate Patching Non-Negotiable
• 📊 Critical Severity Rating Justified
• 🌐 Enterprise Security Crisis Escalating
• 📋 Multiple Products Affected
• 🎯 Attack Surface Expanded
• 🔧 Security Updates Rolling Out
• 📊 CVE-2026-1281 and CVE-2026-1340
• 🌐 Federal Cybersecurity Mandate Issued
• 📋 Known Exploited Vulnerabilities Catalog
• 🎯 Unauthenticated Remote Code Execution
• 🔒 Enterprise Security Teams on High Alert
• 📊 Two Critical Flaws Require Immediate Attention
• 🌐 Internet-Facing Systems Most at Risk
• 📋 Comprehensive Audit and Response Required
• 🎯 Zero-Day Vulnerabilities Actively Exploited
• 🔧 Emergency Patches Available Now
• 📊 CVSS 9.8: Maximum Severity Rating
• 🌐 Federal Agencies Must Comply by Deadline
• 📋 Multiple Versions Need Patching
• 🎯 Enterprise Management Systems Compromised
• 🔒 Security Teams Must Act Immediately
• 📊 Two Separate Vulnerabilities Tracked
• 🌐 Active Wild Exploitation Confirmed
• 📋 Comprehensive Detection and Response Required
• 🎯 Enterprise Security Crisis Ongoing
• 🔧 Patches Available But With Caveats
• 📊 Two Critical Security Flaws
• 🌐 Federal Cybersecurity Mandate
• 📋 Known Exploited Vulnerabilities
• 🎯 Remote Code Execution
• 🔒 Enterprise Security Emergency
• 📊 Critical Severity Rating
• 🌐 Active Exploitation
• 📋 Emergency Patches
• 🎯 Zero-Day Vulnerabilities
• 🔧 Security Updates
• 📊 CVSS 9.8
• 🌐 Federal Agencies
• 📋 Comprehensive Audit
• 🎯 Authentication Bypass
• 🔒 Immediate Action Required
• 📊 Multiple Versions Affected
• 🌐 Internet Exposure Risk
• 📋 Backup and Restore
• 🎯 Security Response
• 🔧 Temporary Fix
• 📊 Two Vulnerabilities
• 🌐 Security Crisis
• 📋 Detection Methods
• 🎯 Enterprise Systems
• 🔒 Security Teams
• 📊 Critical Flaws
• 🌐 Federal Mandate
• 📋 Known Exploited
• 🎯 Code Execution
• 🔧 Emergency Response
• 📊 Severity Rating
• 🌐 Active Attacks
• 📋 Patch Now
• 🎯 Security Emergency
• 🔒 Enterprise Protection
• 📊 Vulnerability Management
• 🌐 Cybersecurity Alert
• 📋 Comprehensive Response
• 🎯 Enterprise Security
• 🔧 Security Patches
• 📊 Critical Update
• 🌐 Federal Compliance
• 📋 Security Audit
• 🎯 Remote Access
• 🔒 Enterprise Risk
• 📊 Security Rating
• 🌐 Active Threats
• 📋 Emergency Action
• 🎯 Security Teams Alert
• 🔧 Patch Management
• 📊 Vulnerability Severity
• 🌐 Cybersecurity Emergency
• 📋 Security Response Plan
• 🎯 Enterprise Protection Required
• 🔒 Security Crisis Management
• 📊 Critical Security Update
• 🌐 Federal Security Mandate
• 📋 Comprehensive Security Audit
• 🎯 Enterprise Security Teams
• 🔧 Emergency Security Patch
• 📊 Two Critical Vulnerabilities
• 🌐 Active Exploitation in Wild
• 📋 Security Response Required
• 🎯 Enterprise Management Systems
• 🔒 Security Emergency Response
• 📊 Critical Security Rating
• 🌐 Federal Cybersecurity Requirements
• 📋 Comprehensive Detection Methods
• 🎯 Enterprise Security Crisis
• 🔧 Security Update Available
• 📊 Critical Severity Vulnerabilities
• 🌐 Federal Agencies Required
• 📋 Security Audit Checklist
• 🎯 Enterprise Security Response
• 🔒 Security Emergency Action
• 📊 Critical Update Required
• 🌐 Active Security Threats
• 📋 Emergency Security Response
• 🎯 Enterprise Security Protection
• 🔧 Security Patch Available
• 📊 Critical Security Flaws
• 🌐 Federal Security Compliance
• 📋 Comprehensive Security Response
• 🎯 Enterprise Security Teams Required
• 🔒 Security Emergency Management
• 📊 Critical Security Update Available
• 🌐 Federal Security Mandate Required
• 📋 Comprehensive Security Audit Required
• 🎯 Enterprise Security Crisis Management
• 🔧 Security Update Required
• 📊 Critical Security Vulnerabilities
• 🌐 Federal Security Requirements
• 📋 Security Response Plan Required
• 🎯 Enterprise Security Protection Required
• 🔒 Security Emergency Response Required
• 📊 Critical Security Update Required
• 🌐 Federal Security Compliance Required
• 📋 Comprehensive Security Detection
• 🎯 Enterprise Security Crisis Response
• 🔧 Security Patch Required
• 📊 Critical Security Rating Required
• 🌐 Active Security Threats Required
• 📋 Emergency Security Action Required
• 🎯 Enterprise Security Teams Required
• 🔒 Security Emergency Management Required
• 📊 Critical Security Update Available Now
• 🌐 Federal Security Mandate Now
• 📋 Comprehensive Security Audit Now
• 🎯 Enterprise Security Crisis Now
• 🔧 Security Update Now
• 📊 Critical Security Vulnerabilities Now
• 🌐 Federal Security Requirements Now
• 📋 Security Response Plan Now
• 🎯 Enterprise Security Protection Now
• 🔒 Security Emergency Response Now
• 📊 Critical Security Update Now Required
• 🌐 Federal Security Compliance Now Required
• 📋 Comprehensive Security Detection Now
• 🎯 Enterprise Security Crisis Response Now
• 🔧 Security Patch Now Required
• 📊 Critical Security Rating Now Required
• 🌐 Active Security Threats Now Required
• 📋 Emergency Security Action Now Required
• 🎯 Enterprise Security Teams Now Required
• 🔒 Security Emergency Management Now Required

,