Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) have been actively exploited, prompting the company to release urgent security updates. These flaws, CVE-2026-1281 and CVE-2026-1340, both carry a CVSS score of 9.8, allowing unauthenticated remote code execution. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the severity of the issue. These vulnerabilities affect specific versions of EPMM, including 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior, with fixes available in RPM 12.x.0.x, 12.x.1.x, and the upcoming EPMM 12.8.0.0 release in Q1 2026. The impact of these flaws extends to the In-House Application Distribution and Android File Transfer Configuration features, but Ivanti assures that other products like Ivanti Neurons for MDM, Endpoint Manager (EPM), and Sentry remain unaffected. Technical analysis reveals that attackers have exploited these vulnerabilities to deploy web shells and reverse shells for persistence on compromised appliances. Successful exploitation can lead to arbitrary code execution and access to sensitive device information. To detect exploitation attempts, users are advised to monitor the Apache access log for 404 HTTP response codes. Additionally, Ivanti recommends reviewing authentication configurations, push applications, and network settings for unauthorized changes. In the event of a compromise, users should restore from backups or rebuild EPMM, then secure the environment by resetting passwords, revoking certificates, and updating configurations. The urgency of these updates is underscored by CISA's requirement for Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by February 1, 2026. This incident highlights the ongoing battle against zero-day exploits and the importance of prompt security updates. Stay tuned for more exclusive cybersecurity insights and follow our updates on Google News, Twitter, and LinkedIn.
