Active Attacks Exploit Critical Ivanti EPMM Zero-Day, Corporate Networks At Risk - cyberpress.org

Source: cyberpress.org, archived Apr 08, 2026
By Varshini, February 20, 2026
Categories: Cyber Security News, Vulnerabilities, Zero-day

Two newly discovered zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, are being actively exploited against organizations using Ivanti Endpoint Manager Mobile (EPMM), a widely deployed mobile device management (MDM) platform. Security researchers warn that attackers can remotely execute code on affected servers without authentication, user interaction, or stolen credentials.

The flaws allow a remote attacker to take full control of the MDM infrastructure. Because EPMM manages corporate smartphones, tablets, applications, and access policies, a compromised server effectively gives attackers a pathway directly into an enterprise network.

Researchers from Unit 42 reported that attackers are already using the vulnerabilities in real-world intrusions. Observed activity includes establishing reverse shells, deploying web shells, conducting reconnaissance, and downloading additional malware. Some attackers immediately install persistent backdoors designed to survive even after patches are applied.

The campaign has impacted organizations across the United States, Germany, Australia, and Canada. Affected sectors include government agencies, healthcare providers, manufacturing firms, legal and professional services, and high-technology companies.

Due to active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog, signaling an urgent patching requirement.

How The Vulnerability Works

CVE-2026-1281 carries a severity score of 9.8 and is a remote code execution vulnerability. The flaw exists in legacy bash scripts used by the Apache web server for URL rewriting. Attackers send specially crafted HTTP requests to EPMM endpoints and manipulate variables processed by the script. Through a technique known as bash arithmetic expansion, the system interprets attacker-controlled input as commands and executes them on the server.

The second flaw, CVE-2026-1340, affects the Android file transfer feature and uses a similar mechanism in a different script. Both vulnerabilities can be triggered through specific URLs exposed to the internet.

Attackers are using automated scanners to locate vulnerable servers. In many cases, they first send a harmless command, such as a short delay, to confirm exploitation. Once verified, they deploy payloads including web shells, cryptominers, and persistent access tools. Researchers also observed attempts to download monitoring agents and connect compromised servers to command-and-control infrastructure.

Patching and Mitigation

Ivanti released security updates in January 2026 and urged customers to install the appropriate RPM patch immediately. The company stated the update requires no downtime and does not affect functionality. Security teams are also advised to review systems for signs of compromise after patching, as attackers may already have established hidden access.

More than 4,400 exposed EPMM instances have been observed on the internet, indicating a large potential attack surface. Experts recommend isolating management interfaces, restricting external access, monitoring logs for suspicious requests, and adopting an "assumed breach" mindset.

According to Palo Alto Networks, the rapid weaponization of these vulnerabilities highlights a growing cybersecurity trend: attackers are integrating newly disclosed flaws into automated attack frameworks within hours. Organizations that delay patching internet-facing systems now face immediate and significant risk of network compromise.
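The article's mitigation advice includes monitoring logs for suspicious requests, and the mechanism it describes is bash arithmetic expansion reached through request parameters that a legacy rewrite script processes. The following Python script is an added example (not code from the article, Ivanti, or Unit 42) of what a first-pass log check for that request shape can look like: it parses Apache-style access log lines, percent-decodes the request URI (repeatedly, so double-encoded input is normalised), and flags URIs that carry the shell's arithmetic-expansion openers `$((` or `$[`. The log format, the `/placeholder/endpoint` path, and the sample lines are all constructed for the example; the article names no endpoints, and the pattern is a generic heuristic rather than a vendor detection signature.

```python
"""Flag Apache-style access log lines whose request URI carries bash
arithmetic-expansion syntax after percent-decoding.

Added example for the article above; not vendor or researcher code.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Openers of bash arithmetic expansion: "$((" and the older "$[" form.
# Matched after decoding so %24%28%28 and double-encoded variants are caught.
ARITH_EXPANSION = re.compile(r"\$\(\(|\$\[")

# Apache common/combined log prefix: client, ident, user, [timestamp],
# "METHOD URI PROTO", status, size.  (Assumed format for this example.)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def decode_uri(uri: str, rounds: int = 3) -> str:
    """Percent-decode until stable, bounded so a hostile input cannot loop."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def flag_line(line: str):
    """Return a finding dict for a suspicious line, or None for benign/unparsed."""
    match = LOG_LINE.match(line)
    if match is None:
        return None  # not in the expected format; skip rather than guess
    decoded = decode_uri(match.group("uri"))
    hit = ARITH_EXPANSION.search(decoded)
    if hit is None:
        return None
    return {
        "ip": match.group("ip"),
        "ts": match.group("ts"),
        "status": int(match.group("status")),
        "uri": decoded,
        "pattern": hit.group(0),
    }


def scan(lines):
    """Run flag_line over every line and keep only the findings."""
    return [f for f in map(flag_line, lines) if f is not None]


def by_source(findings):
    """Count findings per client IP, useful for spotting automated scanners."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log lines (placeholder path; RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Feb/2026:10:01:02 +0000] '
    '"GET /placeholder/endpoint?id=42 HTTP/1.1" 200 512',
    # single-encoded "$((1+1))" in a query parameter
    '198.51.100.7 - - [20/Feb/2026:10:02:15 +0000] '
    '"GET /placeholder/endpoint?id=%24%28%281%2B1%29%29 HTTP/1.1" 400 0',
    # double-encoded "$[7]" so a single-pass decoder would miss it
    '198.51.100.7 - - [20/Feb/2026:10:02:16 +0000] '
    '"GET /placeholder/endpoint?n=%2524%255B7%255D HTTP/1.1" 400 0',
    "garbage line without access-log structure",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} status={h['status']} "
              f"pattern={h['pattern']!r} uri={h['uri']}")
    print("per-source counts:", dict(by_source(hits)))
```

Point the script at a real access log by replacing `SAMPLE_LOG` with the file's lines; a 4xx status on a flagged request is not evidence that it failed, since the article notes the vulnerable script runs during URL rewriting, before the application's own response. Treat a hit as a trigger for the post-patch compromise review the article recommends, not as proof either way.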