Critical Ivanti EPMM Zero-Day Vulnerabilities Exploited in the Wild, Targeting Corporate Networks
gbhackers.com
By Mayura Kathir
February 18, 2026
Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, are being actively exploited to compromise enterprise mobile fleets and corporate networks.
Both are remote code execution (RCE) vulnerabilities that allow unauthenticated attackers to run arbitrary commands on exposed EPMM servers, effectively giving them full control of the mobile device management (MDM) infrastructure without user interaction.
Ivanti and multiple security vendors have confirmed in-the-wild exploitation, and CVE-2026-1281 has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for patching.
Unit 42 reports that attackers are using these vulnerabilities to establish reverse shells, deploy web shells, conduct reconnaissance and download additional malware onto vulnerable EPMM appliances.
Attempts to execute reverse shells (Source: Unit 42).
The campaign has impacted organizations across state and local government, healthcare, manufacturing, professional and legal services and high-technology sectors in the United States, Germany, Australia and Canada.
EPMM Zero-Day Vulnerabilities
Threat actors are increasingly moving from initial probing to deploying dormant backdoors designed to maintain long-term access even after patches are applied, raising the risk of stealthy persistence and lateral movement inside corporate networks.
CVE-2026-1281, rated CVSS 9.8, is a critical code injection flaw in legacy bash scripts used by the Apache web server for URL rewriting in EPMM’s In-House Application Distribution feature.
The vulnerable RewriteMap configuration invokes a script at /mi/bin/map-appstore-url, where attackers can manipulate parameters such as st and h in crafted HTTP GET requests to /mifs/c/appstore/fob/ to trigger bash arithmetic expansion and execute injected commands.
CVE-2026-1340, also CVSS 9.8, affects the Android File Transfer mechanism via a similar unsafe bash scripting pattern in a separate script (map-aft-store-url), reachable through /mifs/c/aftstore/fob/ endpoints.
Observed post-exploitation activity includes attempts to download a second-stage “/slt” script to install web shells, cryptominers or persistent backdoors, as well as deployment of tools like the Nezha monitoring agent to broaden attacker visibility.
URL and commands from an exploitation attempt (Source: Unit 42).
Adversaries have also been seen using sleep-based timing commands to verify RCE success and uploading lightweight JSP web shells with names such as 401.jsp, 403.jsp and 1.jsp into /mi/tomcat/webapps/mifs/, which can grant full administrative control when the web server runs with elevated privileges.
If the connection hangs for exactly five seconds before returning an error (e.g., a 404 error), the attacker knows they have achieved RCE and will follow up immediately with malicious payloads.
Attempts at reconnaissance (Source: Unit 42).
Mitigations
Ivanti’s January 2026 security advisory instructs customers to apply RPM 12.x.0.x or 12.x.1.x packages, depending on their installed version, noting that the RPMs are version-specific and require no downtime or functional changes.
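The two detection checks below are an added example written for this article; they are not Ivanti, Unit 42 or Palo Alto Networks code and are not the NCSC-NL detection script the advisory mentions. The first scans Apache-style access log lines for requests to the two endpoints the article names (/mifs/c/appstore/fob/ and /mifs/c/aftstore/fob/) whose st or h parameters contain anything other than a plain token, which is where the article says the bash arithmetic-expansion injection lives. The second lists JSP files under /mi/tomcat/webapps/mifs/ that are not in a known-good baseline, covering the 401.jsp / 403.jsp / 1.jsp web shells described above. The log format, the token alphabet assumed for legitimate st and h values, the sample log lines and the baseline file list are all assumptions constructed for the example.

```python
"""Defender-side checks for the Ivanti EPMM exploitation activity described in the article.

Assumptions (not taken from the article):
- the appliance's Apache access log uses the common/combined format;
- legitimate st and h values are plain tokens (letters, digits, '.', '_', '-');
- the baseline of expected JSP files is maintained by the operator.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Request paths the article names as reaching the vulnerable RewriteMap scripts.
VULNERABLE_PREFIXES = ("/mifs/c/appstore/fob/", "/mifs/c/aftstore/fob/")
# Query parameters the article says are manipulated to trigger arithmetic expansion.
WATCHED_PARAMS = ("st", "h")
# Web application directory the article names as the web-shell drop location.
WEBAPP_DIR = "/mi/tomcat/webapps/mifs/"

# Apache combined log: client IP, timestamp, request line, status (other fields ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed alphabet for legitimate parameter values; anything outside it is flagged.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._-]*$")


def suspicious_request(target):
    """Return a reason string if the request target looks like an injection attempt, else None.

    parse_qs percent-decodes values, so an encoded '$((' is inspected in decoded form.
    """
    parts = urlsplit(target)
    if not parts.path.startswith(VULNERABLE_PREFIXES):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if not SAFE_TOKEN.match(value):
                return f"parameter {name} contains non-token characters: {value!r}"
    return None


def scan_access_log(lines):
    """Return (ip, timestamp, target, reason) tuples for suspicious log lines."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a production tool would count these
        reason = suspicious_request(match.group("target"))
        if reason:
            hits.append((match.group("ip"), match.group("ts"), match.group("target"), reason))
    return hits


def unexpected_jsp_files(paths, baseline):
    """Return JSP files under the mifs web app directory that are absent from the baseline."""
    return sorted(
        p for p in paths
        if p.startswith(WEBAPP_DIR) and p.lower().endswith(".jsp") and p not in baseline
    )


# Constructed sample log lines (RFC 5737 documentation addresses; PLACEHOLDER stands in
# for whatever an attacker would put inside the expansion).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Feb/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/?st=app-1234&h=ab12cd34 HTTP/1.1" 200 512',
    '203.0.113.9 - - [17/Feb/2026:10:01:05 +0000] "GET /mifs/c/appstore/fob/?st=x[$((PLACEHOLDER))]&h=1 HTTP/1.1" 404 0',
    '198.51.100.4 - - [17/Feb/2026:10:02:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048',
    '198.51.100.4 - - [17/Feb/2026:10:02:30 +0000] "GET /mifs/c/aftstore/fob/?st=%24%28%28PLACEHOLDER%29%29 HTTP/1.1" 404 0',
]

# Constructed directory listing and operator-maintained baseline (assumed file names).
SAMPLE_PATHS = [
    "/mi/tomcat/webapps/mifs/index.jsp",
    "/mi/tomcat/webapps/mifs/401.jsp",
    "/mi/tomcat/webapps/mifs/WEB-INF/web.xml",
]
KNOWN_JSP = {"/mi/tomcat/webapps/mifs/index.jsp"}

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious request:", hit)
    for path in unexpected_jsp_files(SAMPLE_PATHS, KNOWN_JSP):
        print("unexpected JSP file:", path)
```

Run over a real appliance, the log check is a triage aid rather than a full detector: a benign value that falls outside the assumed alphabet will be flagged, and double-encoded or fragmented payloads may not be, so treat any hit as a prompt to apply the vendor's indicators and detection script rather than as proof either way. The JSP baseline should be taken from a known-clean installation, not from the appliance under investigation.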
Ivanti further urges organizations to patch immediately, then review appliances for signs of compromise using provided indicators of compromise, analysis guidance and an exploitation detection script developed with NCSC-NL.
Palo Alto Networks reports more than 4,400 internet-exposed EPMM instances in Cortex Xpanse telemetry and notes that customers can leverage Advanced URL Filtering, Advanced DNS Security, Cortex Xpanse and Next-Generation Firewalls with Advanced Threat Prevention to help detect and block exploitation activity.
The rapid weaponization of these vulnerabilities shows how quickly new CVEs are being folded into automated scanning and exploitation frameworks, leaving unpatched edge devices highly exposed.
Organizations with internet-facing EPMM deployments should adopt an assumed-breach mindset and treat any indicator of exploitation as a potential full compromise.
Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.