Active Attacks Exploit Critical Ivanti EPMM Zero-Day, Corporate Networks At Risk
By Varshini
February 20, 2026
Categories: Cyber Security News, Vulnerabilities, Zero-day
Two newly discovered zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, are being actively exploited against organizations using Ivanti Endpoint Manager Mobile (EPMM), a widely deployed mobile device management (MDM) platform.
Security researchers warn that attackers can remotely execute code on affected servers without authentication, user interaction, or stolen credentials.
The flaws allow a remote attacker to take full control of the MDM infrastructure. Because EPMM manages corporate smartphones, tablets, applications, and access policies, a compromised server effectively gives attackers a pathway directly into an enterprise network.
Researchers from Unit 42 reported that attackers are already using the vulnerabilities in real-world intrusions.
Observed activity includes establishing reverse shells, deploying web shells, conducting reconnaissance, and downloading additional malware. Some attackers immediately install persistent backdoors designed to survive even after patches are applied.
The campaign has impacted organizations across the United States, Germany, Australia, and Canada. Affected sectors include government agencies, healthcare providers, manufacturing firms, legal and professional services, and high-technology companies.
Due to active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog, signaling an urgent patching requirement.
How The Vulnerability Works
CVE-2026-1281 carries a severity score of 9.8 and is a remote code execution vulnerability. The flaw exists in legacy bash scripts used by the Apache web server for URL rewriting.
Attackers send specially crafted HTTP requests to EPMM endpoints that set variables the script then processes. Because the script evaluates those variables with bash arithmetic expansion, attacker-controlled input is interpreted as shell commands and executed on the server.
The second flaw, CVE-2026-1340, affects the Android file transfer feature and uses a similar mechanism in a different script. Both vulnerabilities can be triggered through specific URLs exposed to the internet.
Attackers are using automated scanners to locate vulnerable servers. In many cases, they first send a harmless command, such as a short delay, to confirm exploitation.
Once verified, they deploy payloads including web shells, cryptominers, and persistent access tools. Researchers also observed attempts to download monitoring agents and connect compromised servers to command-and-control infrastructure.
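To make the root cause concrete, here is an added illustration (not Ivanti's script, and not code from the article) of the unsafe pattern the researchers describe: a shell script that feeds an untrusted request variable straight into arithmetic expansion, beside a hardened version that accepts only a plain decimal integer. The function names and the `count` parameter are hypothetical.

```shell
#!/bin/sh
# Hypothetical illustration of the bug class, not Ivanti's rewrite script.

# UNSAFE: whatever string arrives in the request variable is expanded into
# the arithmetic context, so operators and expressions in it are evaluated
# instead of being treated as a number.
unsafe_arith() {
  count="$1"
  echo $(( $count + 1 ))
}

# HARDENED: validate the value before any arithmetic is performed.
# Only a plain decimal integer (no sign, no leading zero, no operators)
# passes; everything else is rejected with a non-zero status.
safe_arith() {
  count="$1"
  case "$count" in
    ''|*[!0-9]*)
      echo "rejected: non-numeric input" >&2
      return 1 ;;
    0?*)
      # Leading zeros would be read as octal by some shells; refuse them.
      echo "rejected: leading zero" >&2
      return 1 ;;
  esac
  echo $(( $count + 1 ))
}

# Constructed demonstration: an expression as input is evaluated by the
# unsafe path but rejected by the hardened one.
unsafe_arith '1+1'              # prints 3: the input was evaluated, not counted
safe_arith '1+1' || echo "blocked"
safe_arith 41                   # prints 42
```

The hardened function's allow-list check is the same idea as a web application firewall rule that rejects arithmetic metacharacters in the affected parameters, but it closes the hole at the point where the value is actually used.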
Patching and Mitigation
Ivanti released security updates in January 2026 and urged customers to install the appropriate RPM patch immediately. The company stated the update requires no downtime and does not affect functionality.
Security teams are also advised to review systems for signs of compromise after patching, as attackers may already have established hidden access.
More than 4,400 exposed EPMM instances have been observed on the internet, indicating a large potential attack surface.
Experts recommend isolating management interfaces, restricting external access, monitoring logs for suspicious requests, and adopting an “assumed breach” mindset.
According to Palo Alto Networks, the rapid weaponization of these vulnerabilities highlights a growing cybersecurity trend: attackers are integrating newly disclosed flaws into automated attack frameworks within hours.
Organizations that delay patching internet-facing systems now face immediate and significant risk of network compromise.