Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released - The Hacker News

The Hacker News, archived Mar 16, 2026
Ravie Lakshmanan, Jan 30, 2026, Vulnerability / Enterprise Security

Ivanti has rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks, one of which has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog.

The critical-severity vulnerabilities are listed below -

- CVE-2026-1281 (CVSS score: 9.8) - A code injection allowing attackers to achieve unauthenticated remote code execution
- CVE-2026-1340 (CVSS score: 9.8) - A code injection allowing attackers to achieve unauthenticated remote code execution

They affect the following versions -

- EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (Fixed in RPM 12.x.0.x)
- EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (Fixed in RPM 12.x.1.x)

However, it bears noting that the RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities will be permanently addressed in EPMM version 12.8.0.0, which will be released later in Q1 2026.

"We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," Ivanti said in an advisory, adding it does not have enough information about the threat actor tactics to provide "reliable atomic indicators."

The company noted that CVE-2026-1281 and CVE-2026-1340 affect the In-House Application Distribution and the Android File Transfer Configuration features. These shortcomings do not affect other products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry.

In a technical analysis, Ivanti said it has typically seen two forms of persistence based on prior attacks targeting older vulnerabilities in EPMM.
This includes deploying web shells and reverse shells for setting up persistence on the compromised appliances.

"Successful exploitation of the EPMM appliance will enable arbitrary code execution on the appliance," Ivanti noted. "Aside from lateral movement to the connected environment, EPMM also contains sensitive information about devices managed by the appliance."

Users are advised to check the Apache access log at "/var/log/httpd/https-access_log" to look for signs of attempted or successful exploitation using the below regular expression (regex) pattern -

^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404

"Legitimate use of these capabilities will result in 200 HTTP response codes in the Apache access log, whereas successful or attempted exploitation will cause 404 HTTP response codes," it explained. The pattern is meant to be applied line by line: it anchors on the client address and port at the start of each line, skips loopback requests, and matches the literal 404 anywhere after the store path. Its negative lookahead is not POSIX extended regex syntax, so use a PCRE-capable tool (for example grep -P or a Python re search) rather than grep -E.

In addition, customers are being asked to review the following to look for any evidence of unauthorized configuration changes -

- EPMM administrators for new or recently changed administrators
- Authentication configuration, including SSO and LDAP settings
- New push applications for mobile devices
- Configuration changes to applications you push to devices, including in-house applications
- New or recently modified policies
- Network configuration changes, including any network configuration or VPN configuration you push to mobile devices

In the event signs of compromise are detected, Ivanti is also urging users to restore the EPMM device from a known good backup or build a replacement EPMM and then migrate data to the device.
Once the steps are performed, it's essential to make the following changes to secure the environment -

- Reset the password of any local EPMM accounts
- Reset the password for the LDAP and/or KDC service accounts that perform lookups
- Revoke and replace the public certificate used for your EPMM
- Reset the password for any other internal or external service accounts configured with the EPMM solution

The development has prompted CISA to add CVE-2026-1281 to the KEV catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the updates by February 1, 2026.

Update

In a report published January 30, 2026, researchers from watchTowr Labs said they reverse-engineered the patches, noting that the RPM fixes modify the Apache HTTPd config to replace two Bash shell scripts ("/mi/bin/map-appstore-url" and "/mi/bin/map-aft-store-url") with newly introduced Java classes. As a result, the cybersecurity company said, the vulnerability must be exploitable through HTTP, ultimately leading to a specially crafted HTTP GET request that could be used to pull it off -

GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60sleep%205%60%5D/e2327851-1e09-4463-9b5a-b524bc71fc07.ipa

This stems from the fact that the Bash script "/mi/bin/map-appstore-url" allows users to fetch mobile applications from the Ivanti EPMM-approved application store based on certain parameters, including -

- The index of a salt string from "/mi/files/appstore-salt.txt" (kid)
- Start time of the download operation (st)
- End time of the download operation (et)
- SHA256 hash (h), and
- The app store file to retrieve ("e2327851-1e09-4463-9b5a-b524bc71fc07")

In other words, sending an HTTP request to the endpoint "/mifs/c/appstore/fob/3/<int>/sha256:<something1>/<something2>.ipa" will cause Apache to execute the Bash script with the input: "<something1>_<int>_<something2>_.ipa_<HostHeader>_<EndpointPath>". In the sample request above, the h value URL-decodes to gPath[`sleep 5`], a Bash command substitution, so the attacker-controlled sha256 segment is what carries the injected command (sleep 5 being a harmless timing probe used to confirm execution).

"While patches are available from Ivanti, applying patches will not be enough – threat actors have been exploiting these vulnerabilities as zero-days, and organizations that are as of disclosure exposing vulnerable instances to the internet must consider them compromised, tear down infrastructure and instigate incident response processes," watchTowr CEO Benjamin Harris said.

Rapid7, in an analysis of the flaws, said successful exploitation could allow an attacker to compromise the EPMM server and access Personally Identifiable Information (PII) regarding mobile device users, such as their names and email addresses, phone numbers, GPS information, and other sensitive unique identification information. In addition, the privileged position that the attacker has with the EPMM device means it may further allow for lateral movement within the compromised network, it added.

"In just 24 hours, our Ivanti EPMM honeypot recorded hundreds of inbound traffic connections from more than 130 unique IP addresses, with 58% directly attempting exploitation of the latest Ivanti EPMM vulnerabilities," Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, told The Hacker News on February 7, 2026. "The dominant payloads weren't 'research scans', they were built to gain control fast through reverse shells over port 443, webshell deployment attempts, and automated droppers."

(The story was updated after publication on February 8, 2026, to reflect the latest developments.)
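As an added example (not code from The Hacker News, Ivanti, watchTowr or Rapid7), the Python script below ties together the two technical points in the article: it runs Ivanti's published access-log regex over a handful of constructed log lines, then URL-decodes each matched request path and extracts the "sha256:" segment that the watchTowr analysis says is handed to the Bash script, flagging shell metacharacters in it. The log line layout (client address and port first, then a combined-log style request and status), the sample client addresses and the metacharacter list are assumptions made for this example; the page does not show the script's exact sink, so the metacharacter flag is a triage aid, and per Ivanti any non-loopback 404 on these paths deserves a look regardless.

```python
import re
from urllib.parse import unquote

# Ivanti's published pattern, quoted in the article: skip loopback requests,
# match any request to the /mifs/c/aftstore/fob/ or /mifs/c/appstore/fob/
# handlers whose line carries a 404 after the path. It is applied per line.
IVANTI_REGEX = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# Shell metacharacters that matter if the decoded segment reaches an unquoted
# Bash expansion. Assumption for this example: the page does not show the
# script's exact sink, so a hit is a triage signal, not proof of execution.
SHELL_META = re.compile(r"`|\$\(|;|\||&&")

# Constructed sample lines, not real appliance logs. Assumed layout:
# client:port - - [time] "request" status size   (client address first,
# which is what Ivanti's regex expects). The third line is the watchTowr
# sample request from the article; the fourth is a variant on the aft path.
SAMPLE_LOG = """\
203.0.113.10:51432 - - [30/Jan/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=1769767262,et=1769770862,h=0a1b2c/e2327851-1e09-4463-9b5a-b524bc71fc07.ipa HTTP/1.1" 200 4096
127.0.0.1:40000 - - [30/Jan/2026:10:02:00 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=1,et=2,h=x/e2327851-1e09-4463-9b5a-b524bc71fc07.ipa HTTP/1.1" 404 0
198.51.100.7:44010 - - [30/Jan/2026:10:03:11 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60sleep%205%60%5D/e2327851-1e09-4463-9b5a-b524bc71fc07.ipa HTTP/1.1" 404 0
198.51.100.7:44011 - - [30/Jan/2026:10:03:12 +0000] "GET /mifs/c/aftstore/fob/3/5/sha256:kid=1,st=1,et=2,h=a%24%28id%29/payload.ipa HTTP/1.1" 404 0
192.0.2.5:50001 - - [30/Jan/2026:10:04:00 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=1,et=2,h=deadbeef/missing.ipa HTTP/1.1" 404 0
192.0.2.5:50002 - - [30/Jan/2026:10:04:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 0
"""


def find_exploit_candidates(log_text):
    """Return every log line that Ivanti's regex flags (loopback excluded,
    store path present, 404 after it)."""
    return [line for line in log_text.splitlines() if IVANTI_REGEX.search(line)]


def decode_fob_request(line):
    """Pull the quoted request path out of a log line and URL-decode it once,
    which is the form Apache hands on. Returns None if no request is present."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
    return unquote(m.group(1)) if m else None


def extract_hash_segment(path):
    """Return the 'sha256:...' path segment (what the article calls
    <something1>) from a decoded fob path, or None if the shape does not fit."""
    m = re.search(r"/fob/\d+/\d+/(sha256:[^/]*)/", path)
    return m.group(1) if m else None


def triage(log_text):
    """For each candidate line, report the client, the decoded sha256 segment
    and whether that segment carries shell metacharacters."""
    results = []
    for line in find_exploit_candidates(log_text):
        client = line.split(" ", 1)[0]
        segment = extract_hash_segment(decode_fob_request(line) or "")
        results.append({
            "client": client,
            "segment": segment,
            "shell_meta": bool(segment and SHELL_META.search(segment)),
        })
    return results


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Against the real appliance, call triage() on the contents of /var/log/httpd/https-access_log (and any rotated copies). A hit with shell_meta set is a strong indicator of an exploitation attempt; a 404 on these paths without metacharacters still falls under Ivanti's "attempted or successful exploitation" description and should be reviewed rather than discarded.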