Critical Ivanti EPMM Zero-Day Vulnerabilities Exploited in The Wild Targeting Corporate Networks - CyberSecurityNews
Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) have emerged as a major threat to enterprise networks, with active exploitation campaigns targeting corporate infrastructure across multiple countries.
The vulnerabilities, identified as CVE-2026-1281 and CVE-2026-1340, enable unauthenticated attackers to execute arbitrary code remotely on target servers without requiring any user interaction or credentials.
These flaws have already affected organizations in the United States, Germany, Australia and Canada, particularly impacting sectors such as state and local government, healthcare, manufacturing, professional services and high technology.
The attack grants threat actors complete control over mobile device management infrastructure, allowing them to establish reverse shells, install web shells, conduct reconnaissance and download malicious software.
Unit 42 has documented widespread automated exploitation attempts since the vulnerabilities were disclosed in January 2026.
The U.S. Cybersecurity and Infrastructure Security Agency quickly added CVE-2026-1281 to its Known Exploited Vulnerabilities Catalog due to the severity and active exploitation.
Palo Alto Networks researchers identified over 4,400 EPMM instances exposed on the internet through their Cortex Xpanse telemetry system.
The analysts noted that threat actors are rapidly accelerating their operations, moving from initial reconnaissance to deploying dormant backdoors designed to maintain long-term access even after organizations apply security patches.
This demonstrates how attackers are adapting their strategies to ensure persistent access to compromised networks.
Both vulnerabilities stem from unsafe bash script usage in legacy components that handle URL rewriting within the Apache web server configuration.
CVE-2026-1281 affects scripts used for the In-House Application Distribution feature, while CVE-2026-1340 impacts the Android File Transfer mechanism.
Attack Methods and Malicious Activity
During exploitation attempts, attackers have deployed multiple types of malware and tools to compromise vulnerable systems.
Security researchers observed the installation of lightweight JSP web shells with names like 401.jsp, 403.jsp and 1.jsp placed in the server’s web application directory.
Figure 1: Format of command targeting vulnerable Ivanti EPMM servers (Source – Palo Alto Networks)
When successful, these shells grant administrative control if the web server runs with elevated privileges. Figure 1 shows command formats targeting vulnerable servers, while Figure 2 displays URL patterns from exploitation attempts.
Figure 2: URL and commands from an exploitation attempt (Source – Palo Alto Networks)
Threat actors also attempted to download the Nezha monitoring agent, an open-source server utility, with specific parameters to target victims in China by fetching from Gitee repositories.
Some campaigns involved downloading second-stage payloads that install cryptominers or persistent backdoors on compromised appliances.
Additionally, attackers used sleep commands as a reconnaissance method to determine whether a server is vulnerable. Figure 5 shows reconnaissance attempts, and Figure 6 displays a decoded JSP web shell.
Ivanti released version-specific patches (RPM 12.x.0.x or RPM 12.x.1.x) that require no downtime and take only seconds to apply.
Organizations should immediately patch vulnerable systems and review appliances for signs of exploitation that may have occurred before patching.
The company also provided an Exploitation Detection script developed with NCSC-NL to help customers identify potential compromises.
Unit 42 recommends organizations adopt an assumed breach mentality and treat any detection of indicators as potential compromise with deeper persistence.
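As an added defensive example (not code from the article, Unit 42, or Ivanti's detection script), the following Python scans Apache-style access log lines for requests to the web shell file names reported above and for the sleep-style timing probes the article mentions. The combined log format, the `/webapp/` directory, and the sleep pattern are assumptions; the log lines are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Web shell file names reported by Unit 42 for this campaign.
WEB_SHELL_NAMES = ("401.jsp", "403.jsp", "1.jsp")

# Apache combined log format (assumed; adjust to the appliance's actual format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Heuristic (assumed pattern): a shell-style delay such as "sleep 30" in the decoded request.
SLEEP_RE = re.compile(r"\bsleep\s+\d+", re.IGNORECASE)


def classify_request(line: str) -> Optional[str]:
    """Return a finding label for a suspicious access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so double-URL-encoded payloads are still inspected.
    decoded = unquote(unquote(m.group("path")))
    filename = decoded.split("?", 1)[0].rsplit("/", 1)[-1]
    if filename in WEB_SHELL_NAMES:
        return f"webshell-access:{filename}"
    if SLEEP_RE.search(decoded):
        return "timing-probe"
    return None


def scan_access_log(lines):
    """Return (client_ip, timestamp, label) for every line that triggers a finding."""
    findings = []
    for line in lines:
        label = classify_request(line)
        if label:
            m = LOG_RE.match(line)
            findings.append((m.group("ip"), m.group("ts"), label))
    return findings


# Constructed sample log lines (not real telemetry); /webapp/ is a placeholder path.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2026:10:01:02 +0000] "GET /webapp/403.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Jan/2026:10:02:15 +0000] "GET /webapp/login.jsp HTTP/1.1" 200 2048',
    '203.0.113.5 - - [20/Jan/2026:10:03:40 +0000] "GET /webapp/x?p=%3Bsleep%2030 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for ip, ts, label in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {label}")
```

A hit on a web shell name is a strong signal; a timing-probe hit is a heuristic that should be corroborated with Ivanti's detection script and a review of the web application directory before concluding compromise.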