Ivanti has disclosed two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, that were exploited in zero-day attacks.
The issues are code-injection vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable devices without authentication. Both vulnerabilities have a CVSS score of 9.8 and are rated critical.
“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” warns Ivanti.

Ivanti has released RPM scripts to mitigate the vulnerabilities for affected EPMM versions:
- Use RPM 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x
- Use RPM 12.x.1.x for EPMM versions 12.5.1.0 and 12.6.1.0
The company says no downtime is required to apply the patches and that there is no functional impact, so it is strongly advised to apply them as soon as possible.
However, the company warns that the hotfixes do not survive a version upgrade and must be reapplied if the appliance is upgraded before a permanent fix is available.
The vulnerabilities will be permanently fixed in EPMM version 12.8.0.0, which will be released later in Q1 2026.
Ivanti says successful exploitation allows attackers to execute arbitrary code on the EPMM appliance, giving them access to a wide range of information stored on the platform.
This information includes administrator and user names, usernames, and email addresses, as well as details about managed mobile devices such as phone numbers, IP addresses, installed applications, and device identifiers like IMEI and MAC addresses.
If location tracking is enabled, attackers could also access device location data, including GPS coordinates and the locations of the nearest cell towers.
Ivanti warns that attackers could also use the EPMM API or web console to make configuration changes to devices, including authentication settings.
Actively exploited zero-days
Ivanti’s advisories state that both vulnerabilities were exploited as zero-days, but the company does not have reliable indicators of compromise (IOCs) because of the small number of known impacted customers.
However, the company has published technical guidance on detecting exploitation and post-exploitation behavior that admins can use.
Ivanti says both vulnerabilities are triggered through the In-House Application Distribution and Android File Transfer Configuration features, with attempted or successful exploitation appearing in the Apache access log at /var/log/httpd/https-access_log.
To help defenders identify suspicious activity, Ivanti provided a regular expression that can be used to search for exploitation activity in the access logs:
^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404
The expression lists log entries for external requests (not localhost traffic) that target the vulnerable endpoints and return an HTTP 404 response code.
According to Ivanti, legitimate requests to these endpoints typically return an HTTP 200 response. Exploitation attempts, whether successful or not, return 404 errors, making these entries a strong indicator that a device has been targeted.
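As an added example (not Ivanti's or BleepingComputer's code), the Python script below runs Ivanti's regex over a handful of constructed access-log lines and, beside it, a field-aware check that reads the HTTP status column instead of looking for the digits "404" anywhere on the line. The log line layout (Apache combined-style with a "client:port" first field) and the request paths under /mifs/c/{aft,app}store/fob/ are assumptions for illustration; confirm the LogFormat on your own appliance before relying on the parser.

```python
import re
from typing import Dict, List

# Ivanti's published detection regex as quoted above (the backslash on \d is
# restored, since it was lost in the page's rendering). The negative lookahead
# drops lines whose first field is 127.0.0.1:<port>, i.e. loopback traffic; the
# rest requires a request to the In-House Application Distribution (appstore)
# or Android File Transfer (aftstore) endpoints followed, somewhere later on
# the same line, by the digits "404".
IVANTI_REGEX = re.compile(r"^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404")

# Stricter field-aware check. ASSUMPTION: https-access_log lines look like an
# Apache combined-style record whose first field is "client:port".
LINE_RE = re.compile(
    r'^(?P<client>[^ :]+):(?P<port>\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TARGET_PATH = re.compile(r"^/mifs/c/(aft|app)store/fob/")
LOOPBACK = "127.0.0.1"

# Constructed sample log lines (not real data). The last line is deliberately
# a legitimate 200 whose path happens to contain "404", to show where the
# published regex over-matches.
SAMPLE_LOG = """\
10.0.0.5:51234 - - [14/Jan/2026:10:00:01 +0000] "POST /mifs/c/aftstore/fob/upload HTTP/1.1" 404 0
127.0.0.1:40000 - - [14/Jan/2026:10:00:02 +0000] "GET /mifs/c/appstore/fob/check HTTP/1.1" 404 0
10.0.0.6:51235 - - [14/Jan/2026:10:00:03 +0000] "GET /mifs/c/appstore/fob/app.ipa HTTP/1.1" 200 1234
10.0.0.7:51236 - - [14/Jan/2026:10:00:04 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 0
10.0.0.8:51237 - - [14/Jan/2026:10:00:05 +0000] "GET /mifs/c/appstore/fob/404report.pdf HTTP/1.1" 200 512
"""


def ivanti_hits(lines: List[str]) -> List[str]:
    """Return the lines Ivanti's regex flags, exactly as `grep -E` would."""
    return [line for line in lines if IVANTI_REGEX.search(line)]


def strict_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed records for non-loopback requests to the vulnerable
    endpoints whose status *field* is 404, ignoring a "404" elsewhere."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: surface these separately in real triage
        rec = m.groupdict()
        if rec["client"] == LOOPBACK:
            continue
        if rec["status"] != "404":
            continue
        if not TARGET_PATH.match(rec["path"]):
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("Ivanti regex flagged:")
    for line in ivanti_hits(lines):
        print("  ", line)
    print("Field-aware check flagged:")
    for rec in strict_hits(lines):
        print("  ", rec["client"], rec["method"], rec["path"], rec["status"])
```

On the sample data the published regex flags two lines: the genuine external 404 against /mifs/c/aftstore/fob/ and the 200 whose path contains "404", because the trailing `.*?404` is not anchored to the status column. The field-aware check keeps only the first. Either way, treat a hit as a trigger for the restore-from-backup guidance that follows, not as proof of compromise on its own, and remember that on a compromised appliance the local log may already have been edited.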
Nevertheless, Ivanti warns that after a tool is compromised, attackers can modify or delete logs to cover their exercise. If off-device logs can be found, these ought to be reviewed as a substitute.
If a tool is suspected of being compromised, Ivanti doesn’t advocate that admins clear the system.
As a substitute, clients ought to restore EPMM from a known-good backup taken earlier than exploitation occurred or rebuild the equipment and migrate knowledge to a substitute system.
After restoring programs, Ivanity suggests performing these actions:
Whereas the vulnerabilities have an effect on solely Ivanti Endpoint Supervisor Cell (EPMM), the corporate recommends reviewing Sentry logs as properly.
“Whereas EPMM might be restricted to a DMZ with little to no entry to the remainder of a company community, Sentry is particularly meant to tunnel particular varieties of site visitors from cellular gadgets to inner community property,” reads Ivanti’s evaluation steering for CVE-2026-1281 & CVE-2026-1340.
“If you observed that your EPMM equipment is impacted, we advocate you evaluate the programs that Sentry can entry for potential recon or lateral motion.”
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added CVE-2026-1281 to its Recognized Exploited Vulnerabilities (KEV) catalog, confirming that the flaw is being actively exploited.
Federal civilian companies have been given till February 1, 2026, to use vendor mitigations or discontinue use of weak programs underneath Binding Operational Directive 22-01.
It’s unclear why CISA didn’t add each vulnerabilities to the KEV, and BleepingComputer contacted Ivanti to substantiate that each had been exploited.
In September, CISA printed an evaluation of malware kits deployed in assaults exploiting two different Ivanti Endpoint Supervisor Cell (EPMM) zero-days. These flaws had been mounted in Could 2025, however had been beforehand exploited in zero-day assaults as properly.




