
CVE-2026-1281 & CVE-2026-1340: Ivanti EPMM Zero-Day Vulnerabilities

  • DTG Threat Management Team

Pegasos24/7 Threat Labs Advisory

Classification: Threat Advisory

Threat Level: Critical

Date Issued: 30 January 2026

Distribution: Security Operations Centers (SOC), Virtualization Teams, Infrastructure Teams, Cloud Operations


Executive Summary

CVE-2026-1281 and CVE-2026-1340 are critical (CVSS 9.8) zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) that have been actively exploited in the wild. Both flaws allow unauthenticated remote code execution, placing them among the most severe vulnerability classes.

One of the vulnerabilities has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, significantly increasing the urgency for remediation, particularly across U.S. federal environments.

These vulnerabilities enable attackers to compromise exposed EPMM appliances without valid credentials, potentially granting full control over systems that manage and store sensitive mobile device and enterprise configuration data.

The Vulnerability

CVE-2026-1281 and CVE-2026-1340 are code injection vulnerabilities within Ivanti EPMM that permit attackers to execute arbitrary commands remotely and without authentication. The issues stem from improper input handling in the In-House Application Distribution and Android File Transfer Configuration features of EPMM. Successful exploitation results in direct code execution on the appliance itself, creating a high-risk scenario given EPMM’s privileged role within enterprise environments.

The vulnerabilities affect multiple supported versions of Ivanti EPMM, including versions 12.5.x, 12.6.x, and 12.7.x. Ivanti has released RPM-based interim patches for affected versions; however, these patches do not persist through version upgrades and must be reapplied if the appliance is updated. A permanent fix is expected with the release of EPMM version 12.8.0.0, scheduled for later in Q1 2026.

The exploitation is trivial and doesn’t require credentials, making any internet-facing EPMM instance a high-priority target. The impact is severe, potentially leading to the compromise of an organization’s entire mobile device fleet and internal directory services.

CVE ID: CVE-2026-1281

Companion CVE: CVE-2026-1340

Nickname: none assigned

Attack Vector: Mobile

CVSS v3.1 Score: 9.8 (Critical)

CVSS v4.0 Score: 9.8 (Critical)

Attack Complexity: Low

CWE: CWE-94 (Improper Control of Generation of Code, i.e. code injection)

Vulnerable Component: Code injection flaws in EPMM's web application layer

Exploit Availability: Public PoCs (3+ repositories)

Exploitation Status: Exploited in a limited number of customer environments before public disclosure

Vendor Advisory: January 2026 EPMM Security Update (Ivanti.com)

Technical Details

  • CVE-2026-1281 and CVE-2026-1340 allow attackers to exploit EPMM through HTTP GET requests containing malicious bash commands as parameters. The attack targets specific endpoints:

    • /mifs/c/aftstore/fob/ (Android File Transfer)

    • /mifs/c/appstore/fob/ (Application Store)

Affected Software and Versions

  • Ivanti Endpoint Manager Mobile (EPMM):

    • 12.5.1.0 and prior

    • 12.6.1.0 and prior

    • 12.7.0.0 and prior

Threat Intelligence

Threat Actors

  • Actor: None identified. Attribution, targets, payload, and status have not been recorded for this activity.

Victimology & Targeting

  • Enterprises and large companies in sectors like technology, finance, manufacturing, retail, and logistics use EPMM to enforce security policies, push apps, and manage thousands of iOS, Android, Windows, and macOS devices.

  • Government and public sector bodies deploy Ivanti’s UEM/endpoint tools (including EPMM and related products) to secure employee devices and access to internal systems.

  • Healthcare organizations use Ivanti endpoint management tools for securing clinical staff devices and accessing electronic records and mobile apps.

  • Service providers and IT outsourcers use Ivanti EPMM and Neurons to manage customer device fleets as part of their managed services offerings.


MITRE ATT&CK Alignment

  • T1190 Exploit Public-Facing Application: Adversary sends crafted HTTP requests to vulnerable EPMM web endpoints to gain unauthenticated remote code execution on the appliance.

  • T1059 Command and Scripting Interpreter: Code injection leads to execution of system commands or scripts (often via bash) on the underlying Linux OS.

  • T1505.003 Server Software Component: Attackers may deploy a web shell or long-lived reverse shell on the EPMM server to maintain access across sessions.

  • T1068 Abuse of System Services / Local Privilege Escalation: Once code is running as a service account/root on the appliance, the attacker leverages that context for broader control.

  • T1027, T1071 Obfuscated/Encrypted Communication: Use of encoded payloads and HTTPS-based C2 to blend exploit and follow-on traffic with normal management traffic.

  • T1552, T1555 Unsecured Credentials, Credentials from Web Service / Application: Extraction of stored admin credentials, LDAP/AD service accounts, API tokens, and device-related secrets from EPMM.

  • T1046, T1087 Network Service Scanning, Account Discovery: Enumeration of internal systems reachable from EPMM and discovery of additional user/admin accounts to target.

  • T1213 Data from Information Repositories: Querying EPMM's databases for device inventories, user identifiers, app lists, and other managed-device data.

  • T1071.001 Application Layer Protocol: Web Protocols: C2 channels (web shell, reverse shell, or custom agent) operate over HTTP/HTTPS from the appliance.

  • T1567, T1041 Exfiltration Over Web Services / Encrypted Channel: Bulk export of configuration, inventory, and user data from EPMM to attacker-controlled servers over HTTPS.


Exploitation Indicators & IOCs

Organizations should immediately search Apache access logs for exploitation attempts:

Primary Detection Pattern

  • 404 responses to the vulnerable endpoints from external IPs. The vendor pattern relies on a negative lookahead and \d, which are PCRE features, so grep must be run in -P mode (the -E/ERE mode does not support the lookahead):

    grep -P '^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404' /var/log/httpd/https-access_log

Key Indicators

  • Multiple 404 responses from the same source IP targeting EPMM endpoints

  • GET requests with bash commands in URL parameters (curl, wget, nc, bash, sh)

  • Unusual 200 responses to these endpoints if you don't use these features

  • Suspicious source IPs from known malicious infrastructure

Post-Exploitation Indicators

  • Unauthorized administrator accounts in EPMM

  • Unexpected database queries against mifs_ldap_server_config, mifs_ldap_users, or mi_user tables

  • Unusual file creation in /tmp/ directory

  • Suspicious outbound connections from EPMM servers

Limitations on Atomic Indicators

  • Due to the small number of known-impacted customers, Ivanti does not have enough information about the threat actor tactics to provide proven, reliable atomic indicators. This document will focus on more generic information about detecting attempted exploitation instead of reconnaissance or post-exploitation activities.


Threat Landscape and Observed Exploitation

  • No other Ivanti products are affected by the exploited zero-day vulnerabilities, and the company has published generic information on detecting exploitation attempts.

  • “Due to the small number of known-impacted customers, Ivanti does not have enough information about the threat actor tactics to provide proven, reliable atomic indicators,” the company notes. Based on the exploitation of previous EPMM bugs, Ivanti says, two common methods of persistence have surfaced: the deployment of web shell capabilities targeting HTTP error pages, and the deployment of reverse shells.

  • Exploitation attempts using these techniques can be identified either through unexpected WAR or JAR files on the system, or through firewall log entries for outbound network connections initiated by the appliance. “Based on Ivanti’s analysis of threat actor toolkits targeting older vulnerabilities on the Ivanti appliance, analysts should assume that the threat actor techniques will likely include the clearing of logs or removal of specific log entries,” the company notes.

  • Ivanti warns that, in addition to compromising the environment and accessing the sensitive information available on EPMM’s MIFS portal, attackers could make changes to the EPMM configuration to add new admin accounts, modify authentication policies, push new apps to devices, and modify network configurations.

  • “Please note that this is general guidance and Ivanti has not observed or received any indication that such changes have been made to a customer’s EPMM appliance maliciously,” Ivanti notes.
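The two persistence signals Ivanti describes above (unexpected WAR or JAR files on the appliance, and outbound connections initiated by the appliance that show up in firewall logs) can be checked with a baseline comparison. The following Python script is an added example written for this advisory, not code from DTG or Ivanti. The key=value firewall log layout, the appliance address 10.20.0.15, the allow-list of expected destinations, and the file paths in the listings are all constructed placeholders; the real values come from the organisation's own records.

```python
import re
from collections import Counter

# Constructed firewall export (not real telemetry). The key=value layout is an
# assumption standing in for whatever the perimeter firewall actually emits;
# only the src, dst, dport and action fields are read. 10.20.0.15 is the
# hypothetical EPMM appliance and 10.20.0.8 its hypothetical LDAP server.
SAMPLE_FW_LOG = """\
ts=2026-01-29T10:09:01Z action=allow proto=tcp src=10.20.0.15 dst=10.20.0.8 dport=636
ts=2026-01-29T10:09:05Z action=allow proto=tcp src=10.20.0.15 dst=198.51.100.20 dport=443
ts=2026-01-29T10:09:40Z action=allow proto=tcp src=10.20.0.15 dst=203.0.113.77 dport=4444
ts=2026-01-29T10:09:41Z action=allow proto=tcp src=10.20.0.15 dst=203.0.113.77 dport=4444
ts=2026-01-29T10:10:02Z action=deny proto=tcp src=10.20.0.15 dst=203.0.113.77 dport=443
ts=2026-01-29T10:10:30Z action=allow proto=tcp src=10.20.0.99 dst=203.0.113.77 dport=443
""".splitlines()

# Hypothetical baseline of destinations the appliance is expected to reach:
# LDAPS to the directory server and HTTPS to an outbound proxy. In practice this
# list comes from the organisation's change records, not from a vendor.
ALLOWED_DESTINATIONS = {("10.20.0.8", 636), ("198.51.100.20", 443)}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_fw(line):
    """Turn one key=value log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def unexpected_outbound(lines, appliance_ips, allowed):
    """Count flows initiated by the appliance whose (dst, dport) is outside the
    baseline, keyed by destination, port and firewall action. Denied flows are
    kept on purpose: a blocked connection attempt is still evidence that some
    process on the appliance tried to call out."""
    hits = Counter()
    for line in lines:
        fields = parse_fw(line)
        if fields.get("src") not in appliance_ips:
            continue
        dest = (fields.get("dst"), int(fields.get("dport", 0)))
        if dest in allowed:
            continue
        hits[(dest[0], dest[1], fields.get("action"))] += 1
    return dict(hits)


WEBAPP_ARCHIVE = re.compile(r"\.(war|jar)$", re.IGNORECASE)

# Constructed file listings; the paths are placeholders, not EPMM's real layout.
BASELINE_LISTING = [
    "/opt/app/webapps/mifs.war",
    "/opt/app/lib/core.jar",
    "/var/log/httpd/https-access_log",
]
CURRENT_LISTING = BASELINE_LISTING + ["/tmp/updater.jar", "/tmp/session.log"]


def unexpected_archives(current_listing, baseline_listing):
    """Return .war/.jar paths present now that a known-good listing did not contain."""
    baseline = set(baseline_listing)
    return sorted(
        path for path in current_listing
        if WEBAPP_ARCHIVE.search(path) and path not in baseline
    )


if __name__ == "__main__":
    for (dst, port, action), count in unexpected_outbound(
        SAMPLE_FW_LOG, {"10.20.0.15"}, ALLOWED_DESTINATIONS
    ).items():
        print(f"appliance -> {dst}:{port} ({action}) x{count}")
    for path in unexpected_archives(CURRENT_LISTING, BASELINE_LISTING):
        print(f"new web archive: {path}")
```

Because Ivanti expects log clearing on the appliance itself, both checks deliberately use evidence held off the box: the firewall's own records and a file listing captured before the incident.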


Threat Hunting

  • The following vendor-supplied regular expression can be used to search the HTTP daemon's log files for evidence of potential exploitation of CVE-2026-1281 and CVE-2026-1340:

    ^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404

Detection and Forensics

  • Given the lack of detailed indicators, detection currently relies on log analysis and configuration review. Ivanti advises customers to inspect Apache access logs located at /var/log/httpd/https-access_log for suspicious requests targeting vulnerable endpoints. Requests that return HTTP 404 responses, rather than the expected 200 responses associated with legitimate use, may indicate attempted or successful exploitation. Ivanti has provided a regular expression to assist with identifying such entries and recommends correlating findings with timestamps and source IP addresses.

  • Beyond log analysis, organizations are encouraged to review EPMM administrative accounts for unauthorized changes, examine authentication configurations such as LDAP and SSO, and scrutinize newly created or modified device policies and pushed applications. Unexpected network or VPN configuration changes distributed through EPMM should also be treated as potential indicators of compromise.
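To turn the key indicators from the Exploitation Indicators section and the vendor regex above into a repeatable hunt over /var/log/httpd/https-access_log, the following Python script is an added example; it is not part of this advisory or of Ivanti's guidance. It applies the vendor pattern unchanged, then parses each line field by field and groups requests to the two vulnerable paths by source IP, flagging repeated 404s, the listed command names in percent-decoded query parameters, and 200 responses when the features are not in use. The access-log layout (client IP and port at the start of each line), the sample lines, and the threshold of two 404s are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Vendor-supplied hunting regex quoted in the advisory. The negative lookahead
# skips requests logged from the loopback address; Python's re module supports
# it natively (GNU grep needs -P for the same pattern).
VENDOR_PATTERN = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# The two vulnerable paths named in the advisory.
FOB_PATHS = ("/mifs/c/aftstore/fob/", "/mifs/c/appstore/fob/")

# Command names the advisory lists as typical of payloads in URL parameters,
# matched as whole words after percent-decoding.
TOKEN_RE = re.compile(r"\b(curl|wget|nc|bash|sh)\b")

# Field parser for the access-log shape the vendor regex expects: the line
# starts with "client_ip:client_port" and continues in combined-log form.
# That layout is an assumption made for the constructed sample below.
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ \S+ \S+ \[(?P<ts>[^\]]+)\] "
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real telemetry); 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
127.0.0.1:45210 - - [29/Jan/2026:10:01:12 +0000] "GET /mifs/c/aftstore/fob/ HTTP/1.1" 404 196 "-" "internal-check"
203.0.113.5:51234 - - [29/Jan/2026:10:05:44 +0000] "GET /mifs/c/aftstore/fob/?file=wget%20x HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5:51240 - - [29/Jan/2026:10:05:45 +0000] "GET /mifs/c/appstore/fob/?file=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7:40022 - - [29/Jan/2026:10:07:01 +0000] "GET /mifs/c/appstore/fob/item HTTP/1.1" 200 512 "-" "MobileIron/12"
192.0.2.10:33000 - - [29/Jan/2026:10:08:10 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()


def vendor_hits(lines):
    """Lines the vendor regex flags: non-loopback requests to a fob path that ended in 404."""
    return [line for line in lines if VENDOR_PATTERN.search(line)]


def hunt(lines, features_in_use=True, repeat_threshold=2):
    """Group requests to the vulnerable endpoints by source IP and attach the
    advisory's key indicators: repeated 404s, command tokens in the query
    string, and 200 responses where the features are not legitimately used.
    Unlike the bare regex, the status is read from its own field, so a byte
    count or timestamp that happens to contain "404" cannot produce a hit."""
    per_ip = defaultdict(lambda: {"404": 0, "200": 0, "tokens": set(), "flags": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["src"] == "127.0.0.1":
            continue  # unparsable, or the local traffic the vendor pattern also skips
        url = urlsplit(m["target"])
        if not url.path.startswith(FOB_PATHS):
            continue
        rec = per_ip[m["src"]]
        if m["status"] in ("404", "200"):
            rec[m["status"]] += 1
        # Decode before matching so percent-encoded parameters are inspected.
        rec["tokens"].update(TOKEN_RE.findall(unquote(url.query)))
    for rec in per_ip.values():
        if rec["404"] >= repeat_threshold:
            rec["flags"].add("repeated_404")
        if rec["tokens"]:
            rec["flags"].add("command_token")
        if rec["200"] and not features_in_use:
            rec["flags"].add("unexpected_200")
    # Report only sources that tripped at least one indicator.
    return {ip: rec for ip, rec in per_ip.items() if rec["flags"]}


if __name__ == "__main__":
    print(f"vendor regex hits: {len(vendor_hits(SAMPLE_LOG))}")
    for ip, rec in hunt(SAMPLE_LOG, features_in_use=False).items():
        print(ip, sorted(rec["flags"]), sorted(rec["tokens"]))
```

Run it against the real access log by replacing SAMPLE_LOG with the file's lines, and set features_in_use to False only if the In-House Application Distribution and Android File Transfer features are genuinely unused, since otherwise legitimate 200 responses will be reported. As the advisory notes, the source IP and timestamp of every flagged request are the values to correlate with firewall and SIEM data.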


Mitigation and Response Actions

Apply EPMM patch now, upgrade later

  1. Threat actors frequently leverage both zero-day and known vulnerabilities in Ivanti EPMM.

  2. All Ivanti customers with on-prem EPMM installations should install the provided patch (an RPM script) quickly; it requires no downtime and does not negatively affect any feature.

  3. After the RPM script has been applied to an appliance, upgrading to a new version will require reinstalling the RPM. The permanent fix for this vulnerability will be included in the next product release, 12.8.0.0.

  4. All EPMM customers should adopt version 12.8.0.0 once it is released later in Q1 2026. Once upgraded to 12.8.0.0, there is no need to reapply the RPM script.

  5. If enterprise defenders find evidence that points to compromise, Ivanti advises either restoring the appliance from a "known good" backup or building a replacement EPMM and then migrating data to it.

  6. CISA has given US federal civilian agencies until February 1 to apply mitigations.


DTG Recommendations

Immediate Actions

  • Apply security patches - Check Ivanti's advisory and patch immediately

  • Search access logs - Use the regex above to identify exploitation attempts in SIEM/log aggregator

  • Isolate unpatched systems - Remove from internet if patching cannot be done immediately

  • Enable off-box log forwarding - Configure real-time Apache log forwarding to the SIEM

  • Rotate credentials - Change all administrative passwords and service account credentials

Detection and Monitoring

  • Implement automated monitoring for the detection regex pattern

  • Deploy alerts for GET requests with bash commands in parameters

  • Enable comprehensive logging with real-time off-box forwarding

  • Establish 24/7 monitoring for EPMM platforms

  • Verify log integrity monitoring to detect tampering

Risk Assessment

  • Identify all EPMM deployments, including forgotten or shadow IT instances

  • Determine which instances are internet-accessible

  • Evaluate cloud integration and identify stored access tokens

  • Review network segmentation and implement stricter controls

Response Planning

  • Develop incident response procedures for EPMM compromise scenarios

  • Establish communication channels for escalation

  • Plan for complete server rebuild if compromise is detected

  • Coordinate with Ivanti support for incident response assistance


Call to Action and References

Call to Action

DTG’s Incident Response and Threat Management teams continue tracking this activity across monitored customer environments. Clients using DTG Wirespeed or Pegasos platforms can request an immediate authentication telemetry review or targeted compromise assessment through standard DTG support channels.

Don’t wait for an attack - reach out to DTG today to ensure your organization is protected at 877-384-7722.

References

  1. SOCRadar.io, "CVE-2026-1281 & CVE-2026-1340: Ivanti EPMM Zero-Day Vulnerabilities Enable Unauthenticated RCE", https://socradar.io/blog/cve-2026-1281-1340-ivanti-epmm-0day-rce/

  2. Abstract Security, "Critical Ivanti EPMM Vulnerabilities: CVE-2026-1281 & CVE-2026-1340", https://www.abstract.security/blog/critical-ivanti-epmm-vulnerabilities-cve-2026-1281-cve-2026-1340

  3. SecurityWeek, "Ivanti Patches Exploited EPMM Zero-Days", https://www.securityweek.com/ivanti-patches-exploited-epmm-zero-days/

  4. BleepingComputer, "Ivanti warns of two EPMM flaws exploited in zero-day attacks", https://www.bleepingcomputer.com/news/security/ivanti-warns-of-two-epmm-flaws-exploited-in-zero-day-attacks/

  5. Ivanti, "Analysis Guidance Ivanti Endpoint Manager Mobile (EPMM) CVE-2026-1281 & CVE-2026-1340", https://forums.ivanti.com/s/article/Analysis-Guidance-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US

  6. Help Net Security, "Ivanti provides temporary patches for actively exploited EPMM zero-day (CVE-2026-1281)", https://www.helpnetsecurity.com/2026/01/30/ivanti-epmm-cve-2026-1281-cve-2026-1340/

  7. runZero, "How to find Ivanti Endpoint Manager Mobile (EPMM) instances on your network", https://www.runzero.com/blog/ivanti-epmm/

  8. Integrity360, "Ivanti EPMM Zero-Day Vulnerabilities (CVE-2026-1281, CVE-2026-1340)", https://insights.integrity360.com/threat-advisories/ivanti-epmm-zero-day-vulnerabilities-cve-2026-1281-cve-2026-1340

  9. Rapid7, "Critical Ivanti Endpoint Manager Mobile (EPMM) zero-day exploited in the wild (CVE-2026-1281 & CVE-2026-1340)", https://www.rapid7.com/blog/post/etr-critical-ivanti-endpoint-manager-mobile-epmm-zero-day-exploited-in-the-wild-eitw-cve-2026-1281-1340/

  10. Expel, "Security alert: Critical unauthenticated RCE vulnerabilities in Ivanti EPMM", https://expel.com/blog/security-alert-critical-unauthenticated-rce-vulnerabilities-in-ivanti-epmm/

  11. Ivanti, "Ivanti Endpoint Manager Mobile overview", https://help.ivanti.com/mi/help/en_US/core/11.x/gsg/CoreGettingStarted/Core_overview

  12. watchTowr, "Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340)", https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/

  13. Tenable, "CVE-2026-1281, CVE-2026-1340: Ivanti Endpoint Manager Mobile (EPMM) Zero-Day Vulnerabilities Exploited", https://www.tenable.com/blog/cve-2026-1281-cve-2026-1340-ivanti-endpoint-manager-mobile-epmm-zero-day-vulnerabilities

  14. Ivanti, "January 2026 EPMM Security Update", https://www.ivanti.com/blog/january-2026-epmm-security-update

  15. The Hacker News, "Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released", https://thehackernews.com/2026/01/two-ivanti-epmm-zero-day-rce-flaws.html

  16. Cyber Press, "Critical Ivanti Endpoint Manager Flaw Enables Remote Code Execution Attacks", https://cyberpress.org/ivanti-endpoint-manager-flaw/

  17. NIST, "CVE-2026-1281 Detail", https://nvd.nist.gov/vuln/detail/CVE-2026-1281

  18. NIST, "CVE-2026-1340 Detail", https://nvd.nist.gov/vuln/detail/CVE-2026-1340

  19. CVE Details, "CVE-2026-1281", https://www.cvedetails.com/cve/CVE-2026-1281/

  20. CVE Details, "CVE-2026-1340", https://www.cvedetails.com/cve/CVE-2026-1340/

  21. MITRE ATT&CK, "Technique Reference", https://attack.mitre.org/
