
Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released

Severity: Critical
Tags: exploit, mobile, rce
Published: Fri Jan 30 2026 (01/30/2026, 04:43:00 UTC)
Source: The Hacker News

Description

Ivanti has rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks, one of which has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog. The critical-severity vulnerabilities are listed below - CVE-2026-1281 (CVSS score:

AI-Powered Analysis

Last updated: 01/30/2026, 04:57:11 UTC

Technical Analysis

Ivanti Endpoint Manager Mobile (EPMM), a widely used mobile device management (MDM) solution, has two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) that enable unauthenticated remote code execution via code injection. Both affect EPMM versions 12.7.0.0 and earlier, with permanent fixes planned for version 12.8.0.0. The flaws lie in the In-House Application Distribution and Android File Transfer Configuration features and allow an attacker to execute arbitrary code on the EPMM appliance without authentication. Successful exploitation can lead to the deployment of web shells or reverse shells, giving persistent access and a foothold for lateral movement within the managed environment. The appliance holds sensitive information about managed devices, increasing the risk of data exposure and further compromise. Ivanti has released patches that must be reapplied after version upgrades, which complicates remediation. Indicators of exploitation include 404 HTTP response codes in Apache access logs for specific URL patterns, and unauthorized changes to administrator accounts, authentication settings, pushed applications, policies, and network configurations. Ivanti recommends thorough log review, configuration audits, and, if compromise is detected, restoring from clean backups or rebuilding the appliance. Post-incident, resetting all relevant passwords and certificates is critical to prevent re-exploitation. The U.S. CISA has added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog, underscoring the severity and active exploitation status. These vulnerabilities pose a significant risk to organizations relying on Ivanti EPMM for mobile device management, especially those with large-scale deployments and sensitive data.

Potential Impact

For European organizations, the exploitation of these vulnerabilities could lead to complete compromise of the EPMM appliance, granting attackers the ability to execute arbitrary code and gain persistent access. This jeopardizes the confidentiality and integrity of sensitive device management data, including device configurations, authentication credentials, and network policies. Attackers could leverage this foothold to move laterally within corporate networks, potentially accessing critical infrastructure and sensitive information. The disruption or manipulation of mobile device management could impair operational continuity, especially for organizations heavily reliant on mobile endpoints for business functions. Given the critical nature of these vulnerabilities and the active exploitation reported, European entities face heightened risk of data breaches, espionage, and operational disruption. The need for rapid patching and monitoring is paramount to prevent widespread impact. Additionally, the requirement to reapply patches after upgrades increases the risk of incomplete remediation, potentially leaving systems vulnerable. Organizations in sectors such as finance, healthcare, government, and telecommunications, which often use Ivanti EPMM for device management, are particularly at risk.

Mitigation Recommendations

1. Immediately apply the latest Ivanti patches addressing CVE-2026-1281 and CVE-2026-1340, and reapply them after any version upgrade until version 12.8.0.0 is deployed.
2. Monitor Apache access logs (/var/log/httpd/https-access_log) for 404 HTTP response codes on requests matching the regex pattern ^(?!127\.0\.0\.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.* to detect exploitation attempts.
3. Conduct thorough audits of EPMM configurations, including administrator accounts, authentication settings (SSO, LDAP), pushed applications, policies, and network/VPN configurations, to identify unauthorized changes.
4. In case of suspected compromise, restore the EPMM appliance from a known clean backup or rebuild the appliance and migrate data carefully.
5. Reset all local EPMM account passwords and LDAP/KDC service account credentials, and revoke and replace the public certificates used by EPMM to prevent re-exploitation.
6. Implement network segmentation to limit access to the EPMM appliance and restrict administrative interfaces to trusted networks.
7. Enhance monitoring and alerting for unusual EPMM-related activity, including unexpected configuration changes or network connections.
8. Educate IT and security teams on the specific indicators of compromise and ensure incident response plans include steps for EPMM-related incidents.
9. Coordinate with Ivanti support for guidance on patch management and incident handling.
10. Review and harden mobile device management policies to minimize attack surface and exposure.
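Step 2 describes the log-based indicator. The following is an added example, not code from the page or from Ivanti, that applies the advisory's regex to constructed Apache access-log lines and keeps only the requests the appliance answered with 404, then aggregates them per source IP for triage. The client:port field order of the log lines is an assumption about the log layout; the page does not state it.

```python
import re

# Regex quoted in the advisory on this page: the negative lookahead discards
# loopback requests (127.0.0.1:<port>); the rest matches the URL paths of the
# affected In-House Application Distribution / Android File Transfer features.
IOC_PATTERN = re.compile(r'^(?!127\.0\.0\.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*')

# Assumed log layout (an assumption for this example, not from Ivanti docs):
#   client:port - - [timestamp] "METHOD path HTTP/x.y" status bytes
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7:51234 - - [29/Jan/2026:10:15:01 +0000] "POST /mifs/c/appstore/fob/upload HTTP/1.1" 404 196
127.0.0.1:40211 - - [29/Jan/2026:10:15:02 +0000] "GET /mifs/c/aftstore/fob/status HTTP/1.1" 404 196
198.51.100.9:44010 - - [29/Jan/2026:10:15:03 +0000] "GET /mifs/c/aftstore/fob/list HTTP/1.1" 404 196
203.0.113.7:51240 - - [29/Jan/2026:10:15:04 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120
203.0.113.7:51241 - - [29/Jan/2026:10:15:05 +0000] "GET /mifs/c/appstore/fob/x HTTP/1.1" 200 312
"""

def scan_access_log(lines):
    """Return (line_no, client, method, path) for each non-loopback request to a
    suspect path that the appliance answered with HTTP 404 (the page's indicator)."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        if not IOC_PATTERN.match(line):
            continue                      # other path, or loopback traffic
        req = REQUEST_RE.search(line)
        if req is None or req.group('status') != '404':
            continue                      # served normally: not the indicator
        client = line.split(' ', 1)[0]    # leading "client:port" field
        hits.append((line_no, client, req.group('method'), req.group('path')))
    return hits

def clients_by_hit_count(hits):
    """Aggregate hits per source IP (ephemeral port dropped) for triage ordering."""
    counts = {}
    for _, client, _, _ in hits:
        ip = client.rsplit(':', 1)[0]
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG.splitlines())
    for line_no, client, method, path in found:
        print(f"line {line_no}: {client} {method} {path} -> 404")
    for ip, n in clients_by_hit_count(found):
        print(f"{ip}: {n} suspect 404(s)")
```

A 200 response on the same path is deliberately not reported, matching the advisory's indicator; widen the status check only if your own baseline of the appliance's normal responses justifies it.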


Technical Details

Article Source: https://thehackernews.com/2026/01/two-ivanti-epmm-zero-day-rce-flaws.html (fetched 2026-01-30T04:56:54Z, 1173 words)

Threat ID: 697c3a16ac0632022228de5d

Added to database: 1/30/2026, 4:56:54 AM

Last enriched: 1/30/2026, 4:57:11 AM

Last updated: 2/3/2026, 7:38:25 AM
