Ivanti provides temporary patches for actively exploited EPMM zero-day (CVE-2026-1281)

Ivanti has released provisional patches that fix two critical code injection vulnerabilities in Endpoint Manager Mobile (EPMM), one of which (CVE-2026-1281) has been exploited in zero-day attacks and has been added to CISA’s Known Exploited Vulnerabilities catalog.

Ivanti EPMM CVE-2026-1281

Investigating potential compromise

Both CVE-2026-1281 and CVE-2026-1340 are code injection flaws affecting EPMM’s In-House Application Distribution and Android File Transfer Configuration features. They may allow unauthenticated attackers to achieve remote code execution (RCE) on vulnerable on-premises EPMM installations.

The vulnerabilities don’t affect the cloud-hosted Ivanti Neurons for Mobile Device Management (MDM), Ivanti Endpoint Manager (EPM), the Ivanti Sentry secure mobile gateway, or any other Ivanti products.

“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti stated in the security advisory released on Thursday, and said that they do not have enough information about the threat actor tactics “to provide proven, reliable atomic indicators [of compromise].”

But they say that specific entries in the Apache HTTPD access log can point to successful exploitation of one or both vulnerabilities, provided the attackers haven't tampered with the appliance logs or the appliance has been configured to forward its logs to a SIEM solution.

The company also advised organizations to look for web shells and reverse shells.

“Ivanti has commonly seen these changes target HTTP error pages, such as 401.jsp. Any requests to these pages with POST methods or with parameters should be considered highly suspicious. Analysts who are performing forensic inspection of the disk should also review for unexpected WAR or JAR files being introduced to the system,” the company explained.
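As an added example (not code from Ivanti's advisory or from this article), the following Python checker applies the rule quoted above to Apache access-log lines: it flags any POST to an error page such as 401.jsp, and any request to such a page that carries query parameters. The sample log lines are constructed, and the set of error-page names is an assumption kept as a parameter so analysts can widen it for their own appliance.

```python
import re

# One Apache common/combined access-log line, e.g. (constructed):
# 203.0.113.5 - - [16/Jan/2026:10:12:01 +0000] "POST /401.jsp HTTP/1.1" 200 512 "-" "curl/8.4"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# 401.jsp is the page Ivanti names; extend this set for other error pages (assumption).
DEFAULT_ERROR_PAGES = frozenset({"401.jsp"})


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry, error_pages=DEFAULT_ERROR_PAGES):
    """Ivanti's rule: a POST to an error page, or any request to it with parameters."""
    path, _, query = entry["target"].partition("?")
    if path.rsplit("/", 1)[-1] not in error_pages:
        return False
    return entry["method"] == "POST" or bool(query)


def flag_suspicious(lines, error_pages=DEFAULT_ERROR_PAGES):
    """Parse lines and return the entries matching the rule; unparseable lines are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry, error_pages):
            hits.append(entry)
    return hits


# Constructed sample log: lines 2, 3 and 6 should be flagged, line 5 is deliberately malformed.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Jan/2026:09:58:44 +0000] "GET /401.jsp HTTP/1.1" 401 233 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Jan/2026:10:12:01 +0000] "POST /401.jsp HTTP/1.1" 200 512 "-" "curl/8.4"',
    '203.0.113.5 - - [16/Jan/2026:10:12:09 +0000] "GET /401.jsp?a=1 HTTP/1.1" 200 87 "-" "curl/8.4"',
    '198.51.100.7 - - [16/Jan/2026:10:13:30 +0000] "GET /mifs/login.jsp?x=1 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
    '203.0.113.5 - - [16/Jan/2026:10:14:02 +0000] "POST /mifs/401.jsp?b=2 HTTP/1.1" 200 60 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]}')
```

Run it against an exported access log one line at a time; a plain GET of 401.jsp without parameters (the normal way a client reaches an error page) is not flagged, which keeps the rule's false-positive rate low.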

The presence of reverse shells may be discovered by reviewing firewall logs for long-running connections initiated by the appliance.

Ivanti says that if attackers achieved RCE on affected EPMM appliances, they had access to potentially sensitive information about managed devices and the ability to make configuration and network changes.

“For any appliance that you suspect may be impacted, we would recommend you review: EPMM administrators for new or recently changed administrators; authentication configuration, including SSO and LDAP settings; new pushed applications for mobile devices; configuration changes to applications you push to devices, including in-house applications; new or recently modified policies; and network configuration changes, including any network configuration or VPN configuration you push to mobile devices,” Ivanti told customers, but confirmed that there is no evidence of attackers having made any of these changes.

Finally, the company noted that customers who use Ivanti Sentry in conjunction with EPMM (meaning EPMM has access to Sentry and the ability to make changes to it) should check the systems reachable through Sentry for evidence of reconnaissance or lateral movement.

Apply EPMM patch now, upgrade later

Threat actors frequently exploit both zero-day and already-known vulnerabilities in Ivanti EPMM.

All Ivanti customers with on-prem EPMM installations should install the provided patch (an RPM script) quickly, as it doesn't require any downtime or negatively affect any feature.

“If after applying the RPM script to your appliance, you upgrade to a new version you will need to reinstall the RPM. The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0,” the company stressed.

“We strongly encourage all EPMM customers to adopt version 12.8.0.0 once it has been released later in Q1 2026. Once you have upgraded to 12.8.0.0, you will not need to reapply the RPM script.”

If enterprise defenders find evidence that points to compromise, Ivanti advises either restoring the appliance from a “known good” backup, or building a replacement EPMM and then migrating data to the device.

US federal civilian agencies have until February 1 to apply mitigations, CISA decided.
