
Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released

Ivanti has rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that were exploited in zero-day attacks, one of which has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog.

The critical-severity vulnerabilities are listed below –

  • CVE-2026-1281 (CVSS score: 9.8) – A code injection vulnerability allowing attackers to achieve unauthenticated remote code execution
  • CVE-2026-1340 (CVSS score: 9.8) – A code injection vulnerability allowing attackers to achieve unauthenticated remote code execution

They affect the following versions –

  • EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (Fixed in RPM 12.x.0.x)
  • EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (Fixed in RPM 12.x.1.x)

However, it bears noting that the RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities will be permanently addressed in EPMM version 12.8.0.0, which will be released later in Q1 2026.


“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti said in an advisory, adding it does not have “enough information about the threat actor tactics to provide confirmed, reliable atomic indicators.”

The company noted that CVE-2026-1281 and CVE-2026-1340 affect the In-House Application Distribution and the Android File Transfer Configuration features. These shortcomings do not affect other products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry.

In a technical analysis, Ivanti said it has typically seen two forms of persistence based on prior attacks targeting older vulnerabilities in EPMM. This includes deploying web shells and reverse shells to establish persistence on the compromised appliances.

“Successful exploitation of the EPMM appliance will enable arbitrary code execution on the appliance,” Ivanti noted. “Besides lateral movement to the connected environment, EPMM also contains sensitive information about devices managed by the appliance.”


Customers are advised to check the Apache access log at “/var/log/httpd/https-access_log” for indicators of attempted or successful exploitation using the regular expression (regex) pattern below –

^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404

“Legitimate use of these features will result in 200 HTTP response codes in the Apache Access Log, whereas successful or attempted exploitation will cause 404 HTTP response codes,” it explained.
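To show how that pattern behaves on real-looking log lines, here is an added hunting script that is not part of the Ivanti advisory or the article. It applies the published regex line by line to a constructed sample log; the Apache line layout (server:port, then client address) and the sample addresses are assumptions.

```python
import re
from typing import Optional

# Ivanti's published hunting regex, as quoted in the article: a non-localhost request
# to the in-house app store ("app") or Android File Transfer ("aft") endpoint that
# produced a 404 response.
HUNT_PATTERN = re.compile(
    r"^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404"
)

# Constructed sample lines (not from a real appliance). Assumed layout is the Apache
# vhost_combined style: "server:port client - - [time] \"request\" status bytes".
SAMPLE_LOG = """\
203.0.113.10:443 198.51.100.7 - - [21/Jan/2026:10:00:01 +0000] "POST /mifs/c/appstore/fob/x HTTP/1.1" 404 221
203.0.113.10:443 198.51.100.8 - - [21/Jan/2026:10:00:02 +0000] "GET /mifs/c/appstore/fob/y HTTP/1.1" 200 5120
127.0.0.1:443 127.0.0.1 - - [21/Jan/2026:10:00:03 +0000] "GET /mifs/c/aftstore/fob/z HTTP/1.1" 404 221
203.0.113.10:443 198.51.100.9 - - [21/Jan/2026:10:00:04 +0000] "GET /mifs/c/aftstore/fob/w HTTP/1.1" 404 221
203.0.113.10:443 198.51.100.9 - - [21/Jan/2026:10:00:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 221
"""

FEATURE_NAMES = {"app": "in-house app distribution", "aft": "android file transfer"}


def classify_line(line: str) -> Optional[dict]:
    """Return a hit record for a line matching the hunting pattern, else None."""
    m = HUNT_PATTERN.search(line)  # '^' anchors at the line start, so localhost lines are skipped
    if not m:
        return None
    fields = line.split()
    return {
        "feature": FEATURE_NAMES[m.group(1)],
        "client": fields[1] if len(fields) > 1 else "?",  # assumed second field = client IP
        "raw": line,
    }


def hunt(log_text: str) -> list:
    """Apply the pattern to each line (Apache logs one request per line)."""
    return [hit for hit in map(classify_line, log_text.splitlines()) if hit]


def summarize_by_client(hits: list) -> dict:
    """Count hits per source address so repeated probing stands out."""
    counts: dict = {}
    for hit in hits:
        counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for hit in found:
        print(f"[{hit['feature']}] from {hit['client']}: {hit['raw']}")
    print("per-client:", summarize_by_client(found))
```

Note that the trailing `.*?404` matches the digits 404 anywhere after the path, including inside a byte count, so treat hits as leads and confirm the status field before escalating.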

In addition, customers are being asked to review the following for any evidence of unauthorized configuration changes –

  • EPMM administrators for new or recently modified administrators
  • Authentication configuration, including SSO and LDAP settings
  • New push applications for mobile devices
  • Configuration changes to applications you push to devices, including in-house applications
  • New or recently modified policies
  • Network configuration changes, including any network configuration or VPN configuration you push to mobile devices

In the event indicators of compromise are detected, Ivanti is also urging users to restore the EPMM system from a known good backup or build a replacement EPMM and then migrate data to the system. Once those steps are carried out, it is essential to make the following changes to secure the environment –

  • Reset the password of any local EPMM accounts
  • Reset the password for the LDAP and/or KDC service accounts that perform lookups
  • Revoke and replace the public certificate used for your EPMM
  • Reset the password for any other internal or external service accounts configured with the EPMM solution

The development has prompted CISA to add CVE-2026-1281 to the KEV catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the updates by February 1, 2026.
