Unauthenticated RCE Flaws in Ivanti EPMM Under Active Exploitation

Ivanti has released patches to address two zero-day flaws affecting Ivanti Endpoint Manager Mobile (EPMM) that allow unauthenticated remote code execution (RCE). These flaws pose a severe risk to organizations running vulnerable on-prem EPMM versions, as exploitation requires no authentication or user interaction. Ivanti has confirmed that active exploitation occurred in a limited number of customer environments at the time of disclosure, underscoring the urgency of remediation.

Severity: Critical

Vulnerability Details

  • CVE IDs: CVE-2026-1281, CVE-2026-1340
  • CWE: CWE-94 (Improper Control of Code Generation)
  • CVSS Score: 9.8
  • Description: According to Ivanti’s analysis, the vulnerabilities stem from insufficient input validation in the In-House Application Distribution and Android File Transfer Configuration features within EPMM. Improper handling of attacker-supplied parameters allows command and code injection, leading directly to remote code execution on the appliance.
  • Affected Products: Ivanti EPMM – v12.5.0.0 and prior, v12.6.0.0 and prior, v12.7.0.0 and prior, v12.5.1.0 and prior, v12.6.1.0 and prior

Exploitation

Ivanti confirmed that real-world exploitation occurred in a limited number of customer environments at the time of disclosure. Successful exploitation grants attackers full command execution on the EPMM appliance, enabling:

  • Persistent access via web shells or reverse shells
  • Access to sensitive administrative and mobile device data
  • Configuration tampering via API or web console
  • Potential lateral movement through connected Ivanti Sentry infrastructure

Indicators Of Exploitation

  1. Review Apache access logs: successful or attempted exploitation will show 404 HTTP response codes, and GET requests containing bash commands or command-like parameters.
  2. POST requests to HTTP error pages (e.g., 401.jsp)
  3. Unexpected WAR or JAR files on disk
  4. Outbound network connections initiated by the EPMM appliance (unusual behavior)
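The log-based indicators above can be triaged automatically. The following is an added example (not from the Ivanti advisory or this advisory's authors) that parses Apache combined-format access log lines and flags the first two indicators: GET requests with command-like parameters (with a 404 response noted separately) and POST requests to HTTP error pages such as 401.jsp. The log layout, the command-like heuristic and the sample lines are assumptions; paths and addresses in the sample are constructed placeholders.

```python
import re
from urllib.parse import unquote
from typing import Dict, Iterable, List

# Prefix of the Apache combined/common log format: client, identd, user, timestamp,
# request line, status, bytes. Assumed layout; adjust if the appliance logs differ.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Shell-command-like content in a decoded query string: command separators,
# command substitution, or absolute binary paths. Heuristic only; tune to your traffic.
CMD_RE = re.compile(r';|\$\(|`|&&|\|\||/bin/')
# Direct requests to HTTP error pages such as 401.jsp.
ERROR_PAGE_RE = re.compile(r'^/\d{3}\.jsp$', re.I)

def classify(line: str) -> Dict[str, object]:
    """Return the indicators a single access-log line matches (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return {"ip": None, "reasons": ["unparsed line"]}
    method, target, status = m["method"], m["target"], m["status"]
    path, _, query = target.partition("?")
    reasons: List[str] = []
    if method == "GET" and CMD_RE.search(unquote(query)):
        reasons.append("GET with command-like parameters")
        if status == "404":
            reasons.append("404 response on command-like request")
    if method == "POST" and ERROR_PAGE_RE.match(path):
        reasons.append("POST to HTTP error page")
    return {"ip": m["ip"], "reasons": reasons}

def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Keep only lines that hit at least one indicator (or could not be parsed)."""
    hits = []
    for line in lines:
        result = classify(line)
        if result["reasons"]:
            hits.append(result)
    return hits

# Constructed sample lines (RFC 5737 addresses, placeholder paths), not real telemetry.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2026:10:15:01 +0000] "GET /portal/login?id=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2026:10:16:44 +0000] "GET /example/path?name=%24%28id%29 HTTP/1.1" 404 213',
    '198.51.100.7 - - [10/Jan/2026:10:17:02 +0000] "POST /401.jsp HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], "->", "; ".join(hit["reasons"]))
```

Run it against logs forwarded to your SIEM rather than the appliance's local copy, since on-device logs may be altered after compromise.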

Ivanti recommends using off-box SIEM logs, as on-device logs may be modified or deleted post-compromise.

Recommendations

  1. Apply version-specific RPM patches provided by Ivanti:
    • RPM 12.x.0.x for 12.5.0.x–12.7.0.x
    • RPM 12.x.1.x for 12.5.1.0–12.6.1.0
  2. Ensure EPMM is not directly internet-exposed where possible.
  3. Enable off-box logging to a SIEM.
  4. Monitor firewall logs for abnormal outbound connections.
  5. Ivanti strongly encourages all EPMM customers to adopt version 12.8.0.0 once it has been released later in Q1 2026.

Source:

  • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
  • https://forums.ivanti.com/s/article/Analysis-Guidance-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US

Ampcus Cyber