{"id":6781,"date":"2026-01-30T22:06:06","date_gmt":"2026-01-30T22:06:06","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6781"},"modified":"2026-01-30T22:06:06","modified_gmt":"2026-01-30T22:06:06","slug":"ivanti-patches-two-actively-exploited-critical-vulnerabilities-in-epmm","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6781","title":{"rendered":"Ivanti patches two actively exploited critical vulnerabilities in EPMM"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>IT software company Ivanti released patches for its Endpoint Manager Mobile (EPMM) product to fix two new remote code execution vulnerabilities already under attack in the wild.<\/p>\n<p>\u201cWe are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,\u201d the company said in <a href=\"https:\/\/forums.ivanti.com\/s\/article\/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US\">a security advisory<\/a> that identifies the new flaws as CVE-2026-1281 and CVE-2026-1340.<\/p>\n<p>Both issues are described by Ivanti as code injection issues that can be exploited without authentication and are rated 9.8 out of 10 on the CVSS severity scale. The flaws involve EPMM\u2019s In-House Application Distribution and Android File Transfer Configuration features.<\/p>\n<h2 class=\"wp-block-heading\">Stand-alone patches and exploit details available<\/h2>\n<p>Ivanti has not released new fully patched versions of EPMM, but rather version-specific stand-alone patches that need to be applied manually. 
The patches are packaged as RPM files and can be installed with the install rpm url [patch_url] command.<\/p>\n<p>The RPM_12.x.0.x patch is applicable to EPMM software versions 12.5.0.x, 12.6.0.x, and 12.7.0.x. It is also compatible with the older 12.3.0.x and 12.4.0.x versions. Meanwhile, the RPM_12.x.1.x patch is applicable to versions 12.5.1.0 and 12.6.1.0.<\/p>\n<p>\u201cThe RPM script does not survive a version upgrade,\u201d the company warns. \u201cIf after applying the RPM script to your appliance, you upgrade to a new version you will need to reinstall the RPM. The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0.\u201d<\/p>\n<p>While the Ivanti Sentry gateway product that secures traffic between mobile devices and back-end enterprise systems is not directly affected by these vulnerabilities, EPMM appliances do have command execution permission on Sentry gateways. As such, if an EPMM deployment has been compromised, the attackers might have compromised Ivanti Sentry as well.<\/p>\n<p>Researchers from penetration testing firm watchTowr reverse engineered the patches and were able to figure out where the vulnerabilities are located and how to exploit them. A <a href=\"https:\/\/labs.watchtowr.com\/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340\/\">detailed write-up<\/a> is available on the company\u2019s blog.<\/p>\n<h2 class=\"wp-block-heading\">Exploit detection and remediation<\/h2>\n<p>Ivanti published <a href=\"https:\/\/forums.ivanti.com\/s\/article\/Analysis-Guidance-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US\">a separate document<\/a> with guidance on how to scan EPMM appliances for potential compromise through these vulnerabilities. 
First off, the Apache access log found at \/var\/log\/httpd\/https-access_log may contain evidence of attempted or successful exploitation of these vulnerabilities.<\/p>\n<p>The company advises triaging logs with the ^(?!127.0.0.1:\\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404 regular expression and looking for HTTP 404 error response codes as well as GET requests with parameters that contain bash commands.<\/p>\n<p>\u201cThe most common is the introduction of, or modification of, malicious files to introduce web shell capabilities,\u201d the company said. \u201cIvanti has commonly seen these changes target HTTP error pages, such as 401.jsp. Any requests to these pages with POST methods or with parameters should be considered highly suspicious. Analysts who are performing forensic inspection of the disk should also review for unexpected WAR or JAR files being introduced to the system.\u201d<\/p>\n<p>One thing to note is that attackers regularly delete logs to hide their tracks and that on systems with high utilization the logs might be rotated multiple times a day. 
That\u2019s why customers are strongly advised to use the Data Export features to forward logs from the EPMM appliance to their SIEM system or other log aggregators.<\/p>\n<p>For any appliance that you suspect may be impacted, Ivanti recommends reviewing:<\/p>\n<ul>\n<li>EPMM administrators for new or recently changed administrators<\/li>\n<li>Authentication configuration, including SSO and LDAP settings<\/li>\n<li>New pushed applications for mobile devices<\/li>\n<li>Configuration changes to applications you push to devices, including in-house applications<\/li>\n<li>New or recently modified policies<\/li>\n<li>Network configuration changes, including any network configuration or VPN configuration you push to mobile devices<\/li>\n<\/ul>\n<p>After restoring a compromised EPMM appliance from clean backups, customers should reset the password of any local EPMM accounts, reset the password of any LDAP and\/or KDC service accounts used to perform lookups, revoke and replace the public certificate used on the EPMM deployment, and reset the password for any other internal or external service accounts configured on the EPMM solution.<\/p>\n<p>Because EPMM has command execution on Sentry and Sentry is a product that routes traffic from mobile devices to internal network systems, the systems that Sentry can access should also be reviewed for signs of compromise.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>IT software company Ivanti released patches for its Endpoint Manager Mobile (EPMM) product to fix two new remote code execution vulnerabilities already under attack in the wild. 
\u201cWe are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,\u201d the company said in a security advisory that [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6782,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6781","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6781"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6781"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6781\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6782"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}