January blues return as Ivanti coughs up exploited EPMM zero-days
Consider yourselves compromised, experts warn
by Connor Jones · The Register

Ivanti has patched two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product that are already being exploited, continuing a grim run of January security incidents for enterprise IT vendors.
In January 2025, tens of thousands were urged to patch a Fortinet zero-day, while Ivanti customers were doing the same. There has been little change this year as Fortinet patches multiple single sign-on (SSO) flaws and Ivanti ships fixes for yet another pair of zero-days.
Tracked as CVE-2026-1281 and CVE-2026-1340, both bugs affect Ivanti Endpoint Manager Mobile (EPMM). They're also both rated a near-maximum CVSS score of 9.8 and allow for unauthenticated remote code execution (RCE) – about as bad as it gets.
The security shop said in its advisory: "We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.
"This vulnerability does not impact any other Ivanti products, including any cloud products, such as Ivanti Neurons for MDM. Ivanti Endpoint Manager (EPM) is a different product and also not impacted by these vulnerabilities. Customers using an Ivanti cloud product with Sentry are also not impacted by this vulnerability."
These kinds of RCE bugs can lead to all sorts of nastiness. Lateral movement across a given organization's network, config changes, and attackers making themselves admin are all possible. The vendor warned that it could grant access to certain data too.
Ivanti said that the types of information available could include basic personal information about the EPMM admin and device user, as well as information about mobile devices such as phone numbers and GPS locations.
Those looking for indicators of compromise (IOCs) are out of luck. Ivanti doesn't have any reliable ones due to the small number of impacted customers it knows about.
It does, however, have a technical analysis page, which includes more general information about how to detect potential exploits.
The Apache access log is a good place to start for threat hunters. Specifically, they should be looking at the In-House Application Distribution and the Android File Transfer Configuration features. Legitimate traffic leads to 200 HTTP response codes while potential exploit activity may result in 404s.
"We recommend reviewing these and any other GET requests with parameters that have bash commands," Ivanti said.
This is not the first time in recent memory that EPMM has been hit by RCE bugs, and previous analyses have shown attackers tend to use two common methods of persistence. More often than not, it's introducing or modifying web shells, typically targeting error pages such as 401.jsp, the vendor said.
"Any requests to these pages with POST methods or with parameters should be considered highly suspicious."
Ivanti also advised defenders to look out for unexpected WAR or JAR files being introduced to the system, as it could be a sign of attackers deploying reverse shell connections.
EPMM also does not usually make outbound network connections, so any signs of this in the firewall logs should be treated as a sign to investigate.
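The log-review heuristics above can be scripted. The following is an added example, not Ivanti's own detection logic or tooling: it parses Apache combined-format access log lines and flags GET requests whose parameters carry shell-like tokens, POST requests or parameterised requests to error pages such as 401.jsp, and 404s on the feature endpoints. The feature paths and the log layout are assumptions (the page does not give EPMM's real paths), and the sample lines are constructed.

```python
import re
from typing import Dict, List

# Apache combined log format (assumed; adjust to the appliance's actual layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Tokens that suggest a shell command was placed in a query parameter.
SHELL_TOKENS = ("bash", "/bin/", "$(", "`", ";", "|", "&&")
# Error pages the advisory names as common web-shell targets.
ERROR_PAGES = ("401.jsp",)
# Placeholder prefixes for the In-House Application Distribution and Android File
# Transfer Configuration features; assumed, since the real paths are not on the page.
FEATURE_PATHS = ("/mifs/inhouse-app/", "/mifs/android-file-transfer/")


def assess(line: str) -> Dict[str, object]:
    """Return the parsed request plus the list of reasons it looks suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return {"line": line, "reasons": ["unparseable"]}
    method, url, status = m["method"], m["url"], m["status"]
    path, _, query = url.partition("?")
    reasons: List[str] = []
    if method == "GET" and query and any(t in query for t in SHELL_TOKENS):
        reasons.append("GET with shell-like parameters")
    if path.endswith(ERROR_PAGES) and (method == "POST" or query):
        reasons.append("POST or parameters to error page")
    if status == "404" and path.startswith(FEATURE_PATHS):
        reasons.append("404 on feature path")
    return {"ip": m["ip"], "method": method, "url": url, "status": status, "reasons": reasons}


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the lines that triggered at least one heuristic."""
    return [r for r in (assess(l) for l in lines) if r["reasons"]]


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jan/2026:10:01:02 +0000] "GET /mifs/inhouse-app/list HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Jan/2026:10:02:11 +0000] "GET /mifs/inhouse-app/get?name=x;id HTTP/1.1" 404 0',
    '203.0.113.9 - - [20/Jan/2026:10:03:40 +0000] "POST /mifs/401.jsp HTTP/1.1" 200 88',
    '10.0.0.7 - - [20/Jan/2026:10:05:00 +0000] "GET /mifs/401.jsp HTTP/1.1" 401 231',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["url"], hit["status"], "->", "; ".join(hit["reasons"]))
```

Hits are a starting point for review, not a verdict; the 200-with-no-parameters GET to 401.jsp in the sample is left alone, matching the advisory's focus on POSTs and parameterised requests.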
If a customer does find signs of compromise, Ivanti said it's best to just restore from backups – don't bother trying to clean the system – and then upgrade to the latest relevant version.
Alternatively, if going down the backup route isn't an option, Ivanti suggests building a replacement EPMM device and migrating data onto it.
Benjamin Harris, CEO at watchTowr, said that a "wide range" of its customers who have EPMM running belong to high-value industries, warning others to act fast.
He said: "We knew January seemed too calm. Ivanti's EPMM solution, the center point of previous zero-day sagas, is once again receiving in-the-wild exploitation by seemingly capable and well-resourced threat actors.
"CVE-2026-1281 and CVE-2026-1340 – unauthenticated RCE vulnerabilities within Ivanti's Endpoint Manager Mobile (EPMM) – represent the worst of the worst, with threat actors actively compromising systems and deploying backdoors.
"While patches are available from Ivanti, applying patches will not be enough. Threat actors have been exploiting these vulnerabilities as zero-days, and organizations that are, as of disclosure, exposing vulnerable instances to the internet must consider them compromised, tear down infrastructure, and instigate incident response processes."