Ivanti has announced patches for two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, identified as CVE-2026-1281 and CVE-2026-1340. These vulnerabilities are rated with a near-maximum CVSS score of 9.8 and allow for unauthenticated remote code execution (RCE), posing significant risks to affected systems.
Current Exploitation Status
According to Ivanti, a very limited number of customers had been exploited at the time of disclosure. The company emphasizes that these vulnerabilities do not affect other Ivanti products, including cloud solutions like Ivanti Neurons for MDM, nor do they impact Ivanti Endpoint Manager (EPM).
Potential Impact of the Vulnerabilities
The RCE vulnerabilities could allow attackers to execute malicious code remotely, leading to various security threats such as lateral movement within the network, configuration changes, and unauthorized administrative access. Ivanti has indicated that compromised systems may expose sensitive data, including personal information about the EPMM administrator and device users, as well as details about mobile devices, such as phone numbers and GPS locations.
Indicators of Compromise and Detection
Ivanti has not provided specific indicators of compromise (IOCs) due to the limited number of affected customers. However, the company has shared a technical analysis page that outlines general detection methods. Threat hunters are advised to examine the Apache access log, particularly focusing on the In-House Application Distribution and Android File Transfer Configuration features. Legitimate traffic typically results in 200 HTTP response codes, while potential exploit activity may generate 404 errors.
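The log check described above, as an added example (not Ivanti's or this article's own code): it parses Apache access-log lines and lists the clients that received 404 responses on the two named features. The URL prefixes are placeholders, since the article does not give the request paths, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# ASSUMPTION: placeholder URL prefixes. The article names the two features but
# not their request paths; take the real ones from Ivanti's technical analysis.
FEATURE_PREFIXES = {
    "In-House Application Distribution": "/PLACEHOLDER/inhouse-app-distribution/",
    "Android File Transfer Configuration": "/PLACEHOLDER/android-file-transfer/",
}

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def hunt(lines, prefixes=FEATURE_PREFIXES):
    """Return {client: [(time, feature, path), ...]} for 404s on the watched features."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for feature, prefix in prefixes.items():
            if m["path"].startswith(prefix) and m["status"] == "404":
                hits[m["host"]].append((m["time"], feature, m["path"]))
    return dict(hits)

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "GET /PLACEHOLDER/inhouse-app-distribution/app1.ipa HTTP/1.1" 200 51234 "-" "MDM-Client"
203.0.113.9 - - [01/Jan/2026:10:02:13 +0000] "GET /PLACEHOLDER/inhouse-app-distribution/x?a=b HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.9 - - [01/Jan/2026:10:02:15 +0000] "GET /PLACEHOLDER/android-file-transfer/y HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2026:10:03:00 +0000] "GET /index.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for client, events in hunt(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} x 404 on watched features")
        for when, feature, path in events:
            print(f"  {when}  {feature}  {path}")
```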
Recommended Actions for Affected Customers
Organizations that suspect they may have been compromised are advised to restore their systems from backups rather than attempting to clean the affected systems. If restoring from backups is not feasible, Ivanti recommends building a replacement EPMM device and migrating data to it. The urgency of these actions is underscored by experts, who warn that organizations exposing vulnerable instances to the internet must consider themselves compromised and initiate incident response procedures.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








