Imagine waking up to the news that your organization's mobile device management system has been compromised through not one, but two critical zero-day vulnerabilities. That is the reality for users of Ivanti Endpoint Manager Mobile (EPMM): the company has disclosed active exploitation of two critical flaws, and one of them has already been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, which obliges federal agencies to act on a fixed deadline. Here is what is happening and why it matters, even if you do not run Ivanti.
Ivanti has released security updates for CVE-2026-1281 and CVE-2026-1340, both rated CVSS 9.8 and both allowing unauthenticated remote code execution (RCE). In plain terms, an attacker who can reach the EPMM web interface can run arbitrary code on the appliance without any credentials. The flaws live in two specific features, In-House Application Distribution and Android File Transfer Configuration, and Ivanti states that other products such as Ivanti Neurons for MDM and Ivanti Endpoint Manager (EPM) are not affected. For EPMM deployments, however, the exposure is about as severe as it gets: the management server that pushes configuration and applications to every enrolled device.
The affected versions are EPMM 12.5.0.0 and earlier, 12.6.0.0 and earlier, and 12.7.0.0 and earlier (fixed by the RPM for the 12.x.0.x line), as well as EPMM 12.5.1.0 and earlier and 12.6.1.0 and earlier (fixed by the RPM for the 12.x.1.x line). One catch to plan around: the RPM is a hotfix that is not carried forward by a version upgrade, so if you move the appliance to another affected version you must reapply it. The permanent fix is scheduled for EPMM 12.8.0.0, expected later in Q1 2026. With exploitation already underway, waiting for 12.8 is not a realistic option; apply the RPM now and treat 12.8 as the point where you can stop re-checking it after upgrades.
Ivanti acknowledges that a small number of customers have been compromised, though details about the threat actors remain scarce. To detect exploitation attempts, the company recommends searching the Apache access log at /var/log/httpd/https-access_log with the regex ^(?!127\.0\.0\.1:\d+.*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404 . Read left to right, it skips requests originating from 127.0.0.1, then looks for requests to the /mifs/c/aftstore/fob/ or /mifs/c/appstore/fob/ endpoints followed by a 404. According to Ivanti, legitimate use of these endpoints returns HTTP 200, while exploitation attempts produce 404s. Two caveats a practitioner should keep in mind: an attacker who has achieved code execution on the appliance can truncate or edit this log, so an empty result does not prove the absence of compromise; and the published pattern matches the digits 404 anywhere after the path, not only in the status field, so confirm each hit by looking at the actual response code before escalating.
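The log check described above, as an added example that is not part of Ivanti's advisory or of the original article. It applies the published regex verbatim to a handful of constructed access-log lines (not real captured entries), and beside it runs a stricter check that parses the client, request path and status fields explicitly so that a 404 appearing in a byte count or a path does not produce a false hit. The combined-log field layout, the client:port form of the first field, and the scan_file helper are assumptions made for the example.

```python
import re

# Ivanti's published detection regex for /var/log/httpd/https-access_log, copied verbatim
# from the advisory text quoted above.
IVANTI_REGEX = re.compile(r"^(?!127\.0\.0\.1:\d+.*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404")

# Stricter companion check (added here, not from Ivanti): parse the fields so that only a
# genuine 404 status on the affected endpoints counts. The field layout below
# (client:port, ident, user, [time], "request", status, bytes) is an assumption.
COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
TARGET_PATH = re.compile(r"/mifs/c/(aft|app)store/fob/")

# Constructed sample lines (not real log data); addresses are RFC 5737 documentation ranges.
# Line 4 is deliberately a 200 response of 4040 bytes to show the raw regex's false positive.
SAMPLE_LINES = [
    '203.0.113.7:51234 - - [20/Jan/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/x HTTP/1.1" 404 221',
    '10.0.0.5:40001 - - [20/Jan/2026:10:01:03 +0000] "GET /mifs/c/appstore/fob/app HTTP/1.1" 200 1024',
    '127.0.0.1:34567 - - [20/Jan/2026:10:01:04 +0000] "GET /mifs/c/aftstore/fob/y HTTP/1.1" 404 221',
    '198.51.100.9:22222 - - [20/Jan/2026:10:01:05 +0000] "GET /mifs/c/aftstore/fob/z HTTP/1.1" 200 4040',
    '192.0.2.4:5555 - - [20/Jan/2026:10:01:06 +0000] "GET /mifs/login HTTP/1.1" 404 221',
]


def ivanti_hits(lines):
    """Lines flagged by Ivanti's regex exactly as published."""
    return [line for line in lines if IVANTI_REGEX.search(line)]


def strict_hits(lines):
    """Lines from a non-loopback client whose parsed request path is one of the affected
    endpoints and whose parsed status field is exactly 404."""
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # unparseable line: review by hand rather than silently dropping it
        if m.group("client").startswith("127.0.0.1:"):
            continue  # Ivanti's pattern excludes loopback-originated requests
        if TARGET_PATH.search(m.group("path")) and m.group("status") == "404":
            hits.append(line)
    return hits


def scan_file(path="/var/log/httpd/https-access_log"):
    """Run both checks over a real log file; returns (raw_regex_hits, strict_hits)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = [line.rstrip("\n") for line in fh]
    return ivanti_hits(lines), strict_hits(lines)


if __name__ == "__main__":
    print("Ivanti regex hits:")
    for line in ivanti_hits(SAMPLE_LINES):
        print("  ", line)
    print("Strict hits (parsed status == 404):")
    for line in strict_hits(SAMPLE_LINES):
        print("  ", line)
```

On the constructed sample, the published regex flags two lines, the real 404 from 203.0.113.7 and the 200/4040-byte line from 198.51.100.9, while the strict check keeps only the first. On a real appliance, run scan_file() as an account that can read the log, and treat any strict hit as a trigger for the compromise-review steps that follow.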
Beyond logs, Ivanti urges administrators to scrutinize recent changes, including new administrators, authentication settings, push applications, policies, and network configurations. If signs of compromise are detected, the recommended steps are drastic but necessary: restore from a clean backup, rebuild the EPMM appliance, and migrate data. Afterward, reset all passwords, revoke and replace certificates, and secure service accounts.
CISA's addition of CVE-2026-1281 to the KEV catalog underscores the urgency: federal agencies are required to remediate by February 1, 2026, and that deadline is a reasonable benchmark for everyone else. It also raises the uncomfortable question the industry keeps avoiding: whether we are doing enough to keep management interfaces like EPMM off the open internet and behind strong authentication in the first place, or whether we are resigned to patching after the exploitation has already started.