Ivanti has issued emergency security updates for two critical code injection zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), a widely deployed enterprise mobile device management platform, after confirming active exploitation in the wild. Tracked as CVE-2026-1281 and CVE-2026-1340, the flaws affect the In-House Application Distribution and Android File Transfer Configuration features and allow unauthenticated remote attackers to execute arbitrary code on vulnerable on-premises EPMM appliances with no authentication or user interaction. Ivanti reports that only a limited number of customers were impacted, but the risk remains significant for every unpatched deployment: successful exploitation yields unauthenticated remote code execution and lets an attacker use the compromised EPMM server as a foothold for lateral movement, particularly where EPMM is integrated with Ivanti Sentry. Ivanti has clarified that the cloud-hosted Ivanti Neurons for MDM and other Ivanti products are not affected by CVE-2026-1281 or CVE-2026-1340. Temporary RPM patches are available for immediate deployment, and permanent fixes are planned for EPMM version 12.8.0.0, scheduled for release later in Q1 2026.
CVE-2026-1281 and CVE-2026-1340 are both classified as code injection vulnerabilities under CWE-94 (Improper Control of Generation of Code). They reside in the In-House Application Distribution and Android File Transfer Configuration components of EPMM. The root cause is insufficient input validation and improper handling of user-supplied data in those features, which lets attacker-controlled input be interpreted and executed as code on the underlying EPMM system.
Exploitation requires no prior authentication or user interaction: an unauthenticated remote attacker can inject and execute arbitrary code on a vulnerable appliance. Affected versions are EPMM 12.5.0.0 and prior, 12.5.1.0 and prior, 12.6.0.0 and prior, 12.6.1.0 and prior, and 12.7.0.0 and prior. The unauthenticated nature of the flaws makes them particularly dangerous, since an external attacker can target an internet-exposed EPMM appliance without credentials or internal network access.
Ivanti has confirmed active exploitation of CVE-2026-1281 and CVE-2026-1340 in the wild, with evidence of attacks against EPMM infrastructure before public disclosure. Exploitation attempts can be identified in the Apache HTTPD access log at /var/log/httpd/https-access_log on the appliance: legitimate use of the affected features produces HTTP 200 responses, whereas exploitation attempts produce HTTP 404 responses for requests to the /mifs/c/aft store/fob/ and /mifs/c/app store/fob/ paths. Organizations running EPMM are also advised to monitor firewall logs for long-running connections initiated by the EPMM appliance, a potential indicator of reverse shell activity following successful exploitation.
All organizations with on-premises EPMM installations must apply the provided RPM patch without delay to protect against CVE-2026-1281 and CVE-2026-1340 exploitation. The patch requires no downtime and does not negatively affect any EPMM features. It is a provisional fix that addresses the immediate exploitation risk while the permanent fix is prepared for EPMM version 12.8.0.0.
Ivanti has announced that the permanent fix for CVE-2026-1281 and CVE-2026-1340 will be included in EPMM version 12.8.0.0, scheduled for release later in Q1 2026. Organizations must begin planning for this upgrade immediately and adopt the new version once available; the 12.8.0.0 release provides definitive mitigation and eliminates the need for the temporary RPM patch.
The temporary RPM patch does not survive version upgrades. If an EPMM appliance is upgraded to another version before 12.8.0.0 is released, the RPM script must be reinstalled on the upgraded appliance. Maintain documentation of patch status across all EPMM instances so that protection against CVE-2026-1281 and CVE-2026-1340 remains consistent.
Organizations must review the Apache access log at /var/log/httpd/https-access_log on all EPMM appliances for signs of exploitation using the detection patterns provided. Look specifically for HTTP 404 responses to the /mifs/c/aft store/fob/ and /mifs/c/app store/fob/ paths, which indicate attempted or successful exploitation. Forward EPMM logs to a SIEM for centralized monitoring and correlation with other security events.
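As an added example (not Ivanti's code and not part of the original post), the following Python script implements the log check described in the exploitation paragraph above and in this one: it parses Apache combined-format lines such as those in /var/log/httpd/https-access_log and reports HTTP 404 responses to the two named paths, treating 200s there as legitimate use. The combined-format regex, the percent-decoding of the request target and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# Paths named in the Ivanti guidance (listed with a literal space); request targets are percent-decoded before matching.
SUSPICIOUS_PREFIXES = ("/mifs/c/aft store/fob/", "/mifs/c/app store/fob/")
# Apache combined log format; the target is matched non-greedily so a path containing spaces still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int

def normalize_path(target: str) -> str:
    """Drop the query string and percent-decode so encoded variants of the path still match."""
    return unquote(target.split("?", 1)[0])

def scan_access_log(lines):
    """Return 404 requests to the affected paths; 200 responses there are normal feature use."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as evidence
        path = normalize_path(m["target"])
        status = int(m["status"])
        if status == 404 and path.startswith(SUSPICIOUS_PREFIXES):
            hits.append(Hit(m["ip"], m["ts"], m["method"], path, status))
    return hits

def sources(hits):
    """Count hits per client IP to prioritise which sources to investigate first."""
    return Counter(h.ip for h in hits)

# Constructed sample lines using documentation IP ranges, not taken from a real appliance.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jan/2026:10:02:11 +0000] "GET /mifs/c/app%20store/fob/AAAA HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Jan/2026:10:02:13 +0000] "POST /mifs/c/aft store/fob/BBBB HTTP/1.1" 404 196 "-" "curl/8.4.0"
10.0.0.25 - - [13/Jan/2026:10:05:02 +0000] "GET /mifs/c/app%20store/fob/legit.apk HTTP/1.1" 200 51234 "-" "okhttp/4.9"
10.0.0.31 - - [13/Jan/2026:10:06:30 +0000] "GET /mifs/login.jsp?x=1 HTTP/1.1" 404 1822 "-" "Mozilla/5.0"
"""
```

Run `scan_access_log(SAMPLE_LOG.splitlines())` to see the two flagged requests; point it at the real log file's lines and feed `sources()` the result when triaging an appliance.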
Examine EPMM environments for unauthorized modifications that would indicate successful exploitation, including new or recently changed administrator accounts; changes to authentication configuration such as SSO and LDAP settings; newly pushed mobile applications; configuration changes to in-house applications; new or modified policies; and network configuration changes, including VPN configurations pushed to mobile devices through the compromised EPMM infrastructure.
Ensure EPMM appliances are properly segmented from critical network infrastructure to limit the impact of a successful compromise. Restrict network access to EPMM to only the systems and users that need it, which reduces the potential impact of CVE-2026-1281 or CVE-2026-1340 exploitation and limits lateral movement from a compromised server.