Ivanti has published security patches for two critical vulnerabilities in its mobile device management product, Ivanti Endpoint Manager Mobile (EPMM), that are already being used in zero-day attacks. Both flaws, tracked as CVE-2026-1281 and CVE-2026-1340, carry a CVSS score of 9.8 and allow code injection that can lead to unauthenticated remote code execution on the affected application.
The company reports that the weaknesses lie in specific product functions, namely In-House Application Distribution and the Android File Transfer Configuration, and has stated that other products in the Ivanti family, such as Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM) and Ivanti Sentry, are not affected. The official advisory and technical guide, which cover the exploitation and mitigation scenarios, are available on the Ivanti forums: Ivanti's security advisory and the detailed analysis with technical guidance.

Both vulnerabilities are listed as exploited in the wild, and the US Cybersecurity and Infrastructure Security Agency (CISA) has added at least one of them, CVE-2026-1281, to its Known Exploited Vulnerabilities (KEV) catalogue, which obliges federal agencies to apply the fixes within a very short time. The CISA alert announcing the entry and the catalogue page can be found here: CISA alert and KEV catalogue.
From a technical point of view, exploiting these flaws lets an attacker inject code into the EPMM application and obtain arbitrary execution without authenticating, which opens the door to compromising the infrastructure and accessing sensitive information about the managed devices. Ivanti notes that, historically, successful attacks against earlier EPMM vulnerabilities have ended with persistence established through web shells or reverse shells, techniques that give the attacker durable access to the compromised system.
The affected versions include EPMM branches up to 12.5.x, 12.6.x and 12.7.x according to the published version matrix; the company says the definitive fix will be permanently incorporated into version 12.8.0.0, which it expects to release in the first quarter of 2026. As an immediate measure, Ivanti has distributed a patch in RPM format, but warns that this patch does not survive a version upgrade: if the application is upgraded after the RPM is applied, the RPM must be reinstalled.
Ivanti also reports that it had identified a small number of customers who had been exploited at the time of disclosure, but that it does not yet have atomic, verifiable indicators of compromise that would allow the activity of the actor behind the attacks to be reliably traced. That uncertainty is precisely why the company provides instructions for searching systems for evidence, and for containment and recovery if an intrusion is confirmed.
To identify attempts or intrusions, the operational recommendation is to review the Apache access log at /var/log/httpd/https-access_log for patterns in requests to the endpoints involved. Ivanti provides a regular expression that helps detect requests returning 404 codes associated with abuse attempts on the /mifs/c/ routes named in the advisory (aft-124, app store and fob paths); under normal conditions legitimate calls should return 200, whereas failed attempts or probing often produce 404. Records matching that pattern, or anomalous responses, should prompt a deeper investigation.
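As an added example (not code from the Ivanti advisory), the following script applies the log review described above to Apache combined-format access lines, flagging 404 responses on the /mifs/c/ routes and summarising them by source address. The sample log lines are constructed, the IP addresses are documentation placeholders, and the path filter (any request under /mifs/c/) is an assumption standing in for the exact regular expression Ivanti supplies, which is not reproduced here.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in Apache combined-log format. These are NOT real
# Ivanti log excerpts; IPs are RFC 5737 placeholders and path tails are dummies.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jan/2026:10:01:12 +0000] "GET /mifs/c/aft-124/placeholder HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.10 - - [20/Jan/2026:10:01:13 +0000] "POST /mifs/c/appstore/placeholder HTTP/1.1" 404 498 "-" "python-requests/2.31"
198.51.100.7 - - [20/Jan/2026:10:02:44 +0000] "GET /mifs/c/appstore/placeholder HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jan/2026:10:03:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Jan/2026:10:03:15 +0000] "GET /mifs/c/fob/placeholder HTTP/1.1" 404 510 "-" "python-requests/2.31"
"""

# Parser for the standard Apache combined log format (client, timestamp,
# request line, status, size). Trailing referer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: abuse attempts target routes under /mifs/c/. The advisory's own
# regular expression should be substituted here when following the guidance.
SUSPECT_PATH_RE = re.compile(r'^/mifs/c/')


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def parse_line(line):
    """Return a Hit for a well-formed access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Hit(m['ip'], m['ts'], m['method'], m['path'], int(m['status']))


def find_suspect_requests(log_text):
    """Requests to the watched routes that returned 404 (legitimate calls return 200)."""
    hits = []
    for line in log_text.splitlines():
        h = parse_line(line)
        if h and SUSPECT_PATH_RE.search(h.path) and h.status == 404:
            hits.append(h)
    return hits


def summarize_by_ip(hits):
    """Count suspect requests per source address to surface repeated probing."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


def scan_file(path):
    """Run the same check over a real log file, e.g. /var/log/httpd/https-access_log."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        return find_suspect_requests(fh.read())


if __name__ == "__main__":
    hits = find_suspect_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} {h.method} {h.path} -> {h.status}")
    print("per-source counts:", summarize_by_ip(hits))
```

A 200 on these routes is the expected outcome of a legitimate call, so the script deliberately reports only 404s; a burst of them from a single address, as in the constructed sample, is the signal the advisory says warrants deeper investigation alongside the configuration review that follows.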
In addition to monitoring web logs, Ivanti advises reviewing recent changes to the configuration itself: check for new or modified administrators, review authentication settings such as SSO and LDAP, review pushed applications and their configuration, look for added or altered policies, and check any changes to network or VPN configurations deployed to mobile devices. If signs of compromise are found, the firm recommendation is to restore the application from a trusted backup, or to rebuild a new instance and migrate the data, and then rotate critical credentials and certificates.
For post-incident cleanup, the suggested containment actions include resetting EPMM local account passwords, changing the service credentials used for LDAP or KDC lookups, revoking and replacing the application's public certificate and updating any other service account linked to the environment. These measures aim to remove backdoors and credentials that an attacker may have exfiltrated or obtained during the intrusion.

For security managers and teams, the immediate priority is to apply the official Ivanti patches as soon as possible and to confirm that the fix remains in place after any version upgrade; if the temporary RPM is used, it must be reinstalled after each upgrade until version 12.8.0.0 is deployed. Ivanti's notes and updates can be consulted in its advisory space: forum / Ivanti's advisory.
The addition of CVE-2026-1281 to the KEV catalogue has accelerated the regulatory deadlines for US government agencies: federal agencies must have applied the fixes by the deadline set by CISA, which in this case called for rapid compliance. For teams outside the federal sphere the practical recommendation is the same: prioritise the update, monitor for evidence of suspicious activity, and be prepared for an incident response that includes restoration from trusted backups, rebuilding the application and rotating critical credentials.
In an environment where mobile management platforms concentrate access to, and sensitive data about, an organisation's devices, a vulnerability that allows unauthenticated remote execution is not a minor threat. Keeping systems up to date, auditing configuration changes, and having clear processes for recovery and credential rotation are measures that reduce risk and speed up the response to an intrusion. For more information and technical steps, see Ivanti's communication and the CISA guidance: Ivanti's analysis and guidance and the CISA alert.