Organizations running Ivanti Endpoint Manager Mobile (EPMM), a widely used mobile device management (MDM) platform, are being actively targeted through two recently identified zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340. According to security researchers, attackers can run code remotely on affected servers without user interaction, authentication, or stolen credentials. The vulnerabilities give a remote attacker complete control of the MDM system.
Because EPMM manages corporate smartphones, tablets, apps, and access policies, a compromised server gives an attacker a direct route into the enterprise network. Unit 42 researchers report that the vulnerabilities are already being exploited in real-world intrusions. Observed activity includes creating reverse shells, deploying web shells, performing reconnaissance, and downloading malware.
Some attackers install persistent backdoors immediately, designed to keep working even after patches are applied. The campaign has affected organizations in the US, Germany, Australia, and Canada, across sectors including government, healthcare, manufacturing, legal and professional services, and high-tech businesses.
CVE-2026-1281 has been added to the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog because of active exploitation, signalling an urgent need to patch.
How The Vulnerability Works
CVE-2026-1281 is a remote code execution vulnerability with a severity score of 9.8. The flaw lies in legacy bash scripts that the Apache web server uses to rewrite URLs. By sending specially crafted HTTP requests to EPMM endpoints, attackers control variables that the script processes.
The script evaluates those attacker-controlled values with bash arithmetic expansion, which causes the input to be interpreted as commands and executed on the server. The second bug, CVE-2026-1340, abuses the same mechanism in a different script and affects the Android file transfer feature. Both vulnerabilities can be triggered through certain internet-exposed URLs.
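The root cause described above, untrusted request data reaching shell arithmetic, is easy to reproduce in miniature and equally easy to close. The following shell script is an added example for this article; it is not Ivanti's code and not the affected rewrite script. The function names, the `page` parameter and the sample inputs are constructed for illustration. It places the vulnerable pattern beside a hardened version that allow-lists the value as a plain integer before any arithmetic sees it.

```shell
#!/bin/sh
# Added example (not Ivanti's code): untrusted input in shell arithmetic,
# and the input check that closes the hole. Function names, the "page"
# parameter and all sample values below are constructed for illustration.

# VULNERABLE pattern: a request-derived value goes straight into $(( ... )).
# Bash evaluates the string as an arithmetic expression; an array reference
# such as  a[$(cmd)]  inside that expression has its subscript expanded,
# which runs cmd. This function is only ever called with a number here.
unsafe_next_page() {
  page="$1"
  echo $(( page + 1 ))
}

# Allow-list check: the value must be one or more ASCII digits, nothing else.
is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit character
    *) return 0 ;;
  esac
}

# HARDENED pattern: validate (and bound) the value before any arithmetic.
# Anything that is not a plain integer is rejected with a non-zero status,
# so no attacker-controlled text is ever handed to the arithmetic evaluator.
safe_next_page() {
  page="$1"
  if ! is_uint "$page"; then
    echo "rejected: page is not a plain integer" >&2
    return 1
  fi
  if [ "$page" -gt 100000 ]; then
    echo "rejected: page out of range" >&2
    return 1
  fi
  echo $(( page + 1 ))
}

# Stand-alone demo with constructed inputs.
main() {
  safe_next_page 41                      # prints 42
  if ! safe_next_page 'a[$(echo injected)]'; then
    echo "second value rejected; arithmetic never ran"
  fi
}
main
```

The check is deliberately an allow-list rather than a deny-list of dangerous characters: a single pattern (`*[!0-9]*`) rejects every encoding trick at once, and the same `case` idiom works in POSIX sh as well as bash, so it fits legacy scripts like the ones the article describes.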
Attackers use automated scanners to locate susceptible servers. To confirm that exploitation works, they frequently send a harmless command first, such as a brief delay. Once confirmed, they deliver payloads including persistent access tools, web shells, and cryptominers. Researchers also observed attempts to download monitoring agents and to connect compromised servers to command-and-control infrastructure.
Mitigation and Patching
In January 2026, Ivanti released security updates and advised customers to apply the relevant RPM patch immediately. According to the company, the update does not affect functionality and requires no downtime. Because attackers may already have gained covert access, security teams are also urged to check systems for indicators of compromise after patching.
The potential attack surface is significant: more than 4,400 exposed EPMM instances have been observed online. Experts advise limiting external access, isolating management interfaces, monitoring logs for suspicious requests, and adopting an "assumed breach" mindset. Palo Alto Networks says the rapid weaponization of these vulnerabilities reflects a growing trend: attackers are folding newly disclosed vulnerabilities into automated attack frameworks within hours.
Delays in patching internet-facing systems expose organizations to an immediate and serious risk of network compromise.