Critical Ivanti EPMM Zero-Day Vulnerabilities Exploited in The Wild Targeting Corporate Networks

Cybersecurity News (original source: cybersecuritynews.com, by Blog Writer)


Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) have emerged as a major threat to enterprise networks, with active exploitation campaigns targeting corporate infrastructure across multiple countries.

The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, allow an unauthenticated remote attacker to execute arbitrary code on the EPMM server; no credentials or user interaction are required.

These flaws have already affected organizations in the United States, Germany, Australia and Canada, particularly impacting sectors such as state and local government, healthcare, manufacturing, professional services and high technology.

Successful exploitation gives threat actors control of the mobile device management server itself, which they have used to establish reverse shells, install web shells, conduct reconnaissance and download additional malicious software.

Unit 42 has documented widespread automated exploitation attempts since the vulnerabilities were disclosed in January 2026.

The U.S. Cybersecurity and Infrastructure Security Agency quickly added CVE-2026-1281 to its Known Exploited Vulnerabilities Catalog due to the severity and active exploitation.

Using Cortex Xpanse telemetry, Palo Alto Networks researchers identified more than 4,400 EPMM instances exposed to the internet.

The analysts noted that threat actors are accelerating their operations, moving from initial reconnaissance to deploying dormant backdoors intended to preserve long-term access even after the vulnerabilities are patched.

A patch closes the entry point but does not remove an implant that is already in place, which is why attackers are adapting their strategies toward persistence rather than one-off access to compromised networks.

Both vulnerabilities stem from unsafe use of bash scripts in legacy components that are reached through URL-rewriting rules in the Apache web server configuration.

CVE-2026-1281 affects the scripts behind the In-House Application Distribution feature, while CVE-2026-1340 affects the Android File Transfer mechanism.
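To make the bug class concrete, the following is an added illustration, not Ivanti's code and not a description of the actual EPMM scripts, of how a shell script that receives a request-derived value through a web server rewrite rule turns into a remote code execution primitive, placed beside a hardened version. The handler names, the APP_BASE directory and the sample input are hypothetical.

```shell
#!/bin/sh
# Added example of the shell-injection bug class the article attributes to
# the affected scripts. This is NOT Ivanti's code. The handler names, the
# APP_BASE directory and the sample input are hypothetical stand-ins for a
# script that receives a request-derived value via an Apache rewrite rule.

APP_BASE="${APP_BASE:-/srv/apps}"   # assumption: directory the script resolves names under

# Vulnerable pattern: the request-derived value is spliced into a command
# string and that string is re-parsed by the shell. Shell metacharacters in
# the value (; | & $() and backticks) therefore become additional commands.
vulnerable_handler() {
    eval "ls -ld $APP_BASE/$1" 2>/dev/null
}

# Hardened pattern: validate against a strict allowlist and never re-parse.
# The value is passed as one quoted argument, and "--" stops option parsing.
hardened_handler() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]* | .*) return 1 ;;   # empty, metacharacters, or dot-prefixed (e.g. "..")
    esac
    ls -ld -- "$APP_BASE/$1" 2>/dev/null
}

# Returns 0 when the named handler's output contains the marker that an
# injected command would print, i.e. when the injection succeeded.
injection_succeeded() {
    "$1" 'report.txt; echo INJECTED' | grep -q INJECTED
}

demo() {
    if injection_succeeded vulnerable_handler; then
        echo "vulnerable_handler: injected command ran"
    fi
    if injection_succeeded hardened_handler; then
        echo "hardened_handler: injected command ran"
    else
        echo "hardened_handler: input rejected, nothing executed"
    fi
}

demo
```

The difference that matters is not the allowlist alone but the removal of `eval`: once a request-controlled string is re-parsed by the shell, no amount of downstream quoting helps, which is the shape of flaw that lets an unauthenticated request reach a shell on the appliance.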

Attack Methods and Malicious Activity

During exploitation attempts, attackers have deployed multiple types of malware and tools to compromise vulnerable systems.

Security researchers observed the installation of lightweight JSP web shells with names like 401.jsp, 403.jsp and 1.jsp placed in the server’s web application directory.

Figure 1: Format of command targeting vulnerable Ivanti EPMM servers (Source: Palo Alto Networks)

A web shell runs with the privileges of the web server process, so these shells grant full administrative control only where that process runs with elevated privileges. Figure 1 shows command formats targeting vulnerable servers, while Figure 2 displays URL patterns from exploitation attempts.

Figure 2: URL and commands from an exploitation attempt (Source: Palo Alto Networks)

Threat actors also attempted to download the Nezha monitoring agent, an open-source server management utility, from Gitee repositories with parameters tailored to victims in China.

Some campaigns involved downloading second-stage payloads that install cryptominers or persistent backdoors on compromised appliances.

Attackers also used sleep commands as a reconnaissance step: a successful injection produces no output, but a response delayed by the requested number of seconds confirms that the server is vulnerable and that injected commands execute. Figure 5 shows these reconnaissance attempts, and Figure 6 displays a decoded JSP web shell.
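The two artefact types described above, unexpected .jsp files in the web application directory and sleep-based timing probes in the access log, lend themselves to a quick triage check. The following is an added example and is not Ivanti's or NCSC-NL's detection script; the directory layout, the request path /legacy/example and every log line are constructed for this illustration, and the real exploitation URLs are not reproduced here.

```shell
#!/bin/sh
# Added triage example for the two artefact types the article describes:
# unexpected .jsp files in the web application directory, and time-delay
# "sleep" probes in the web server access log. Not Ivanti's or NCSC-NL's
# detection script. The directory layout, the request path /legacy/example
# and all log lines below are constructed for this illustration.

# Lists .jsp files under DIR ($1) that are absent from BASELINE ($2), a sorted
# list of known-good absolute paths (e.g. taken from a clean install or backup).
find_unexpected_jsp() {
    find "$1" -type f -name '*.jsp' | sort | comm -23 - "$2"
}

# Prints the distinct client IPs whose request lines carry a sleep command
# with a numeric delay, in raw, %20-encoded or +-encoded form. A handler
# that really runs a request-controlled shell command will stall for that
# many seconds, which is what the attacker is measuring.
find_sleep_probes() {
    grep -iE 'sleep(%20|[+ ])[0-9]+' "$1" | awk '{ print $1 }' | sort -u
}

# Builds the constructed sample data in a temp directory and prints its path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/webapp"
    printf '%s\n' '<%-- legitimate page --%>' > "$d/webapp/index.jsp"
    printf '%s\n' 'constructed stand-in for a dropped web shell' > "$d/webapp/401.jsp"
    printf '%s\n' 'constructed stand-in for a dropped web shell' > "$d/webapp/1.jsp"
    printf '%s\n' "$d/webapp/index.jsp" > "$d/baseline.txt"
    # Constructed access log lines in common log format (RFC 5737 test addresses).
    printf '%s\n' \
      '203.0.113.7 - - [15/Jan/2026:10:00:01 +0000] "GET /legacy/example?arg=%60sleep%2010%60 HTTP/1.1" 200 512' \
      '203.0.113.7 - - [15/Jan/2026:10:00:12 +0000] "GET /legacy/example?arg=%24(sleep+5) HTTP/1.1" 200 512' \
      '198.51.100.4 - - [15/Jan/2026:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024' \
      > "$d/access.log"
    printf '%s\n' "$d"
}

demo() {
    d=$(make_fixture)
    echo "Unexpected .jsp files:"
    find_unexpected_jsp "$d/webapp" "$d/baseline.txt"
    echo "Hosts sending sleep probes:"
    find_sleep_probes "$d/access.log"
    rm -rf "$d"
}

demo
```

On a real appliance the baseline would come from a clean install of the same version and the log from the server's actual access log; any hit should be treated as a lead for deeper forensics, since a dropped web shell may have been renamed or removed after a second-stage payload was installed.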

Ivanti released version-specific patches (RPM 12.x.0.x or RPM 12.x.1.x) that require no downtime and take only seconds to apply.

Organizations should immediately patch vulnerable systems and review appliances for signs of exploitation that may have occurred before patching.

The company also provided an Exploitation Detection script developed with NCSC-NL to help customers identify potential compromises.

Unit 42 recommends organizations adopt an assumed breach mentality and treat any detection of indicators as potential compromise with deeper persistence.
