Unauthenticated Remote Code Execution in Ivanti EPMM: CVE-2026-1281 and CVE-2026-1340 (CVSS 9.8)
Key Takeaways:
- Critical Severity: Two vulnerabilities (CVE-2026-1281 and CVE-2026-1340) with a 9.8 CVSS score allow unauthenticated RCE.
- Active Exploitation: Both flaws are being exploited in the wild as zero-days.
- High Impact: Attackers can gain full system-level access to Mobile Device Management (MDM) hubs, compromising mobile fleets.
- Immediate Action Required: Ivanti has released RPM mitigation scripts that must be applied to all vulnerable versions (12.5.x – 12.7.x).
Table of Contents:
- Technical Analysis of CVE-2026-1281 and CVE-2026-1340
- Indicators of Compromise and Detection
- Data at Risk and Post-Exploitation Activity
- Impact on Supply-Chain and Brand Security
- Mitigation and Remediation Strategies
- Practical Takeaways for Technical Teams
- Practical Takeaways for Business Leaders
- PurpleOps Expertise and Integration
- Frequently Asked Questions
Ivanti recently disclosed two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) solution, formerly known as MobileIron Core. The flaws, tracked as CVE-2026-1281 and CVE-2026-1340, are being actively exploited in the wild as zero-days. Both carry a CVSS score of 9.8 (critical) because they permit unauthenticated remote code execution (RCE).
Technical Analysis of CVE-2026-1281 and CVE-2026-1340 (CVSS 9.8)
Both vulnerabilities in Ivanti EPMM are code-injection flaws: an external, unauthenticated actor can make the appliance execute arbitrary code. Because the injection happens before authentication, the attacker needs neither valid credentials nor a foothold on the internal network. The attack surface lies in two EPMM features, In-House Application Distribution and the Android File Transfer Configuration, which are reached through the appstore and aftstore request paths.
In these attacks, the adversary sends specially crafted requests to the vulnerable endpoints. If successful, the code injection allows for full system-level access to the EPMM appliance. Given that EPMM serves as a central hub for Mobile Device Management (MDM), a compromise at this level provides the attacker with extensive control over the entire mobile fleet of an organization.
Research indicates that a limited number of threat actors are using these flaws to gain initial access to corporate environments. Threat-intelligence data suggests that mobile management infrastructure is increasingly targeted as a gateway for lateral movement into the wider internal network.
Indicators of Compromise and Detection
Ivanti has noted that the number of confirmed impacted customers is small, but the lack of reliable indicators of compromise (IOCs) makes detection difficult. Engineers can still look for attempted or successful exploitation in the Apache access log on the appliance, /var/log/httpd/https-access_log.
The vulnerable endpoints sit under the aftstore and appstore paths. Analysis of exploitation attempts shows that malicious requests often produce an HTTP 404 response, whereas legitimate traffic to these features typically returns HTTP 200. Defenders can use the following regular expression to find external requests to these endpoints that ended in a 404:
^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
The negative lookahead discards lines that begin with a 127.0.0.1:port client field, so it assumes the log line starts with the client address; the rest of the pattern matches requests to /mifs/c/aftstore/fob/ or /mifs/c/appstore/fob/ followed by the digits 404. Because the trailing .*?404 is not anchored to the status field, it also fires when 404 appears elsewhere after the path (for instance inside a response byte count), so review the hits rather than treating every match as an attempt. Sophisticated actors may delete or modify local logs after gaining access, so ship the access log to a central log platform or breach-detection system to keep a reliable audit trail.
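As an added example (not code from the page or from Ivanti), the following Python script runs the advisory regex over a few constructed Apache-style log lines and, beside it, a stricter check that parses the client and status fields before deciding. The log layout (client:port followed by combined-log fields), the addresses, paths and timestamps are all assumptions made up for the demonstration; the real https-access_log may differ.

```python
import re

# Regex quoted on the page. Its negative lookahead only works when the line starts
# with "client:port " (an assumption about the https-access_log layout).
ADVISORY_RE = re.compile(
    r'^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404'
)

# Stricter alternative: parse the fields, then test path and status separately.
# Assumed layout (constructed for this example): client:port ident user [ts] "req" status size ...
LOG_RE = re.compile(
    r'^(?P<client>[^\s:]+):\d+ \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
VULN_PATH_RE = re.compile(r'^/mifs/c/(aft|app)store/fob/')


def advisory_matches(lines):
    """Lines the page's regex would flag."""
    return [line for line in lines if ADVISORY_RE.search(line)]


def scan(lines):
    """Parse each line; return (client, path, status) for non-local requests to the
    vulnerable paths whose status field is exactly 404."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line; surface these separately in real use
        if m['client'] == '127.0.0.1':
            continue  # internal calls, skipped just as the advisory regex skips them
        if VULN_PATH_RE.match(m['path']) and m['status'] == '404':
            hits.append((m['client'], m['path'], m['status']))
    return hits


def attempts_by_client(lines):
    """Count strict hits per source address, useful for prioritising triage."""
    counts = {}
    for client, _path, _status in scan(lines):
        counts[client] = counts.get(client, 0) + 1
    return counts


# Constructed sample log; addresses are documentation ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7:51822 - - [05/Feb/2026:10:14:02 +0000] "POST /mifs/c/aftstore/fob/upload HTTP/1.1" 404 512 "-" "python-requests/2.31"',
    '127.0.0.1:43118 - - [05/Feb/2026:10:14:05 +0000] "GET /mifs/c/appstore/fob/list HTTP/1.1" 404 118 "-" "curl/8.5"',
    '198.51.100.3:60021 - - [05/Feb/2026:10:15:11 +0000] "GET /mifs/c/appstore/fob/app.apk HTTP/1.1" 200 38112 "-" "Mozilla/5.0"',
    '203.0.113.7:51901 - - [05/Feb/2026:10:16:44 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 404 "-" "python-requests/2.31"',
    # Legitimate 200 whose byte count contains the digits 404: the advisory regex over-matches here.
    '198.51.100.9:55012 - - [05/Feb/2026:10:17:30 +0000] "GET /mifs/c/appstore/fob/icon.png HTTP/1.1" 200 4041 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    print('advisory regex flagged:', len(advisory_matches(SAMPLE_LOG)))
    for hit in scan(SAMPLE_LOG):
        print('strict hit:', hit)
    print('per client:', attempts_by_client(SAMPLE_LOG))
```

On the sample, the advisory regex flags two lines (the real probe and the icon.png request whose size field happens to contain 404), while the field-based check returns only the probe. For production use, feed the appliance's access log, or the centrally shipped copy, line by line, and treat lines the parser rejects as worth a manual look, since the assumed layout may not match every build.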
Data at Risk and Post-Exploitation Activity
Once an attacker achieves RCE on the EPMM appliance, they gain access to the underlying database. This database contains sensitive information, including:
- Administrator and user names.
- Email addresses and corporate directory metadata.
- Managed device details: Phone numbers, IP addresses, and installed applications.
- Device identifiers: International Mobile Equipment Identity (IMEI) and Media Access Control (MAC) addresses.
- Geographical data: GPS coordinates and cell tower location history.
Furthermore, attackers can use the EPMM API or the web management console to push configuration changes to all enrolled devices. This includes the ability to modify authentication settings or install malicious applications across the mobile ecosystem. There is also a secondary risk regarding encrypted private keys. While Ivanti indicates that decrypting these keys is difficult, the possibility of a full database dump means that certificate-based authentication could be compromised.
Impact on Supply-Chain and Brand Security
Exploitation of MDM solutions represents a significant supply-chain risk. Because EPMM is integrated deeply into both internal networks and external mobile devices, it acts as a bridge. A compromised MDM server can be used to pivot to internal resources, especially through Sentry, which is designed to tunnel traffic from mobile devices to internal assets.
Organizations must consider how these vulnerabilities affect their overall risk profile. Threat actors often monitor such vulnerabilities to facilitate data theft, which subsequently leads to information being traded on the dark web. Utilizing a dark web monitoring service can help identify if corporate credentials or internal configurations related to Ivanti systems have been leaked.
Similarly, real-time ransomware intelligence suggests that initial access gained through RCE flaws is a common precursor to large-scale encryption events. Identifying these threats early through underground intelligence is essential for proactive defense.
Mitigation and Remediation Strategies
Ivanti has provided RPM scripts to mitigate the vulnerabilities for specific versions of EPMM (12.5.x, 12.6.x, and 12.7.x). These scripts are intended as a temporary measure until a permanent fix is released in EPMM version 12.8.0.0, scheduled for later in 2026.
It is critical to understand that these hotfixes do not survive a version upgrade. If an administrator upgrades the appliance to a newer (but still vulnerable) version, the RPM script must be reapplied.
If exploitation is confirmed, cleaning the system is not considered a reliable remediation path. The recommended procedure is to:
- Restore the EPMM appliance from a known-good backup created before the date of exploitation.
- If a clean backup is unavailable, the appliance must be rebuilt from scratch and the data migrated.
- Post-restoration actions must include a total reset of all local accounts, LDAP/KDC service accounts, and any service accounts configured within the solution.
- Public certificates used for the EPMM instance must be revoked and replaced.
Practical Takeaways for Technical Teams
- Immediate Mitigation: Apply the Ivanti-provided RPM script that matches the EPMM version in use, and reapply it after any upgrade to a version that is still within the vulnerable range.
- Log Audit: Execute the provided regex against Apache access logs. Prioritize off-device logs to ensure data integrity.
- Sentry Review: Inspect Sentry logs for unusual lateral movement or reconnaissance activity targeting internal network segments.
- Credential Rotation: Rotate the passwords for service accounts that interface with EPMM.
- Network Segmentation: Ensure the EPMM appliance is restricted within a DMZ and its access to the internal network is limited.
Practical Takeaways for Business Leaders
- Verification Policy: Reinforce policies regarding the verification of mobile configuration changes.
- Supply-Chain Awareness: Include MDM systems in annual supply-chain information security monitoring assessments.
- Incident Response Readiness: Ensure that the incident response plan specifically covers the compromise of mobile infrastructure.
- Information Monitoring: Use brand leak alerting services to detect if sensitive corporate data appears on underground platforms.
PurpleOps Expertise and Integration
At PurpleOps, we provide the technical infrastructure and intelligence required to navigate complex vulnerability disclosures like those affecting Ivanti EPMM. Our approach integrates multiple layers of detection and response to ensure that zero-day exploits do not lead to a total system compromise.
Our team simulates these types of code-injection attacks against your infrastructure to identify weaknesses before an attacker does. For more information on how to protect your mobile infrastructure or to learn more about our platform, contact the PurpleOps Solutions team.
Frequently Asked Questions
Which versions of Ivanti EPMM are affected by these CVEs?
Versions 12.5.x, 12.6.x, and 12.7.x are vulnerable. Ivanti recommends applying RPM scripts immediately for these versions.
Does the RPM script survive a version upgrade?
No. If you upgrade to a newer version that is still within the vulnerable range, you must reapply the RPM script to remain protected.
What is the primary risk of an EPMM compromise?
Since EPMM is an MDM hub, an attacker gains full RCE, allowing them to steal device metadata, GPS locations, and potentially push malicious apps or configurations to all managed mobile devices.
When will a permanent fix be available?
Ivanti plans to release a permanent fix in EPMM version 12.8.0.0, which is scheduled for release later in 2026.