IT software company Ivanti released patches for its Endpoint Manager Mobile (EPMM) product to fix two new remote code execution vulnerabilities already under attack in the wild.
“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” the company said in a security advisory that identifies the new flaws as CVE-2026-1281 and CVE-2026-1340.
Both issues are described by Ivanti as code injection issues that can be exploited without authentication and are rated 9.8 out of 10 on the CVSS severity scale. The flaws involve EPMM’s In-House Application Distribution and Android File Transfer Configuration features.
Stand-alone patches and exploit details available
Ivanti has not released new fully patched versions of EPMM, but rather version-specific stand-alone patches that need to be applied manually. The patches are packaged as rpm files and can be installed with the install rpm url [patch_url] command.
The RPM_12.x.0.x patch is applicable to EPMM software versions 12.5.0.x, 12.6.0.x, and 12.7.0.x. It is also compatible with the older 12.3.0.x and 12.4.0.x versions. Meanwhile the RPM_12.x.1.x patch is applicable to versions 12.5.1.0 and 12.6.1.0.
“The RPM script does not survive a version upgrade,” the company warns. “If after applying the RPM script to your appliance, you upgrade to a new version you will need to reinstall the RPM. The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0.”
While the Ivanti Sentry gateway product that secures traffic between mobile devices and back-end enterprise systems is not directly affected by these vulnerabilities, EPMM appliances do have command execution permission on Sentry gateways. As such, if an EPMM deployment has been compromised, the attackers might have compromised Ivanti Sentry as well.
Researchers from penetration testing firm WatchTowr reverse engineered the patches and were able to figure out where the vulnerabilities are located and how to exploit them. A detailed write-up is available on the company’s blog.
Exploit detection and remediation
Ivanti published a separate document with guidance on how to scan EPMM appliances for potential compromise through these vulnerabilities. First off, the Apache Access Log found at /var/log/httpd/https-access_log could have evidence of attempted or successful execution of these vulnerabilities.
The company advises triaging logs with the ^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404 regular expression and looking for HTTP 404 error response codes as well as GET requests with parameters that have bash commands.
“The most common is the introduction of, or modification of, malicious files to introduce web shell capabilities,” the company said. “Ivanti has commonly seen these changes target HTTP error pages, such as 401.jsp. Any requests to these pages with POST methods or with parameters should be considered highly suspicious. Analysts who are performing forensic inspection of the disk should also review for unexpected WAR or JAR files being introduced to the system.”
One thing to note is that attackers regularly delete logs to hide their tracks and that on systems with high utilization the logs might be rotated multiple times a day. That’s why customers are strongly advised to use the Data Export features to forward logs from the EPMM appliance to their SIEM system or other log aggregators.
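The triage described above, applied to a few constructed https-access_log lines, as an added example (not Ivanti's code or tooling): it runs the regex from the guidance, flags decoded query strings that carry shell metacharacters, and flags POST or parameterised requests to error pages such as 401.jsp. The log line layout (client:port first, then the usual Apache fields) and the metacharacter heuristic are assumptions.

```python
import re
from urllib.parse import unquote

# Triage regex from Ivanti's guidance: non-loopback requests to the
# affected aftstore/appstore "fob" endpoints that ended in a 404.
IVANTI_TRIAGE_RE = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404")

# Assumed line layout: 'client:port - - [ts] "METHOD target HTTP/x" status size'
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Heuristic (assumption) for shell syntax smuggled into query parameters.
SHELL_META_RE = re.compile(r"\$\(|`|\|\||;|&&|\bbash\b")

# 401.jsp is named by Ivanti; the other error pages are an assumption.
ERROR_PAGES = ("401.jsp", "403.jsp", "404.jsp", "500.jsp")

# Constructed sample lines (not real traffic); line 1 is loopback noise.
SAMPLE_LOG = [
    '127.0.0.1:51234 - - [10/Feb/2026:10:00:00 +0000] "GET /mifs/c/aftstore/fob/x HTTP/1.1" 404 0',
    '203.0.113.7:44012 - - [10/Feb/2026:10:00:01 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 0',
    '198.51.100.9:50110 - - [10/Feb/2026:10:00:02 +0000] "GET /mifs/c/aftstore/fob/?f=%24%28PLACEHOLDER%29 HTTP/1.1" 404 0',
    '198.51.100.9:50111 - - [10/Feb/2026:10:00:03 +0000] "POST /mifs/401.jsp HTTP/1.1" 200 512',
    '203.0.113.50:40001 - - [10/Feb/2026:10:00:04 +0000] "GET /mifs/login.jsp?lang=en HTTP/1.1" 200 1234',
]


def classify(line):
    """Return the reasons a single access-log line is suspicious (empty list = clean)."""
    reasons = []
    if IVANTI_TRIAGE_RE.search(line):
        reasons.append("ivanti-regex-404-on-fob-endpoint")
    m = REQUEST_RE.match(line)
    if not m:
        return reasons  # unparseable line: keep whatever the regex found
    method, target = m.group("method"), m.group("target")
    path, _, query = target.partition("?")
    if query and SHELL_META_RE.search(unquote(query)):
        reasons.append("shell-metacharacters-in-query")
    page = path.rsplit("/", 1)[-1]
    if page in ERROR_PAGES and (method == "POST" or query):
        reasons.append("error-page-" + ("post" if method == "POST" else "params"))
    return reasons


def triage(lines):
    """(line number, reasons) for every line that raised at least one flag."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify(line))]


if __name__ == "__main__":
    for n, reasons in triage(SAMPLE_LOG):
        print(n, ", ".join(reasons))
```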
For any appliance that you suspect may be impacted, Ivanti recommends reviewing:
- EPMM administrators for new or recently changed administrators
- Authentication configuration, including SSO and LDAP settings
- New pushed applications for mobile devices
- Configuration changes to applications you push to devices, including in-house applications
- New or recently modified policies
- Network configuration changes, including any network configuration or VPN configuration you push to mobile devices
After restoring a compromised EPMM appliance from clean backups, customers should reset the password of any local EPMM accounts, reset the password of any LDAP and/or KDC service accounts used to perform lookups, revoke and replace the public certificate used on the EPMM deployment and reset the password for any other internal or external service accounts configured on the EPMM solution.
Because EPMM has command execution on Sentry and Sentry is a product that routes traffic from mobile devices to internal network systems, the systems that Sentry can access should also be reviewed for signs of compromise.