PROBABLYPWNED
Vulnerabilities | January 30, 2026 | 4 min read

Ivanti EPMM Zero-Days Under Attack, CISA Sets Friday Deadline

Two critical code injection flaws in Ivanti Endpoint Manager Mobile enable unauthenticated RCE. Federal agencies must remediate by February 1.

Marcus Chen

Ivanti disclosed two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product on Thursday, both under active exploitation. CISA responded within hours by adding one of the flaws to its Known Exploited Vulnerabilities catalog, giving federal agencies until tomorrow—February 1—to apply mitigations or pull affected systems offline.

The vulnerabilities, CVE-2026-1281 and CVE-2026-1340, are code injection flaws that allow unauthenticated attackers to execute arbitrary code on vulnerable EPMM installations. Both carry CVSS scores of 9.8.

What's Being Exploited

The flaws affect two features in EPMM's on-premises deployments:

  • In-House Application Distribution - Used by organizations to deploy internal apps to managed devices
  • Android File Transfer Configuration - Handles file synchronization between the server and Android endpoints

Ivanti's advisory confirms active exploitation: "We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure."

The attacks have been traced back to before Ivanti became aware of the vulnerabilities—making these true zero-days rather than n-days exploited post-patch. Organizations running EPMM should assume they've been targeted and hunt for indicators of compromise, not just patch and move on.

The Data at Risk

Successful exploitation gives attackers control over the EPMM appliance itself. From there, they can access:

  • Administrator and user account credentials
  • Email addresses and usernames for all managed devices
  • Phone numbers, IP addresses, and device identifiers (IMEI, MAC addresses)
  • Complete inventory of installed applications on managed devices
  • GPS coordinates and cell tower location data (if location tracking is enabled)

For organizations using EPMM to manage employee mobile devices, that's a substantial cache of sensitive information. An attacker who compromises the MDM server effectively gains visibility into the entire mobile fleet.

The flaws also allow attackers to modify authentication settings—meaning they could potentially lock out legitimate administrators or create persistent access through configuration changes.

Affected Versions

Vulnerable EPMM releases include:

  • 12.5.0.x
  • 12.5.1.0
  • 12.6.0.x
  • 12.6.1.0
  • 12.7.0.x

Cloud-hosted Ivanti Neurons for MDM is not affected. Neither is Ivanti Endpoint Manager (the desktop/laptop product with a confusingly similar name), Ivanti Sentry, or other Ivanti products.

Temporary Patches Available Now

Ivanti has released RPM-based hotfixes that can be applied without downtime. The company emphasizes these are provisional—the permanent fix will ship in EPMM version 12.8.0.0, expected later in Q1 2026.

One important caveat: the RPM script doesn't survive version upgrades. If you apply the hotfix and later upgrade to a new EPMM version before 12.8.0.0 releases, you'll need to reinstall the RPM.

Post-Compromise Guidance

If evidence suggests attackers achieved code execution on your EPMM appliance, Ivanti recommends either:

  1. Restoring from a known-good backup taken before compromise
  2. Rebuilding the EPMM appliance from scratch and migrating data

Simply patching a compromised system isn't sufficient—attackers may have established persistence, created backdoor accounts, or modified configurations in ways the hotfix won't address.

Additionally, organizations should reset all local and service account credentials after remediation. If attackers accessed the appliance, they likely harvested stored credentials.

Why MDM Servers Keep Getting Hit

This isn't Ivanti's first mobile management security crisis. The company faced similar scrutiny when attackers exploited vulnerabilities in competing MDM products earlier this month.

MDM servers make attractive targets for several reasons. They typically have network access to reach managed devices across an organization. They store credentials and configuration data for large device fleets. And they often run with elevated privileges that attackers can leverage for lateral movement.

The pattern isn't unique to Ivanti. Organizations running any MDM solution should treat these systems as high-value targets requiring aggressive patch management and monitoring.

Immediate Actions

  1. Verify your deployment model - Cloud-hosted Ivanti Neurons is unaffected
  2. Check EPMM versions - Apply the RPM hotfix if running one of the vulnerable releases listed above
  3. Hunt for compromise - Search Apache logs for exploitation indicators before assuming you're clean
  4. Prepare for the permanent fix - Plan to upgrade to 12.8.0.0 when it releases

For organizations that can't immediately patch, consider temporarily restricting network access to the EPMM appliance while implementing compensating controls.

NHS England issued an alert to healthcare organizations Thursday, underscoring the urgency given how many hospitals rely on mobile device management for clinical workflows.
