Cybersecurity

Cyber: Two Ivanti Epmm Zero-day RCE Flaws Actively Exploited, Security...

2026-01-30 0 views admin
Cyber: Two Ivanti Epmm Zero-day RCE Flaws Actively Exploited, Security...

Ivanti has rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks, one of which has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog.

The critical-severity vulnerabilities are listed below -

However, it bears noting that the RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities will be permanently addressed in EPMM version 12.8.0.0, which will be released later in Q1 2026.

"We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," Ivanti said in an advisory, adding it does not have enough information about the threat actor tactics to provide proven, reliable atomic indicators."

The company noted that CVE-2026-1281 and CVE-2026-1340 affect the In-House Application Distribution and the Android File Transfer Configuration features. These shortcomings do not affect other products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry.

In a technical analysis, Ivanti said it has typically seen two forms of persistence based on prior attacks targeting older vulnerabilities in EPMM. This includes deploying web shells and reverse shells for setting up persistence on the compromised appliances.

"Successful exploitation of the EPMM appliance will enable arbitrary code execution on the appliance," Ivanti noted. "Aside from lateral movement to the connected environment, EPMM also contains sensitive information about devices managed by the appliance."

Users are advised to check the Apache access log at "/var/log/httpd/https-access_log" to look for signs of attempted or successful exploitation using the below regular expression (regex) pattern -

"Legitimate use of these capabilities will result in 200 HTTP response codes in the Apache Access Log, whereas successful or attempted exploitation will cause 404 HTTP response codes," it explained.

In addition, customers are being asked to review the following to look for any evidence of unauthorized configuration changes -

Source: The Hacker News

🏷️ Tags

cybersecuritysecuritycveattackthreat

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views