Your mobile device management system might be under attack right now, and you wouldn’t even know it. Ivanti has sounded the alarm about two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) solution, identified as CVE-2026-1281 and CVE-2026-1340, which have been actively exploited in zero-day attacks. But here's where it gets controversial: despite the severity of these flaws, only one has been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, leaving many to wonder why the other was left out. Could this oversight put organizations at greater risk? Let’s dive in.
These vulnerabilities are not your run-of-the-mill bugs—they’re code-injection flaws that allow remote attackers to execute arbitrary code on vulnerable devices without needing authentication. Both carry a CVSS score of 9.8, making them as critical as it gets. Ivanti has confirmed that a small number of customers have already fallen victim to these exploits, though the exact scale remains unclear. The company has released RPM scripts to mitigate the risks for affected EPMM versions, emphasizing that applying these hotfixes requires no downtime and has no functional impact. However, there’s a catch: these hotfixes are temporary and must be reapplied if the appliance is upgraded before a permanent fix is available. And this is the part most people miss: the vulnerabilities won’t be fully resolved until EPMM version 12.8.0.0, slated for release in Q1 2026.
So, what’s at stake? A successful exploit could grant attackers access to a treasure trove of sensitive data stored on the EPMM platform. This includes administrator and user credentials, email addresses, and details about managed mobile devices, such as phone numbers, IP addresses, installed apps, and unique identifiers like IMEI and MAC addresses. If location tracking is enabled, even GPS coordinates and cell tower data could be exposed. Worse, attackers could use the EPMM API or web console to alter device configurations, including authentication settings, potentially locking out legitimate users or creating backdoors for future attacks.
Ivanti has provided technical guidance to help administrators detect exploitation attempts, which are logged in the Apache access log at /var/log/httpd/https-access_log. The company shared a regular expression to identify suspicious activity: ^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404. This expression flags external requests to vulnerable endpoints that return 404 HTTP errors—a strong indicator of exploitation attempts. However, Ivanti warns that once a device is compromised, attackers can tamper with logs to cover their tracks, making off-device logs a more reliable source for investigation.
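To show how Ivanti's published regular expression behaves against access-log lines, here is a small Python triage script. It is an added example, not Ivanti's tooling; the log lines are constructed for illustration and assume the client address and port form the first field, as the regex itself implies (the real EPMM log format may differ).

```python
import re
from collections import Counter

# The regular expression Ivanti published for the EPMM Apache access log,
# copied verbatim from the guidance quoted above.
IVANTI_EPMM_PATTERN = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# Constructed sample lines (not real EPMM output). Assumed layout: the first
# field is client_ip:port, followed by a combined-log-style request record.
SAMPLE_LOG = """\
127.0.0.1:51234 - - [20/Jan/2026:10:00:01 +0000] "GET /mifs/c/aftstore/fob/health HTTP/1.1" 404 312 "-" "curl/8.0"
203.0.113.7:44120 - - [20/Jan/2026:10:00:05 +0000] "GET /mifs/c/appstore/fob/x HTTP/1.1" 404 312 "-" "python-requests/2.31"
203.0.113.7:44121 - - [20/Jan/2026:10:00:06 +0000] "GET /mifs/c/aftstore/fob/y HTTP/1.1" 404 312 "-" "python-requests/2.31"
198.51.100.9:50001 - - [20/Jan/2026:10:01:00 +0000] "GET /mifs/c/appstore/fob/z HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9:50002 - - [20/Jan/2026:10:01:10 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9:50003 - - [20/Jan/2026:10:01:20 +0000] "GET /mifs/c/aftstore/fob/w HTTP/1.1" 200 4040 "-" "Mozilla/5.0"
"""


def find_suspicious(lines):
    """Return every line Ivanti's regex flags (external hit on the endpoint
    followed somewhere by the digits 404)."""
    return [line for line in lines if IVANTI_EPMM_PATTERN.search(line)]


def hits_by_source(lines):
    """Count flagged requests per client address so repeat probing stands out."""
    counts = Counter()
    for line in find_suspicious(lines):
        counts[line.split(":", 1)[0]] += 1
    return counts


def main():
    lines = SAMPLE_LOG.splitlines()
    # Local request (line 1), 200 response without "404" (line 4) and an
    # unrelated path (line 5) are ignored; line 6 is flagged only because
    # "404" appears inside the byte count 4040, so hits need manual review.
    for src, n in hits_by_source(lines).most_common():
        print(f"{src}: {n} flagged request(s)")


if __name__ == "__main__":
    main()
```

Because the pattern ends in `.*?404`, it matches the digits 404 anywhere after the endpoint path, not only in the status field, so treat hits as leads to review rather than confirmed exploitation, and run it against off-device log copies where possible.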
If you suspect your system has been compromised, Ivanti advises against simply cleaning it. Instead, restore EPMM from a backup taken before the exploitation occurred or rebuild the appliance and migrate data to a new system. Afterward, take these critical steps: reset passwords for local EPMM accounts, LDAP/KDC service accounts, and any other internal or external service accounts tied to the solution. Also, revoke and replace the public certificate used for your EPMM. While these vulnerabilities specifically target EPMM, Ivanti recommends reviewing Sentry logs as well, as Sentry can tunnel traffic from mobile devices to internal network assets, potentially enabling lateral movement by attackers.
The inclusion of CVE-2026-1281 in CISA’s KEV catalog underscores the urgency of addressing these flaws. Federal civilian agencies have until February 1, 2026, to apply mitigations or discontinue use of vulnerable systems under Binding Operational Directive 22-01. Yet, the exclusion of CVE-2026-1340 from the catalog raises questions about the consistency of threat assessments. BleepingComputer reached out to Ivanti for clarification, but the reason remains unclear. This inconsistency highlights the challenges organizations face in prioritizing security patches in an increasingly complex threat landscape.
In September, CISA published an analysis of malware kits deployed in attacks exploiting two other Ivanti EPMM zero-days, which were patched in May 2025 but had also been actively exploited. This pattern suggests that Ivanti’s solutions may be a recurring target for attackers, making proactive security measures even more critical.
Thought-provoking question for you: Given the recurring exploits in Ivanti’s EPMM solution, should organizations reconsider their reliance on such centralized management systems, or is the risk manageable with timely patching and vigilant monitoring? Share your thoughts in the comments below.
For those looking to strengthen their security posture, resources like the Secrets Security Cheat Sheet (https://www.wiz.io/lp/secrets-security-cheat-sheet) offer practical guidance on managing sensitive data and securing AI-generated code. Whether you’re cleaning up old keys or setting guardrails for new projects, this guide can help your team build securely from the start. Don’t wait until it’s too late—take control of your security today.