January blues return as Ivanti coughs up exploited EPMM zero-days
Summary
Ivanti has released patches for two critical zero-day vulnerabilities in Endpoint Manager Mobile (EPMM): CVE-2026-1281 and CVE-2026-1340. Both are rated CVSS 9.8 and allow unauthenticated remote code execution. Ivanti says a very limited number of customers had been exploited in the wild at the time of disclosure.
The bugs can enable lateral movement, privilege escalation, deployment of backdoors or web shells, and access to certain data (including basic admin/user info, phone numbers and GPS locations). Reliable indicators of compromise are scarce, but Ivanti has published technical guidance for detection and response.
Ivanti’s recommended response is to restore from backups or build replacement EPMM devices and migrate data after patching; simply applying the patch may not be sufficient for instances that were internet‑exposed and potentially compromised.
Key Points
- Two EPMM zero-days (CVE-2026-1281, CVE-2026-1340) permit unauthenticated remote code execution; both rated CVSS 9.8.
- Ivanti confirms a very limited number of in‑the‑wild exploitations at time of disclosure.
- Exploitation can lead to lateral movement, admin takeover, web shells/backdoors, and exposure of device/user data (phone numbers, GPS).
- Threat hunters should review the Apache access logs, focusing on the In‑House Application Distribution and Android File Transfer Configuration endpoints; suspicious requests may return 404 where legitimate traffic returns 200.
- Look for POST requests to error pages (e.g. 401.jsp), unexpected WAR/JAR files, and any outbound connections from EPMM (it normally does not initiate them).
- Ivanti advises restoration from backups or rebuilding instances and migrating data; patching alone may not remove active backdoors.
- Organisations running EPMM, especially in high‑value sectors, should assume compromise of internet‑exposed instances and initiate their incident response process.
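As an added example (not part of the Register article or of Ivanti's guidance), the Python script below applies two of the log clues above to a constructed set of Apache access-log lines: POST requests to a status-named error page such as 401.jsp, and 404 responses on the watched endpoints, reported next to the 200s that legitimate clients produce. The endpoint path fragments (/inhouse-app/, /android-file-transfer/) are placeholders, and the assumption that error pages are named <status>.jsp is mine; substitute the exact paths from Ivanti's detection guidance. The WAR/JAR-file and outbound-connection checks are host-level rather than log-level and are not covered here.

```python
"""
Triage Apache access-log lines for two of the EPMM hunting clues:
  * POST requests to an error page such as 401.jsp
  * 404 responses on the watched endpoints, where legitimate traffic
    normally gets 200
Added illustration only; not Ivanti's guidance or tooling.
"""
import re
from collections import Counter, defaultdict

# Apache common/combined log format. The regex is not anchored at the end
# of the line, so the trailing referer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# HYPOTHETICAL path fragments standing in for the In-House Application
# Distribution and Android File Transfer Configuration endpoints. Replace
# them with the exact paths from Ivanti's detection guidance.
WATCHED_ENDPOINTS = {
    "in_house_app_distribution": "/inhouse-app/",
    "android_file_transfer_config": "/android-file-transfer/",
}

# Assumption: error pages are JSPs named after an HTTP status. 401.jsp is
# the one the guidance cites; the pattern generalises to 403.jsp etc.
ERROR_PAGE_RE = re.compile(r"/\d{3}\.jsp$")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path_only"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def watched_endpoint(path):
    """Name of the watched endpoint this path belongs to, or None."""
    for name, fragment in WATCHED_ENDPOINTS.items():
        if fragment in path:
            return name
    return None


def triage(lines):
    """Scan log lines and return (findings, baseline).

    findings: list of dicts, one per suspicious request, in log order.
    baseline: endpoint name -> Counter of status codes, so the 404s can be
              read next to the 200s that legitimate clients produce.
    """
    findings = []
    baseline = defaultdict(Counter)
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # not an access-log line; skip rather than crash
        # Clue 1: POST to an error page such as 401.jsp.
        if rec["method"] == "POST" and ERROR_PAGE_RE.search(rec["path_only"]):
            findings.append({"line": lineno, "ip": rec["ip"], "kind": "post_to_error_page",
                             "path": rec["path_only"], "status": rec["status"]})
        # Clue 2: 404 on a watched endpoint where legitimate traffic gets 200.
        endpoint = watched_endpoint(rec["path_only"])
        if endpoint is not None:
            baseline[endpoint][rec["status"]] += 1
            if rec["status"] == 404:
                findings.append({"line": lineno, "ip": rec["ip"], "kind": "watched_endpoint_404",
                                 "path": rec["path_only"], "status": 404, "endpoint": endpoint})
    return findings, baseline


def suspects(findings):
    """Client IPs with their finding counts, for pivoting into other logs."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample log (not real EPMM traffic): two legitimate clients on
# 10.0.0.0/8 and one external probe from 203.0.113.7. The last line is
# deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jan/2026:09:12:01 +0000] "GET /inhouse-app/distribute HTTP/1.1" 200 1532 "-" "EPMM-Client/1.0"
203.0.113.7 - - [30/Jan/2026:09:13:44 +0000] "GET /inhouse-app/distribute?probe=1 HTTP/1.1" 404 212 "-" "python-requests/2.31"
203.0.113.7 - - [30/Jan/2026:09:13:45 +0000] "POST /401.jsp HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.0.6 - - [30/Jan/2026:09:15:10 +0000] "GET /android-file-transfer/config HTTP/1.1" 200 804 "-" "EPMM-Client/1.0"
203.0.113.7 - - [30/Jan/2026:09:16:02 +0000] "POST /android-file-transfer/config HTTP/1.1" 404 212 "-" "python-requests/2.31"
198.51.100.9 - - [30/Jan/2026:09:17:30 +0000] "GET /401.jsp HTTP/1.1" 200 1290 "-" "Mozilla/5.0"
this line is not in Apache access-log format and is skipped
"""

if __name__ == "__main__":
    found, base = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"line {f['line']}: {f['kind']} from {f['ip']} {f['path']} -> {f['status']}")
    for name, codes in base.items():
        print(f"{name}: {dict(codes)}")
    print("suspects:", suspects(found))
```

On real data, feed `triage()` the lines of the EPMM Apache access log (or its rotated copies) and pivot from `suspects()` into the file-system checks: unexpected WAR/JAR files and outbound connections originating from the appliance. A GET to 401.jsp is not flagged, because the clue is the POST; a plain browse to an error page is normal.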
Why should I read this?
Short version: if you run Ivanti EPMM, stop what you’re doing and check it now. These are unauthenticated RCEs being exploited in the wild; patches exist, but attackers may already have left backdoors. We’ve read the advisories and pulled the crucial detection clues and response options together so you don’t have to — quick, actionable intel to act on immediately.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/01/30/ivanti_epmm_zero_days/
