Ivanti EPMM: CVE-2026-1281/1340 actively exploited
Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core) is affected by two critical vulnerabilities (CVE-2026-1281, CVE-2026-1340; CVSS 9.8). According to the vendor and the BSI, at least CVE-2026-1281 is being actively exploited. Following the publication of technical details and PoC-related analyses, exploitation activity increased significantly. For affected organizations, patching alone is not enough: in addition to the updates, a compromise assessment, robust telemetry and SOC playbooks are required.
- What happened?
- Technical classification (CVE/CVSS/exploit status)
- Affected systems
- Attack scenario
- SOC & Detection perspective
- Recommendations for action
- Enterprise Risk Matrix
- Sources
What happened?
On January 29, 2026, Ivanti published an advisory on two critical vulnerabilities in its mobile device management solution Endpoint Manager Mobile (EPMM). The BSI CERT-Bund reports that the vulnerabilities allow code execution by a remote, unauthenticated attacker and have been rated "critical" with a CVSS 3.1 score of 9.8. Ivanti states that CVE-2026-1281 has already been exploited against a limited number of customers. Further exploitation activity has been observed following the publication of technical analyses and PoC-related information.
Technical classification (CVE/CVSS/exploit status)
Vulnerabilities at a glance
- CVE-2026-1281 - CVSS 3.1: 9.8 (critical), Pre-Auth Remote Code Execution, active exploitation documented.
- CVE-2026-1340 - CVSS 3.1: 9.8 (critical), published in the same advisory.
For defenders, the combination of perimeter exposure (EPMM is often publicly accessible) and a high level of trust (MDM/UEM as a central control platform) is crucial. The BSI points out that payloads and IoCs vary; however, .jsp files that act as an in-memory class loader have been observed repeatedly. Experience shows that purely IoC-based measures are therefore not sufficient.
Affected systems
Ivanti Endpoint Manager Mobile (EPMM) is affected - especially instances that are accessible from the Internet or from untrusted network segments. EPMM appliances can also contain sensitive information about managed devices, which further increases their attractiveness as an initial access target.
Attack scenario
A typical attack pattern in this context includes:
- Scanning for EPMM instances and vulnerable endpoints
- Pre-Auth Exploitation (RCE) and initial code execution
- Placement or preparation of access points (e.g. web or in-memory loader mechanism)
- Follow-on: Lateral movement, credential access, data access, persistence
SOC & Detection perspective
Log indicators (practical)
- Web/proxy logs: conspicuous requests to EPMM-specific paths (e.g. /mifs-like structures), unusual parameter lengths/special characters, 4xx/5xx spikes within a short time.
- File/webroot artifacts: new/unusual .jsp files, unexpected write operations in web/app directories, deviations from baselines.
- DNS/egress: unexpected DNS requests or outgoing traffic from the appliance to unknown destinations.
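To make the web/proxy log indicators above concrete, the following added example (not from the original article or from Ivanti/BSI) runs three checks over constructed combined-format access-log lines: long query strings on /mifs paths, shell/expression metacharacters in the query, and 4xx/5xx bursts per source IP. The log format regex, the /mifs prefix, the thresholds and the sample hosts are assumptions to be tuned to the real appliance or reverse-proxy logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical combined-log-format parser; adapt the regex to the real proxy/appliance format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

EPMM_PATH_RE = re.compile(r"^/mifs")                              # EPMM-specific path prefix
METACHARS_RE = re.compile(r"[;|$`(){}<>']|%24|%28|%3B|%7C|%60")   # metacharacters, raw or URL-encoded
MAX_QUERY_LEN = 200                                               # assumed baseline, tune per environment
ERROR_WINDOW = timedelta(seconds=60)
ERROR_THRESHOLD = 5                                               # 4xx/5xx hits per IP per window

# Constructed sample lines: hosts, paths and timestamps are made up for this example.
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Jan/2026:10:00:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1834',
    '203.0.113.10 - - [30/Jan/2026:10:00:05 +0000] "GET /mifs/c/d?s=' + "A" * 250 + '%3B%24 HTTP/1.1" 500 0',
] + [
    f'203.0.113.10 - - [30/Jan/2026:10:00:{10 + i:02d} +0000] "GET /mifs/x{i} HTTP/1.1" 404 0'
    for i in range(6)
]

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def analyze(lines):
    """Return (rule, source_ip, detail) findings for the log indicators described above."""
    findings, errors = [], defaultdict(list)
    for line in lines:
        rec = parse(line)
        if not rec or not EPMM_PATH_RE.match(rec["path"]):
            continue
        path, _, query = rec["path"].partition("?")
        if len(query) > MAX_QUERY_LEN:
            findings.append(("long_query", rec["ip"], f"{path} query_len={len(query)}"))
        if METACHARS_RE.search(query):
            findings.append(("metachars", rec["ip"], path))
        if rec["status"] >= 400:
            errors[rec["ip"]].append(rec["ts"])
    for ip, stamps in errors.items():
        stamps.sort()
        for i, t in enumerate(stamps):  # sliding window over sorted error timestamps
            n = sum(1 for u in stamps[i:] if u - t <= ERROR_WINDOW)
            if n >= ERROR_THRESHOLD:
                findings.append(("error_burst", ip, f"{n} 4xx/5xx within {ERROR_WINDOW.seconds}s"))
                break
    return findings

if __name__ == "__main__":
    for rule, ip, detail in analyze(SAMPLE_LOG):
        print(f"{rule:12} {ip:15} {detail}")
```

Findings should be correlated with the file/webroot and DNS/egress indicators rather than treated as proof of compromise on their own.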
MITRE ATT&CK (excerpt)
- T1190 Exploit Public-Facing Application
- T1505.003 Web Shell (for JSP artifacts)
- T1021 Remote Services (Lateral Movement)
Recommendations for action
Priority 1: Patch / Mitigation
Updates and manufacturer recommendations should be implemented immediately - especially in the case of Internet exposure. Where patching is not possible in the short term, mitigations should be implemented strictly according to the manufacturer/BSI.
Priority 2: Compromise check
Due to active exploitation, "patch and move on" is not sufficient. The BSI refers to a detection script (developed in cooperation with NCSC-NL) that has been updated; the latest version should be run to find indications of compromise. In addition, logs should be reviewed retrospectively.
Priority 3: Reduce exposure & increase monitoring
- Admin access only from dedicated networks/VPN, hard segmentation
- Expose only necessary endpoints, reverse proxy/WAF with comprehensive logging
- Central correlation of HTTP logs, system/appliance logs and DNS/egress
Enterprise Risk Matrix
Rating
- Technical criticality: Critical - Pre-Auth RCE on MDM/UEM appliance
- Exploit availability: Active / close to PoC - confirmed exploitation + public technical analyses
- Business Impact: High to Critical - potential access to MDM-relevant data/workflows
- Probability of occurrence: High (on exposure) - observed scans/exploitation waves
- Overall risk: Critical
Sources
- BSI CERT-Bund - "Ivanti EPMM - Active attacks via zero-day vulnerabilities observed" (2026) - https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2026/2026-221601-1032.html
- watchTowr Labs - technical analysis (30.01.2026) - https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/
- Help Net Security - "Ivanti EPMM exploitation: Researchers warn of 'sleeper' webshells" (11.02.2026) - https://www.helpnetsecurity.com/2026/02/11/ivanti-epmm-sleeper-webshell/
