Executive Summary:
• Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, putting enterprise mobile fleets and corporate networks at risk.
• These vulnerabilities allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials.
• Unit 42 has observed widespread exploitation of these vulnerabilities, including:
  - Establishing a reverse shell
  - Installing web shells
  - Conducting reconnaissance
  - Downloading malware
• This campaign also affected the following sectors in the United States, Germany, Australia and Canada:
  - State and local government
  - Healthcare
  - Manufacturing
  - Professional and legal services
  - High technology
• Due to the severity of the threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) Catalog.
• Threat actors are accelerating operations, moving from initial reconnaissance to deploying dormant backdoors designed to maintain long-term access even after organizations apply patches.
• Palo Alto Networks Cortex Xpanse has identified over 4,400 EPMM instances in our telemetry.
Article Summaries:
- Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) are actively exploited, enabling unauthenticated attackers to execute arbitrary code on MDM servers. Unit 42 reports attackers establishing reverse shells, installing web shells, conducting reconnaissance, and downloading malware. The attacks have impacted U.S., German, Australian, and Canadian sectors, including government, healthcare, manufacturing, legal, and high-tech firms. The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog. Ivanti recommends applying RPM 12.x.0.x or 12.x.1.x patches, which require no downtime. Palo Alto Networks highlights its products (Advanced URL Filtering, DNS Security, Cortex Xpanse, and Next-Generation Firewall) as protective measures.
Sources:
- https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/ (Latest source article published: 2026-02-17 20:35 UTC)