CVE-2026-1281 and CVE-2026-1340 Affecting Ivanti Endpoint Manager Mobile (EPMM)

Security Advisory
January 30, 2026
Kudelski Security Team

Summary

This advisory addresses two critical vulnerabilities identified in Ivanti Endpoint Manager Mobile (EPMM), specifically CVE-2026-1281 and CVE-2026-1340. These vulnerabilities could potentially allow unauthorized access and control over affected systems, posing significant security risks to organizations utilizing this software.

Affected Systems and/or Applications

The vulnerabilities impact the following systems:

  • Ivanti Endpoint Manager Mobile (EPMM) versions prior to the latest security patch.
  • Any deployment of EPMM that has not yet applied the recommended security updates.

Table: Affected Versions

| Product Name | Affected Version(s) | Affected CPE(s) |
|---|---|---|
| Ivanti Endpoint Manager Mobile | 12.5.0.0 and prior; 12.6.0.0 and prior; 12.7.0.0 and prior | cpe:2.3:a:ivanti:endpoint_manager_mobile:12.7.0.0:*:*:*:*:*:*:* |
| Ivanti Endpoint Manager Mobile | 12.5.1.0 and prior; 12.6.1.0 and prior | cpe:2.3:a:ivanti:endpoint_manager_mobile:12.5.1.0:*:*:*:*:*:*:*; cpe:2.3:a:ivanti:endpoint_manager_mobile:12.6.1.0:*:*:*:*:*:*:* |

Technical Details

CVE-2026-1281 is a vulnerability that allows attackers to exploit a flaw in the authentication mechanism, potentially leading to unauthorized access to sensitive data and system controls. This vulnerability arises from improper validation of user credentials, which can be manipulated to bypass security checks.

CVE-2026-1340 is a code injection vulnerability in Ivanti Endpoint Manager Mobile that allows attackers to achieve unauthenticated remote code execution.

Impact

Successful exploitation of Ivanti Endpoint Manager Mobile (EPMM) may result in arbitrary code execution on the affected appliance. A compromised EPMM instance can be leveraged for **lateral movement** within the connected environment and provides attackers access to sensitive administrative, user, and device data.

Table: Potentially Exposed Information

| Category | Description |
|---|---|
| Information about the EPMM Administrator | First and Last Name; Business Email Address; Account Username |
| Information about a device user | Account Username; First and Last Name; Email Address; User Principal Name for Active Directory |
| Information about mobile devices | Phone number(s); Location of nearest cell tower; GPS location; Device Identifier (UUID or SSAID); International Mobile Equipment Identity (IMEI); iOS Integrated Circuit Card Identifier (ICCID); International Mobile Subscriber Identity (IMSI) or Mobile Equipment Identifier (MEID); Azure AD Device ID (Windows Devices Only); Wi‑Fi, Bluetooth, and E... |

Mitigation

To mitigate the risks associated with these vulnerabilities, it is crucial to take the following actions:

  1. Immediate Patch Application: Apply the latest security patches provided by Ivanti for EPMM to address these vulnerabilities. See the Patch Application table below.
  2. Follow Ivanti Analysis Guidance: see the Ivanti Analysis Guidance subsection below.
  3. Network Segmentation: Implement network segmentation to limit the exposure of EPMM systems to potential attackers.
  4. Access Controls: Strengthen access controls by enforcing strong authentication mechanisms and regularly reviewing user permissions.
  5. Monitoring and Logging: Enhance monitoring and logging to detect any suspicious activities that may indicate exploitation attempts.
  6. User Education: Educate users about the importance of security updates and the risks associated with these vulnerabilities.

Table: Patch Application

| Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|
| Ivanti Endpoint Manager Mobile | 12.5.0.0 and prior; 12.6.0.0 and prior; 12.7.0.0 and prior | RPM 12.x.0.x | https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0S-5.noarch.rpm |
| Ivanti Endpoint Manager Mobile | 12.5.1.0 and prior; 12.6.1.0 and prior | RPM 12.x.1.x | https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0L-5.noarch.rpm |

Ivanti Analysis Guidance

CVE-2026-1281 and CVE-2026-1340 impact the In-House Application Distribution and Android File Transfer Configuration features. Both attempted and successful exploitation is logged in the Apache Access Log (`/var/log/httpd/https-access_log`). Legitimate use of these features typically generates HTTP 200 responses, while exploitation attempts are associated with HTTP 404 responses. It is recommended to review these logs, with particular attention to GET requests containing parameters that include bash commands. The regular expression below can be used to assist with rapid triage of the log files.

Regular Expression for Log Triage

```regex
^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
```
Deployments that have been patched will generate legitimate heartbeat requests to the service. The above regular expression is written to exclude such events. An example of the heartbeat is below: 

```
127.0.0.1:33354 - - 2026-01-28--12-00-01 "GET /mifs/c/aftstore/fob/3/0/sha256:kid=0 HTTP/1.1" 404 
```
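As an added illustration (not part of Ivanti's guidance or this advisory), the following Python applies the triage regular expression above to constructed access-log lines and shows which events it keeps and which it excludes. It assumes every line follows the layout of the heartbeat example; the client addresses and query string in the sample are constructed placeholders.

```python
import re

# Ivanti's triage regex from the advisory, used unmodified. Note that the
# trailing ".*?404" matches the first "404" anywhere after the path, so a
# request target that itself contains "404" would also match (acceptable for
# triage, but worth knowing when reviewing hits).
TRIAGE_RE = re.compile(
    r'^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404')

# Field splitter for the log layout shown in the advisory's heartbeat example:
#   <client:port> - - <timestamp> "<method> <target> <proto>" <status>
# Assumption: the appliance log keeps this layout for every line.
LINE_RE = re.compile(
    r'^(?P<client>\S+) - - (?P<ts>\S+) "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def triage(lines):
    """Return one finding per line the advisory regex matches.

    Each finding records client, timestamp, method, request target and whether
    the target carries a query string, since the advisory asks for particular
    attention to GET requests whose parameters contain bash commands.
    """
    findings = []
    for line in lines:
        if not TRIAGE_RE.search(line):
            continue  # loopback heartbeat, non-404 response, or unrelated path
        m = LINE_RE.match(line)
        if not m:
            # Matched the triage pattern but not the expected layout: keep the
            # raw line rather than silently dropping a candidate.
            findings.append({"client": None, "ts": None, "method": None,
                             "target": None, "has_params": None, "raw": line})
            continue
        findings.append({
            "client": m["client"].rsplit(":", 1)[0],  # strip the source port
            "ts": m["ts"],
            "method": m["method"],
            "target": m["target"],
            "has_params": "?" in m["target"],
            "raw": line,
        })
    return findings

# Constructed sample lines (RFC 5737 documentation addresses; the query string
# is a placeholder, not a real request). Only the second line should be flagged.
SAMPLE_LOG = [
    '127.0.0.1:33354 - - 2026-01-28--12-00-01 "GET /mifs/c/aftstore/fob/3/0/sha256:kid=0 HTTP/1.1" 404',
    '203.0.113.10:51234 - - 2026-01-29--03-14-07 "GET /mifs/c/appstore/fob/1/0/sha256:kid=0?param=PLACEHOLDER HTTP/1.1" 404',
    '198.51.100.7:40021 - - 2026-01-29--09-00-00 "GET /mifs/c/aftstore/fob/2/0/sha256:kid=0 HTTP/1.1" 200',
    '198.51.100.7:40022 - - 2026-01-29--09-00-05 "GET /mifs/unrelated/path HTTP/1.1" 404',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['method']} {f['target']} params={f['has_params']}")
```

On a live appliance the same logic applies to the contents of `/var/log/httpd/https-access_log`; the flagged targets with parameters are the ones to inspect by hand for embedded bash commands.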

What to do if compromise is suspected?

In addition to data access, attackers may use the EPMM API or web console to modify system configurations. While such actions are logged, organizations should assess the integrity of their environment if compromise is suspected.

Recommended areas for review include:

  • EPMM administrator accounts (new or modified)  
  • Authentication settings (SSO, LDAP)  
  • Newly pushed mobile applications  
  • Changes to application configurations, including in-house apps  
  • Newly created or modified policies  
  • Network and VPN configuration changes pushed to devices  

For further details about the guidance, follow up in the Ivanti Analysis and Guidance linked in the References section.

What the Cyber Fusion Center is Doing

The CFC is monitoring the situation and analyzing the case to identify potential threat-hunting campaigns. This advisory will be updated if required. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.

References
