Attackers Use Dormant Backdoors in Ivanti EPMM to Evade Latest 0-Day Patches


Rapid Exploitation of Ivanti Zero-Day Vulnerabilities

Threat actors have moved quickly to exploit two critical zero-day vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM). Security teams have found web shells on compromised servers, showing that attackers bypassed authentication entirely by abusing how bash evaluates variables in arithmetic expressions.

Overview of the Vulnerabilities

Researchers from Palo Alto Networks' Unit 42 have identified widespread exploitation of the vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340. Both allow unauthenticated remote code execution, handing attackers control of the mobile device management server itself. The root cause is a seemingly simple arithmetic operation in bash, which makes the flaws both easy to trigger and easy to overlook in review.

Cortex Xpanse, Palo Alto Networks' attack surface management platform, counted more than 4,400 EPMM systems exposed to the internet, spread across sectors including healthcare, manufacturing, and local government in countries such as the U.S., Germany, Australia, and Canada. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate it by February 1.

How Attackers Are Exploiting Ivanti’s Bugs

The flaws live in legacy bash scripts that Apache invokes for URL rewriting in EPMM features such as In-House Application Distribution and Android File Transfer. Both carry a CVSS score of 9.8: an attacker can take full control of the server with a single crafted HTTP GET request, with no authentication and no user interaction.

The exploit abuses how bash evaluates variables in arithmetic comparisons. An attacker sends a crafted HTTP request to a vulnerable endpoint (such as /mifs/c/appstore/fob/) whose parameter value is not a number but an expression with a command nested inside it. When the script compares that variable arithmetically, bash re-evaluates the value, follows the reference to the variable holding the attacker's payload, and runs the embedded command. The payload never appears as an explicit command in the script; it surfaces only as the value of a variable used in what looks like a harmless numeric comparison.
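As an added illustration of the bash behaviour described above (example code written for this page, not Ivanti's rewrite script and not code from the Unit 42 report), the following snippet shows a checker that compares an attacker-controlled value arithmetically, a hardened version that validates the value before any arithmetic, and a demo that runs the same injected value through both. The function names, the "count" parameter and the marker-file payload are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added illustration of the bash arithmetic-evaluation bug class discussed
# above. This is NOT Ivanti's rewrite script: the function names, the
# "count" parameter and the marker-file payload are assumptions for the demo.

# Vulnerable pattern. Inside [[ ]], the operands of -eq (like everything
# inside (( ))) are evaluated as arithmetic expressions, and arithmetic
# evaluation expands array subscripts, so a value of the form
#   a[$(some command)]
# runs "some command" when the comparison is evaluated.
vulnerable_check() {
    local count="$1"              # attacker-controlled, e.g. a URL parameter
    if [[ $count -eq 0 ]]; then   # arithmetic context: $count is re-evaluated
        echo "empty"
    else
        echo "nonempty"
    fi
}

# Hardened pattern: reject anything that is not a plain decimal integer
# before the value reaches an arithmetic context. The =~ test is a regex
# match, not arithmetic, so it does not expand the value.
safe_check() {
    local count="$1"
    local re='^(0|[1-9][0-9]*)$'  # no leading zeros, so no octal surprises
    if [[ ! $count =~ $re ]]; then
        echo "invalid"
        return 1
    fi
    if (( count == 0 )); then
        echo "empty"
    else
        echo "nonempty"
    fi
}

# Runs one injected value through both checks. The constructed payload
# creates a marker file, then yields 0 so the outer comparison still
# succeeds; a real probe would use "sleep 5" and time the response, as in
# the reconnaissance described above. Returns 0 when the vulnerable check
# executed the payload and the hardened one did not.
demo() {
    local marker="${TMPDIR:-/tmp}/arith_demo_$$"
    local payload="a[\$(touch $marker; echo 0)]"
    local vuln_ran=0 safe_ran=0

    rm -f "$marker"
    vulnerable_check "$payload" >/dev/null
    [[ -e $marker ]] && vuln_ran=1
    rm -f "$marker"

    safe_check "$payload" >/dev/null || true
    [[ -e $marker ]] && safe_ran=1
    rm -f "$marker"

    echo "vulnerable check ran the payload: $vuln_ran; hardened check ran it: $safe_ran"
    [[ $vuln_ran -eq 1 && $safe_ran -eq 0 ]]
}

# Usage: demo
```

The hardened version deliberately matches against a pattern rather than trying to sanitise the string: anything that is not a decimal integer is refused before the value reaches `(( ))`, and the regex lives in a variable so its parentheses are not mistaken for conditional grouping.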

Reconnaissance and Deployment

Unit 42's observations show a mix of automated scanning and targeted intrusions. During initial reconnaissance, attackers used simple time-based probes to confirm the bug: if the server took exactly five seconds to respond with an error, the injected command had run and remote code execution was confirmed. Malicious payloads followed quickly.

Attackers then established reverse shells to their own infrastructure; traffic on those connections showed patterns consistent with interactive command execution. That foothold let them explore the compromised host and escalate privileges.

Concerns Over Persistent Access

One of the more alarming trends is the installation of web shells. Lightweight JSP web shells appeared under innocuous names such as 401.jsp, 403.jsp, and 1.jsp in directories like /mi/tomcat/webapps/mifs/. Where the web server runs as root (or an equivalent administrative account), the shell inherits full administrative control, and because it lives on disk it survives a reboot and other superficial remediation.

The activity often reflects organized campaigns that fold compromised EPMM servers into larger criminal infrastructure. Coordinated malware downloads across victims show capabilities beyond single-target intrusions, pointing to a shift toward distributed attack frameworks.

Mitigation and Recovery

Ivanti has released RPM packages as temporary fixes for affected versions. Deployments on 12.5.0.x, 12.6.0.x, and 12.7.0.x should apply RPM 12.x.0.x; deployments on 12.5.1.0 and 12.6.1.0 should apply RPM 12.x.1.x. Applying the RPM requires no downtime and does not affect functionality. Note, however, that the RPM is not preserved across upgrades: after upgrading to a new version, it must be reinstalled.

The permanent fix will ship in version 12.8.0.0, scheduled for Q1 2026. For organizations that suspect a breach, Ivanti advises against attempting to clean the affected system in place. Instead, restore EPMM from a verified backup taken before the exploitation occurred, or rebuild the deployment from scratch.

Post-Recovery Measures

Once the system is recovered, administrators must reset the passwords of every account associated with EPMM, including local accounts and the LDAP and KDC service accounts. They must also revoke and replace the appliance's public certificates, on the assumption that any secret or key material on the compromised host has been exposed.

Unit 42 has also published XQL queries to help organizations identify signs of exploitation. One query analyses EPMM logs for the relevant HTTP requests; another examines firewall logs for traffic indicative of exploitation attempts.

As organizations increasingly rely on internet-facing management interfaces, they must take a proactive stance and treat exposure to vulnerabilities like these as presumptive compromise. Immediate forensic investigation and prompt patching are both essential.
