Two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, putting thousands of enterprise mobile management systems at risk.
The flaws allow unauthenticated attackers to remotely execute arbitrary code on vulnerable servers, potentially giving them full control over corporate mobile device management (MDM) environments.
“Palo Alto Networks Cortex Xpanse has identified the presence of over 4,400 [vulnerable] EPMM instances in our telemetry,” said Palo Alto Networks Unit 42 researchers.
How the Ivanti EPMM Vulnerabilities Work
EPMM platforms sit at the core of modern enterprise mobility strategies. They manage device configurations, enforce security policies, distribute applications and control access to corporate email, internal systems and sensitive data.
Because these systems function as centralized control planes for mobile fleets, a compromise at this layer can give attackers sweeping visibility and administrative control across thousands of managed devices.
According to research from Palo Alto Networks’ Unit 42, more than 4,400 EPMM instances are currently accessible online.
Since the vulnerabilities were disclosed in January 2026, Unit 42 has observed widespread and largely automated exploitation attempts targeting organizations in the United States, Germany, Australia and Canada.
The vulnerabilities driving this activity — CVE-2026-1281 and CVE-2026-1340 — both carry a CVSS score of 9.8.
What’s Causing the Vulnerabilities
The root cause in both cases stems from unsafe usage of legacy bash scripts integrated with Apache RewriteMap configurations.
These scripts handle URL rewriting for specific EPMM features, but improper input handling allows attackers to inject malicious commands into the script’s execution flow.
CVE-2026-1281 affects the In-House Application Distribution feature through the /mi/bin/map-appstore-url script, while CVE-2026-1340 impacts the Android File Transfer mechanism via /mi/bin/map-aft-store-url.
In both scenarios, attackers can issue specially crafted HTTP GET requests to endpoints such as /mifs/c/appstore/fob/ or /mifs/c/aftstore/fob/.
By manipulating specific parameters within those requests, adversaries trigger bash arithmetic expansion, causing the application to evaluate attacker-controlled input as executable commands.
By embedding malicious commands inside array index expressions, threat actors can achieve remote code execution without authentication or user interaction.
How Threat Actors Are Exploiting It
In observed campaigns, attackers first used simple sleep commands to confirm successful code execution. A delayed server response signaled that the target was vulnerable.
Once validated, threat actors escalated — deploying reverse shells to establish outbound connections, installing lightweight JSP web shells (often named 401.jsp, 403.jsp or 1.jsp) in accessible web directories and downloading second-stage payloads.
Some operations attempted to deploy cryptominers, while others installed persistent backdoors to maintain long-term access.
Unit 42 researchers also observed efforts to download the Nezha monitoring agent, enabling attackers to manage compromised systems across geographically diverse environments.
How to Mitigate Ivanti EPMM Risk
Given the ongoing exploitation activity, organizations should look beyond patching alone and implement layered mitigation measures.
Because EPMM systems serve as centralized management platforms for enterprise mobility, weaknesses at this level can have broad operational impact.
Security teams should carefully evaluate internet-exposed instances for potential exposure and take appropriate steps to validate system integrity.
- Apply Ivanti's RPM patch and verify successful installation across all EPMM instances.
- Run Ivanti’s exploitation detection script and conduct a thorough review for indicators of compromise, including unexpected JSP files, suspicious outbound connections and unauthorized administrative accounts.
- Restrict internet exposure by requiring a VPN for EPMM access or using an IP allowlist, enforce network segmentation and implement strict egress filtering to block unauthorized outbound connections.
- Harden the server by running services with least privilege, disabling unused features such as in-house app distribution or Android file transfer and tightening file system permissions on web directories.
- Deploy additional monitoring controls, including web application firewall (WAF) rules, file integrity monitoring and centralized log collection with SIEM correlation for anomalous HTTP requests and command execution patterns.
- If compromise is suspected, rotate administrative credentials, API keys and certificates, hunt for persistence mechanisms such as scheduled tasks or rogue services and rebuild systems from known-good images if necessary.
- Test incident response plans and run tabletop exercises for zero-day and MDM exploitation scenarios.
Implementing these measures can help organizations limit the blast radius of a potential compromise and build resilience.
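As an added example that is not part of the original article and is not Ivanti's own detection script, the following Python illustrates the log review and web-shell hunt described above: it scans Apache combined-format access log lines for requests to the two affected endpoints whose query string carries the shell metacharacters needed to reach bash arithmetic expansion, and checks a web-directory listing for the reported JSP web shell names. The log lines, the query parameter name x, the placeholder CMD and the file paths are constructed samples; the article does not name the vulnerable parameter.

```python
"""Hunt for exploitation attempts against the Ivanti EPMM endpoints named in the article."""
import re
from urllib.parse import unquote

# Request paths tied to CVE-2026-1281 and CVE-2026-1340 (taken from the article).
AFFECTED_PATHS = ("/mifs/c/appstore/fob/", "/mifs/c/aftstore/fob/")
# Web shell file names observed in the reported campaigns.
WEBSHELL_NAMES = {"401.jsp", "403.jsp", "1.jsp"}
# Tokens a legitimate app-store lookup never needs but bash arithmetic expansion
# or command substitution does: "$(", "${", "[" and backtick.
SUSPICIOUS = re.compile(r"\$\(|\$\{|\[|`")

# Apache combined log format: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Constructed sample log lines (not real telemetry); CMD is a placeholder token.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/?x=abc HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Jan/2026:10:02:15 +0000] "GET /mifs/c/aftstore/fob/?x=a%5B%24%28CMD%29%5D HTTP/1.1" 500 0',
    '198.51.100.9 - - [20/Jan/2026:10:03:40 +0000] "GET /mifs/c/login?x=a%5B1%5D HTTP/1.1" 200 1024',
]


def flag_request(line):
    """Return (client_ip, path, reason) for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = unquote(m.group("url"))  # decode %-encoding so %24%28 is seen as "$("
    path, _, query = url.partition("?")
    if not path.startswith(AFFECTED_PATHS):
        return None  # other paths are out of scope for these two CVEs
    if SUSPICIOUS.search(query):
        return (m.group("ip"), path, "shell metacharacters in query")
    return None


def scan_log(lines):
    """Return every flagged request from an iterable of access log lines."""
    return [hit for hit in (flag_request(ln) for ln in lines) if hit]


def flag_webshells(paths):
    """Return file paths whose basename matches a reported web shell name."""
    return [p for p in paths if p.rsplit("/", 1)[-1] in WEBSHELL_NAMES]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious request:", hit)
    print("web shells:", flag_webshells(["/opt/web/403.jsp", "/opt/web/index.jsp"]))
```

On a real server, feed the script the EPMM Apache access log and a recursive listing of the web directories; a hit is a starting point for the integrity checks in the list above, not proof of compromise on its own.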
Risks of Internet-Exposed MDM Systems
The exploitation of these Ivanti EPMM vulnerabilities highlights the risks associated with internet-exposed management infrastructure and legacy components within enterprise environments.
Because EPMM platforms provide centralized oversight of mobile devices, weaknesses at this layer can create broader access opportunities if not properly secured.
Incidents like this are prompting many organizations to reevaluate how they control access to critical systems, reinforcing the need for zero-trust solutions that assume no user or device should be trusted by default.
