Active, unauthenticated RCE in Ivanti EPMM — interim RPMs stop attacks but 12.8.0.0 (Q1 2026) is the real fix
Two critical Ivanti EPMM zero-days (CVE-2026-1281 and CVE-2026-1340) are being exploited in the wild to achieve unauthenticated remote code execution. Interim RPM patches stop the immediate attacks, but they must be re-applied after upgrades; a permanent fix is scheduled for EPMM 12.8.0.0 in Q1 2026.
Observed exploitation and its immediate effects
Attackers are sending simple, crafted HTTP GET requests that inject bash arithmetic expressions into URL parameters on specific EPMM endpoints; successful requests let adversaries run arbitrary Bash commands without any authentication. Reported payloads have deployed reverse shells, web shells and additional malware, giving persistent administrator-level control of affected appliances and access to managed mobile device data (names, addresses, phone numbers, GPS and other PII).
CISA has told U.S. federal agencies to patch or remove vulnerable EPMM devices within days because these two CVEs (both CVSS 9.8) are actively abused. Palo Alto Networks telemetry shows roughly 4,400 EPMM instances visible online and Shadowserver flags more than 850 IPs exposing EPMM fingerprints, concentrated in North America and Europe.
How the bugs work and why they’re easy to weaponize
The root cause is legacy bash scripting in EPMM’s In-House Application Distribution and Android File Transfer features: unsafe arithmetic expansion in shell code accepts attacker-supplied characters in HTTP GET parameters. That specific mechanism — trivial to trigger via a URL — means no credentials and no user interaction are required, contrary to any suggestion the flaws need admin logins or tricked users.
Because the appliance runs with elevated privileges inside enterprise networks, a compromised EPMM can be a pivot point for lateral movement into directory services and other infrastructure. History reinforces risk: Ivanti EPMM has been the target of multiple exploited critical flaws in recent years (for example CVE-2025-4427, CVE-2025-4428, and CVE-2023-35078), so attackers already have chains and playbooks that can incorporate these two new CVEs.
Practical mitigations and their operational trade-offs
Ivanti released interim RPM packages that mitigate the vulnerabilities, but those RPMs are not permanent: installing them on an on-prem EPMM appliance must be repeated after any EPMM software upgrade because upgrades overwrite the patched scripts. Ivanti plans a code-level fix in EPMM 12.8.0.0 (expected Q1 2026) that will remove the need for the interim step.
| Action | Speed | Coverage | Key limitation |
|---|---|---|---|
| Apply interim RPM patch | Immediate | Fixes the scripting flaw on current appliance | Must be re-applied after any EPMM upgrade |
| Isolate or remove appliance from internet | Immediate | Stops remote exploitation vector | Operationally disruptive for managed fleets |
| Network filtering / WAF rules | Quick to deploy | Can block known exploit patterns | Misses novel payload formats; requires tuning |
| Upgrade to EPMM 12.8.0.0 (permanent fix) | Depends on Ivanti release schedule (Q1 2026) | Long-term resolution | Requires full upgrade testing and planning |
| Credential rotation and threat hunt | Immediate | Reduces post-compromise persistence | Doesn’t stop initial RCE |
Detection checkpoints and immediate response checklist
Threat hunting should prioritize Apache access logs for the endpoints /mifs/c/appstore/fob/ and /mifs/c/aftstore/fob/ and look for unusual GET requests: query strings carrying shell metacharacters or bash arithmetic tokens, unexpected 200 responses where a 404 is normal, repeated 404s with command-looking strings, and evidence of files being created on the appliance. Be aware that attackers have cleared logs in previous incidents, so the absence of log entries is not proof of safety.
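The hunting checkpoints above can be turned into a small log triage script. The following is an added example written for this page, not Ivanti tooling or a published detection rule: it parses Apache combined-format lines, URL-decodes the query string, and flags requests to the two endpoints named above that carry shell tokens, return an unexpected 200, or form a run of repeated 404 probes from one client. The log lines are constructed for the example, the client addresses are documentation ranges, and the query-parameter name `id` is a placeholder rather than a real EPMM parameter.

```python
"""Triage Apache access logs for the EPMM endpoints named in the advisory.

Added example, not Ivanti's own tooling. SAMPLE_LOG is constructed; the
parameter name "id" is a placeholder, not a real EPMM parameter.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Endpoints the advisory says to hunt on.
WATCHED_PATHS = ("/mifs/c/appstore/fob/", "/mifs/c/aftstore/fob/")

# Apache combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens that do not belong in a normal query string for these endpoints:
# arithmetic expansion, command substitution, backticks, brace expansion
# and the usual command separators.
SHELL_TOKEN_RE = re.compile(r'\$\(\(|\$\(|`|\$\{|;|\|\||&&')

# Constructed sample: one decoded-shell-token hit with a 200, a short run of
# 404 probes from the same client, and two benign lines.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:09:11:40 +0000] "GET /mifs/c/aftstore/fob/?id=1 HTTP/1.1" 404 221
203.0.113.7 - - [10/Jan/2026:09:11:41 +0000] "GET /mifs/c/aftstore/fob/?id=2 HTTP/1.1" 404 221
203.0.113.7 - - [10/Jan/2026:09:11:42 +0000] "GET /mifs/c/aftstore/fob/?id=3 HTTP/1.1" 404 221
203.0.113.7 - - [10/Jan/2026:09:12:01 +0000] "GET /mifs/c/appstore/fob/?id=x%24%28%281%29%29 HTTP/1.1" 200 512
198.51.100.9 - - [10/Jan/2026:09:13:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1834
192.0.2.44 - - [10/Jan/2026:09:14:00 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 221
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    # Decode twice: double-encoded tokens are a common way to slip past naive filters.
    rec["query"] = unquote(unquote(query))
    return rec


def classify(rec):
    """Return the reasons a single record looks suspicious (empty list if benign)."""
    reasons = []
    if rec is None or not rec["path"].startswith(WATCHED_PATHS):
        return reasons
    if SHELL_TOKEN_RE.search(rec["query"]):
        reasons.append("shell tokens in query string")
    # The advisory says a 404 is the normal response here; confirm that against
    # your own baseline before treating every 200 as an alert.
    if rec["status"] == 200 and rec["query"]:
        reasons.append("200 with query string on endpoint that normally returns 404")
    return reasons


def hunt(lines, probe_threshold=3):
    """Run the checks over an iterable of log lines and return a list of findings."""
    findings = []
    repeated_404 = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(WATCHED_PATHS) and rec["status"] == 404 and rec["query"]:
            repeated_404[rec["ip"]] += 1
        reasons = classify(rec)
        if reasons:
            findings.append((rec["ip"], rec["target"], rec["status"], reasons))
    for ip, n in repeated_404.items():
        if n >= probe_threshold:
            findings.append((ip, "*", 404, [f"{n} repeated 404s with query strings (probing)"]))
    return findings


if __name__ == "__main__":
    for ip, target, status, reasons in hunt(SAMPLE_LOG.splitlines()):
        print(f"{ip} {status} {target}: {'; '.join(reasons)}")
```

Feed real logs with `hunt(open("/path/to/access_log"))` and review every finding alongside file-creation evidence on the appliance; as the advisory notes, a clean log is not proof of a clean host, so run this as one checkpoint among several rather than as the sole verdict.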
Operationally, apply interim RPMs now if you run on-prem EPMM, block or isolate internet-facing appliances where feasible, rotate administrative credentials, and preserve current system images and logs before making changes to support forensics. Track Ivanti’s 12.8.0.0 release timetable as the single variable that will remove the need for repeat RPM application.
Short Q&A
Do these bugs require admin credentials or user clicks? No — CVE-2026-1281 and CVE-2026-1340 allow unauthenticated remote code execution via crafted HTTP GET requests to vulnerable endpoints.
Are Ivanti cloud EPMM services affected? Ivanti’s statement differentiates on-premises EPMM; their cloud-managed offerings are not affected by these specific bash-script issues.
When is the permanent fix expected? Ivanti plans to ship a permanent code fix in EPMM version 12.8.0.0, currently scheduled for Q1 2026; until that upgrade is applied, interim RPMs or isolation are the practical options.