We discuss widespread exploitation of Ivanti EPMM zero-day vulns CVE-2026-1281 and CVE-2026-1340. Attackers are deploying web shells and backdoors.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile are being actively exploited to achieve remote code execution on MDM servers. The flaws stem from unsafe bash arithmetic expansion in legacy Apache RewriteMap scripts. Attackers are deploying web shells, reverse shells, cryptominers, and persistent backdoors across government, healthcare, manufacturing, and tech sectors in multiple countries. Over 4,400 EPMM instances have been identified as potentially vulnerable. Ivanti has released version-specific RPM patches that require no downtime, and CISA has added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog.

Critical Vulnerabilities in Ivanti EPMM Exploited

Interim Guidance for CVE-2026-1281 and CVE-2026-1340

Palo Alto Networks Product Protections for CVE-2026-1281 and CVE-2026-1340