Update now! Exploited vulnerabilities in Ivanti Endpoint Manager Mobile

Two critical security vulnerabilities have been discovered in Ivanti Endpoint Manager Mobile. Attacks are underway, and administrators should update quickly.


(Image: solarseven/Shutterstock.com)


Two security vulnerabilities with a critical risk rating have been found in Ivanti Endpoint Manager Mobile (EPMM). Attackers can use these to inject malicious code. The manufacturer warns that the vulnerabilities have already been exploited in the wild. Updates are available to help administrators secure their networks.

“Ivanti has released updates for Endpoint Manager Mobile (EPMM) addressing two critical security vulnerabilities,” writes Ivanti in its security advisory. “Successful attacks can lead to code execution from the network without authentication,” the company further explains. “We are aware of a very limited number of customers whose solutions have been successfully attacked as of the time of this report.”

Ivanti is withholding details about the vulnerabilities. The company only states that both are of type CWE-94 in the Common Weakness Enumeration, Improper Control of Generation of Code (“Code Injection”): vulnerabilities in which attackers can inject their own code in an unspecified way, which is then executed. Ivanti adds that no prior authentication is required for such an attack (CVE-2026-1281, CVE-2026-1340; both CVSS 9.8, risk “critical”). Ivanti's detailed analysis does, however, indicate that the vulnerabilities affect the in-house app distribution and the Android file transfer configuration functions.

On Thursday night, Ivanti released updated RPMs with which administrators can bring their instances up to a fixed version. Affected are Ivanti EPMM 12.5.0.0, 12.6.0.0 and 12.7.0.0, as well as 12.5.1.0 and 12.6.1.0, and older versions of each series. The updates are available as separate RPMs for the 12.x.0.x and 12.x.1.x series. Ivanti states that applying the patch causes no downtime and that the developers are not aware of any impact on existing features.


Ivanti further explains that the known incidents are still under investigation and that no reliable information is yet available that could serve as indicators of compromise (IOCs). Attempted and successful attacks do, however, appear to produce 404 error codes in the Apache log, which administrators can search for. Because patched installations also generate such error codes, Ivanti suggests a regular expression for better filtering in its detailed analysis.
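The log search described above, as an added example that is not part of the article or of Ivanti's analysis: a small Python script that parses Apache combined-format access-log lines, keeps only 404 responses, and narrows them with a path regex before counting repeated hits per client and path. The sample log lines are constructed for this example, the 404 hint is the only thing taken from the article, and the path filter is a placeholder standing in for the regular expression from Ivanti's analysis, which the article does not reproduce; replace it with the vendor's pattern when applying this to real logs.

```python
import re
from collections import Counter

# Apache "combined" log format: client, ident, user, [time], "request", status, size, "referrer", "agent".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines; hosts, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jan/2026:02:14:07 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jan/2026:02:14:09 +0000] "POST /example/upload HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.10 - - [15/Jan/2026:02:14:11 +0000] "POST /example/upload HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [15/Jan/2026:02:15:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jan/2026:02:15:02 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not a valid access-log record
"""

# Placeholder filter (assumption): Ivanti's actual regex is not reproduced in the article,
# so this only narrows to the constructed "/example/" paths used in SAMPLE_LOG.
DEFAULT_PATH_FILTER = re.compile(r"^/example/")


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_404s(lines, path_filter=DEFAULT_PATH_FILTER):
    """Return parsed records with status 404 whose path matches path_filter (None = any path)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue  # unparseable line or not a 404
        if path_filter is not None and not path_filter.search(rec["path"]):
            continue  # 404 on an unrelated path (e.g. favicon noise)
        hits.append(rec)
    return hits


def summarize(hits):
    """Count 404 hits per (client, method, path) so repeated probes from one source stand out."""
    return Counter((h["client"], h["method"], h["path"]) for h in hits)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    all_404 = find_404s(lines, path_filter=None)
    filtered = find_404s(lines)
    print(f"{len(all_404)} 404s total, {len(filtered)} after path filter")
    for (client, method, path), n in summarize(filtered).most_common():
        print(f"{n:4d}  {client:15s} {method} {path}")
```

On a real system, feed the script the Apache access log (for example via `sys.stdin` or `open(...)`) instead of `SAMPLE_LOG`, and keep the unfiltered count alongside the filtered one: the difference shows how much of the 404 volume the path filter removed, which is useful when judging whether the filter is too broad or too narrow.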

IT managers should patch their instances immediately. Most recently, Ivanti closed a critical security vulnerability in its Endpoint Manager in December; at that time, however, no attacks on the vulnerability were known.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.