BSI warning: Ivanti EPMM vulnerability is widely exploited
The Federal Office for Information Security (BSI) and IT researchers warn of widespread attacks on Ivanti EPMM.
(Image: Titima Ongkantong / Shutterstock.com)
At the end of January, Ivanti closed critical vulnerabilities in Endpoint Manager Mobile (EPMM). Attackers can use them to inject malicious code, and the first attacks were already known at the time. Now the Federal Office for Information Security (BSI) is warning of widespread attacks on these vulnerabilities and recommends using a detection script to identify successful attacks. IT security researchers from Palo Alto Networks have also published a warning that describes some of the observed exploitation attempts in more detail.
Ivanti is holding back on details about the security vulnerabilities, but IT researchers from Palo Alto Networks Unit42 provide more precise information. One vulnerability stems from outdated Bash scripts used by the included Apache web server for URL rewriting (CVE-2026-1281, CVSS 9.8, Risk "critical"). The second vulnerability also stems from an insecure Bash script but affects Ivanti's Android file transfer mechanism (CVE-2026-1340, CVSS 9.8, Risk "critical").
After exploiting the vulnerabilities, attackers set up reverse shells and web shells, explore the environment, and download further malware. According to Unit42, targets include state and local governments, healthcare, manufacturing, law firms, and the high-tech sector.
BSI distributes detection script
The BSI issued an updated warning last week as well. The authority provides indicators of successful attacks (Indicators of Compromise, IOCs) and explicitly points to the detection scripts that Ivanti published together with the Dutch IT security authority NCSC-NL. The current versions are Ivanti-Host-EPMM-Scan-v2-0S-2 and Ivanti-Host-EPMM-Scan-v2-0L-2, both updated on February 12, 2026.
The BSI classifies the vulnerabilities and the attacks on them in the third severity category, "Orange." In practical terms this means: "Measures must be taken immediately. Massive disruption of normal operations is possible." The BSI has indications that the vulnerabilities have been exploited since at least summer 2025; admins should take this timeframe into account in their investigations.
(dmk)