NEWS Hackers breached Ivanti through zero days – companies are advised to burn down servers and start over.

pinkman
Cybercriminals now know where every corporate smartphone is located.

Ivanti has released updates for two critical zero-day vulnerabilities in Endpoint Manager Mobile. At the time of the patch release, the flaws were already being exploited in attacks. For the company, this is the latest in a series of unfortunate incidents that have regularly affected major enterprise IT solution providers since the beginning of the year.

A similar situation unfolded a year ago. In January 2025, tens of thousands of organizations were forced to urgently patch a zero-day vulnerability in Fortinet products, while Ivanti customers simultaneously installed emergency patches for their own systems. A year later, the overall situation remains largely unchanged. Fortinet continues to patch vulnerabilities in single sign-on mechanisms, and Ivanti is once again publishing patches for new critical bugs that became known after their exploitation.

The vulnerabilities were identified as CVE-2026-1281 and CVE-2026-1340. Both affect Endpoint Manager Mobile and have a CVSS score of 9.8, close to the maximum severity level. They allow remote execution of arbitrary code without authentication: effectively, an attacker could gain complete control of the mobile device management server if it is reachable from the internet.

Ivanti stated that it was aware of only a small number of customers whose systems had been compromised at the time of disclosure. The developer also specifically indicated which products were not affected. The vulnerabilities do not affect the company's other solutions, including cloud services like Ivanti Neurons for MDM. Endpoint Manager is a separate product and is also not affected by these vulnerabilities. Users of Ivanti cloud solutions with the Sentry component need not worry about these vulnerabilities.

Such flaws open a wide range of opportunities for attackers. Remote code execution allows them to navigate the organization's network, change settings, escalate privileges, and access data. Ivanti explicitly warns that exploitation could allow an attacker to access some of the information stored in the mobile device management system.

That information includes the personal data of EPMM administrators and users, as well as data about the managed phones and tablets themselves, including phone numbers and the GPS coordinates used to track corporate mobile devices.

Detecting signs of a hack is complicated by Ivanti's lack of reliable indicators of compromise. The company explains this by the small number of confirmed incidents. Instead of a clear set of indicators, the developer has published a technical analysis with general recommendations that can help identify exploitation attempts.

Security professionals are advised to begin their analysis with Apache logs. Special attention should be paid to the In-House Application Distribution and Android File Transfer Configuration functions. Normal requests to these components return an HTTP 200 status code, while suspicious activity is often accompanied by a 404 error. Ivanti also recommends checking any GET requests with parameters containing bash commands.

This isn't the first time Endpoint Manager Mobile has encountered vulnerabilities of this class. Previous investigations have shown that attackers typically gain a foothold in the system in two ways. The most common is adding or modifying web shells, typically targeting error pages such as 401.jsp. The developer recommends treating any POST requests to such addresses or accessing parameters as a serious cause for concern.

Another sign of a possible hack is the appearance of unexpected WAR or JAR files in the system. Such artifacts often indicate the deployment of reverse shells through which attackers maintain persistent access. Network activity also adds to the picture. EPMM does not normally establish outgoing connections, so any such entries in the firewall logs require separate investigation.
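The Apache-log checks described above (404 responses on the two watched components, GET parameters carrying shell-like content, and POST requests to error pages such as 401.jsp) can be turned into a simple triage script. This is an added example, not code from the article or from Ivanti; the article does not give the real EPMM URL paths, so the watched path prefix is a placeholder the operator must replace, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache combined/common log prefix: client identd user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)
# Query values that look like shell input (the article: "parameters containing bash commands").
SHELL_RE = re.compile(r'\bbash\b|/bin/(?:ba)?sh\b|\$\(|`|\|\s*\w')
# POST to an HTTP error page such as 401.jsp (where web shells were placed in earlier incidents).
ERROR_PAGE_RE = re.compile(r'/\d{3}\.jsp$')


def scan_access_log(lines, watched_prefixes):
    """Return (line_no, rule, detail) tuples for requests that deserve a closer look.

    watched_prefixes: URL path prefixes of the In-House Application Distribution and
    Android File Transfer Configuration handlers. Assumed/placeholder values here.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        parts = urlsplit(m["target"])
        path, status, method = parts.path, int(m["status"]), m["method"]
        # Rule 1: the watched components normally answer 200, so a 404 there is anomalous.
        if status == 404 and path.startswith(tuple(watched_prefixes)):
            findings.append((n, "watched-path-404", path))
        # Rule 2: GET parameters whose decoded value contains shell-like content.
        if method == "GET":
            for key, value in parse_qsl(parts.query, keep_blank_values=True):
                if SHELL_RE.search(value):
                    findings.append((n, "shell-in-query", f"{key}={value}"))
        # Rule 3: POST to an error page is the web-shell placement pattern the article describes.
        if method == "POST" and ERROR_PAGE_RE.search(path):
            findings.append((n, "post-to-error-page", path))
    return findings


# Constructed sample lines; "/placeholder-appdist/" stands in for the real handler path.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jan/2026:10:00:01 +0000] "GET /placeholder-appdist/list?page=2 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [31/Jan/2026:10:00:02 +0000] "GET /placeholder-appdist/cfg?name=bash%20-c%20id HTTP/1.1" 404 0',
    '198.51.100.9 - - [31/Jan/2026:10:00:03 +0000] "POST /401.jsp HTTP/1.1" 200 42',
    '192.0.2.7 - - [31/Jan/2026:10:00:04 +0000] "GET /login.jsp HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG, ["/placeholder-appdist/"]):
        print(hit)
```

Each hit names the log line and the rule that fired, so the output can be handed straight to the incident response step the article recommends rather than treated as proof of compromise on its own.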

The American cybersecurity agency CISA has previously warned that such vulnerabilities allow attackers to install hidden listening services and plant long-term backdoors. Against this backdrop, Ivanti's recommendations appear quite strict. If signs of compromise are detected, the company advises not attempting to clean the system manually, but rather to fully restore it from a backup and then update to the latest version. If a backup is not available, Ivanti suggests deploying a new EPMM server and migrating the data to it.

Benjamin Harris, CEO of watchTowr, noted that Endpoint Manager Mobile users include many organizations in industries where data breaches are particularly sensitive, and that the current attacks appear to be the work of well-trained and well-resourced teams. Patches alone don't solve the problem, since the vulnerabilities were exploited before they were disclosed. He recommends treating any server that was reachable from the internet at the time of publication as potentially compromised and immediately launching full incident response procedures.