Rapid response · 1 MIN READ · AARON WALTON · JAN 30, 2026
TL;DR
- CVE-2026-1281 and CVE-2026-1340 are two zero-day command injection vulnerabilities affecting Ivanti EPMM
- Both CVEs currently carry a CVSS score of 9.8
- They allow unauthenticated attackers to gain full system control
What happened
Ivanti has released updates for two critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340. These are command injection vulnerabilities that unauthenticated attackers can use to execute arbitrary code via the EPMM management interface. These CVEs are being actively exploited to install webshells and establish persistent reverse shells. The exploitation runs at a high privilege level, meaning attackers can pivot to internal networks, modify MDM policies, and access sensitive device data.
Attackers are specifically targeting the /mifs/c/aftstore/fob/ and /mifs/c/appstore/fob/ endpoints. Attempts often generate 404 errors in the Apache logs before a successful shell is established. Attackers are known to clear local log files; therefore, externalized SIEM logs are the most reliable source for forensic investigation. This regex was shared for triaging logs: ^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404. It matches 404 responses for those two paths while skipping any line whose leading client field is the loopback address 127.0.0.1, so only requests arriving from external/public IP addresses are flagged.
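To show how the shared regex behaves on real-looking input, the following added example (not code from Ivanti or from the original post) runs it line by line over constructed Apache-style entries. The log layout, a leading client IP:port field followed by the usual combined-log fields, is an assumption made so the loopback lookahead in the regex has something to match; the addresses are from the RFC 5737 documentation ranges and none of these lines come from an actual incident. Each hit also carries the status code parsed from the response field, so an analyst can confirm the 404 came from the status and not from a byte count or query string that happens to contain those digits.

```python
import re
from typing import Dict, List

# Regex shared in the advisory, verbatim. The negative lookahead drops lines
# whose leading "ip:port" field is loopback; the rest requires one of the two
# targeted paths followed somewhere later on the line by "404".
TRIAGE_RE = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# Status code in combined-log style: the three digits after the quoted request.
STATUS_RE = re.compile(r'" (\d{3}) ')

# Constructed sample lines (assumed "client:port" + combined-log format).
# Documentation-range addresses; not real log data from the page or any incident.
SAMPLE_LOG = """\
203.0.113.45:51234 - - [30/Jan/2026:10:15:02 +0000] "POST /mifs/c/aftstore/fob/ HTTP/1.1" 404 196 "-" "curl/8.4.0"
127.0.0.1:40122 - - [30/Jan/2026:10:15:03 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 196 "-" "health-check"
198.51.100.7:60001 - - [30/Jan/2026:10:15:04 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7:60002 - - [30/Jan/2026:10:15:05 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 200 1042 "-" "python-requests/2.31"
203.0.113.9:44001 - - [30/Jan/2026:10:16:10 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def triage(log_text: str) -> List[Dict]:
    """Return one record per line flagged by the advisory regex.

    The regex is applied per line so its `$` anchor means end-of-line
    regardless of the re flags in use.
    """
    hits: List[Dict] = []
    for line in log_text.splitlines():
        m = TRIAGE_RE.search(line)
        if not m:
            continue
        # First whitespace-delimited field is "ip:port"; strip the port.
        source = line.split(" ", 1)[0].rsplit(":", 1)[0]
        status = STATUS_RE.search(line)
        hits.append(
            {
                "source": source,
                "store": m.group(1) + "store",  # "aftstore" or "appstore"
                "status": int(status.group(1)) if status else None,
                "line": line,
            }
        )
    return hits


def sources_by_count(hits: List[Dict]) -> Dict[str, int]:
    """Aggregate flagged lines per source address, busiest first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["source"]] = counts.get(h["source"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for h in flagged:
        print(f"{h['source']:<16} {h['store']:<9} status={h['status']}")
    print("per-source:", sources_by_count(flagged))
```

Run against exported SIEM data rather than the appliance's local files, since the post notes attackers clear those. Two sample lines are deliberately not flagged: the loopback health check, and the 200 response from 198.51.100.7 that follows its 404 probe, which is the "404 before a successful shell" sequence the post describes and is worth correlating by source address rather than reading line by line.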
What you should do now
- Emergency patch: Apply the version-specific RPMs immediately. The RPMs must be reapplied if the system is upgraded to a version earlier than 12.8.0.0.
- Hard reset: If a compromise is confirmed, Ivanti recommends rebuilding the instance or restoring from a backup prior to the first IoC; do not attempt to manually clean the operating system.
- Credential rotation: Rotate all service account passwords, local admin passwords, and replace public certificates.
Why it matters
These vulnerabilities have been added to the CISA KEV catalog and attackers are actively exploiting them as zero days. The exploitation is trivial and doesn’t require credentials, making any internet-facing EPMM instance a high-priority target. The impact is severe, potentially leading to the compromise of an organization’s entire mobile device fleet and internal directory services.
