
The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, both carry a CVSS score of 9.8 and pose a severe risk to enterprise environments relying on EPMM for mobile device management.
According to incident response findings from WithSecure’s STINGR Group, attackers leveraged these flaws to gain full control of exposed servers and exfiltrate sensitive data within seconds.
The vulnerabilities exist in pre-authentication components, allowing threat actors to execute arbitrary commands without valid credentials.
Automated Exploitation and Reconnaissance
Threat actors adopted a highly automated “hit-and-run” strategy, scanning the internet for vulnerable EPMM instances using crafted HTTP GET requests.
These requests manipulated input parameters such as start and end time values, forcing the backend system to execute injected shell commands.
To confirm vulnerability, attackers initially executed time-based reconnaissance techniques, including sleep commands.
This allowed them to verify code execution without triggering immediate detection. Once confirmed, they moved quickly to deploy malicious payloads.
Although early attempts showed encoding errors, successful exploitation led to the installation of a Java-based webshell embedded within the application’s 403.jsp error page.
By appending a base64-encoded payload, attackers achieved persistent access and root-level command execution.
The attack chain involved multiple stages. The initial HTTP request deployed the webshell, while follow-up requests loaded compiled Java classes directly into memory.
These payloads were partly derived from modified components of AntSword, a widely available offensive web framework.
The first payload focused on reconnaissance, gathering system-level details such as operating system information and directory structures.
A second-stage payload, requiring a newer Java runtime, enabled direct execution of commands with elevated privileges.
This modular approach allowed attackers to adapt their techniques based on the target environment while maintaining speed and efficiency.
Six-Second Full Compromise
In one documented incident on February 9, attackers completed a full compromise and data exfiltration in just six seconds.
After gaining access, they targeted the Ivanti MIFs database, extracting seven tables containing highly sensitive data, including:
- User credentials
- Device metadata
- Managed mobile device information
Additionally, attackers accessed the /mi/filesystem directory to collect configuration files, including administrator credentials.
The stolen data was compressed and moved to a web-accessible directory, enabling rapid exfiltration via simple HTTP requests.
To evade detection, attackers deleted local traces of the exfiltrated files immediately after transfer.
This campaign highlights the growing sophistication of zero-day exploitation, particularly the speed at which attackers can compromise systems and extract critical data.
The use of automated scanning, in-memory payload execution, and fileless techniques makes detection significantly more challenging.
Organizations using Ivanti EPMM are strongly advised to apply patches immediately, restrict external access to management interfaces, and monitor for unusual HTTP requests or unauthorized file modifications.
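The monitoring advice above can be turned into a first-pass log check. The following is an added example, not code from the report or from Ivanti: it scans constructed access-log lines (placeholder paths and parameter names; only the 403.jsp page name comes from the report) for shell metacharacters in time-style parameters, long base64-looking parameter values, and query parameters sent to the error page.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (not from the incident); paths and parameter
# names are placeholders, not the real EPMM endpoints. Only 403.jsp comes from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Feb/2026:10:00:01 +0000] "GET /mifs/api/report?start=2026-02-01&end=2026-02-09 HTTP/1.1" 200 512
203.0.113.7 - - [09/Feb/2026:10:00:02 +0000] "GET /mifs/api/report?start=2026-02-01;sleep%205&end=2026-02-09 HTTP/1.1" 200 512
203.0.113.7 - - [09/Feb/2026:10:00:04 +0000] "GET /mifs/403.jsp?x=aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q= HTTP/1.1" 200 128
198.51.100.9 - - [09/Feb/2026:10:00:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Shell metacharacters or command words inside a parameter that should hold a timestamp.
SHELL_META = re.compile(r'[;|&`$]|\b(sleep|ping|curl|wget|bash|sh)\b')
# Long base64-looking values; a heuristic, so legitimate tokens may also trip it.
B64_BLOB = re.compile(r'^[A-Za-z0-9+/]{24,}={0,2}$')

def parse_query(query):
    """Split on '&' only (never ';'), so an injected ';' stays inside the value."""
    pairs = []
    for part in query.split('&'):
        if part:
            key, _, value = part.partition('=')
            pairs.append((unquote(key), unquote(value)))
    return pairs

def classify(line):
    """Return the finding tags for one access-log line (empty list means nothing unusual)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m['target'])
    params = parse_query(url.query)
    tags = []
    for key, value in params:
        if SHELL_META.search(value):
            tags.append(f'shell-meta:{key}')
        if B64_BLOB.match(value):
            tags.append(f'base64-param:{key}')
    # The report places the webshell in 403.jsp; query parameters on an error page are unusual.
    if url.path.endswith('/403.jsp') and params:
        tags.append('error-page-with-params')
    return tags

def scan(log_text):
    """Return {line_number: tags} for every flagged line (1-based numbering)."""
    return {n: t for n, line in enumerate(log_text.splitlines(), 1) if (t := classify(line))}
```

Pair the log check with a baseline hash of deployed JSP files so a modified 403.jsp stands out as an unauthorized file change.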
The incident underscores a broader trend: modern attackers prioritize speed, automation, and stealth, reducing the window for detection to mere seconds.
The post Critical Ivanti EPMM Vulnerabilities Allow Remote Code Execution appeared first on Cyber Security News.
