Critical Ivanti EPMM Vulnerabilities Expose Systems to Arbitrary Code Execution Attacks

In February 2026, threat actors actively exploited two critical remote code execution (RCE) vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM).

A recent incident response investigation by WithSecure’s STINGR Group revealed attackers used highly automated methods to exfiltrate sensitive data from compromised servers within seconds.

These zero-day vulnerabilities allow unauthenticated attackers to execute arbitrary code on the system hosting the affected software.

  • CVE-2026-1281: A critical pre-authentication RCE flaw with a CVSS v3 score of 9.8.
  • CVE-2026-1340: A companion pre-authentication RCE vulnerability, also carrying a critical 9.8 severity score.

The Hit-and-Run Exploitation Strategy

Threat actors opportunistically scanned the internet for vulnerable EPMM servers by sending specially crafted HTTP GET requests.

Example of an HTTP request triggering the vulnerability (Source: WithSecure)
Example of an HTTP request triggering the vulnerability (Source: WithSecure)

Attackers initially used time-based reconnaissance commands, such as sleep calls, to confirm if a target was vulnerable before proceeding.

These malicious requests manipulated the start and end time parameters to force the server to evaluate arbitrary shell commands before authentication.

While many early attempts failed due to URL encoding errors, successful attacks installed a Java-based webshell within the system’s 403.jsp error page.

By appending a base64-encoded payload to this error page, threat actors could execute commands with root privileges and establish a persistent backdoor.

The HTTP request installing the webshell (Source: WithSecure)
The HTTP request installing the webshell (Source: WithSecure)

During a specific incident on February 9, an attacker completed a full-system compromise and data exfiltration in exactly 6 seconds.

The threat actor utilized modified components from AntSword, an open-source offensive web framework, to streamline their attack.

According to WithSecure, the initial HTTP request installed the webshell, while subsequent requests loaded compiled Java classes into memory.

The first payload was designed for reconnaissance, collecting basic system information such as the operating system and user directories.

A secondary payload that required a newer Java runtime was then deployed to execute terminal commands directly as the root user.

Using their persistent access, the attackers executed targeted commands to dump seven tables from the Ivanti MIFs database.

This database contains credentials, device metadata, and sensitive information belonging to the mobile devices managed by the EPMM appliance.

Additionally, the attackers archived system configuration files from the /mi/filesystem directory, including administrator account credentials.

The stolen data archives were moved to a web-accessible directory for rapid exfiltration via simple HTTP requests.

Following the data theft, the attackers deleted the local files to cover their tracks, highlighting the severe risks of zero-day exploitation.

Related Articles

Back to top button