Hackers Seize Control of Enterprise MDM Servers via Ivanti Zero-Days

A pair of critical zero-day vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM) are being actively exploited by attackers to seize control of enterprise mobile device management (MDM) servers. The vulnerabilities, identified as CVE-2026-1281 and CVE-2026-1340, allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over MDM infrastructure without requiring user interaction or credentials.

According to an advisory from Palo Alto Networks' Unit 42 threat research team, the vulnerabilities are being exploited in the wild to gain control of enterprise mobile fleets and corporate networks. EPMM, formerly known as MobileIron Core, is a widely used mobile device management platform that enables enterprises to manage and enforce security policies on employee smartphones and tablets.

The vulnerabilities are particularly concerning because they can be exploited without requiring any user interaction or credentials, making them highly susceptible to exploitation. Furthermore, the attackers can use the vulnerabilities to install backdoors that can persist even after organizations apply available patches.

"Two critical zero-day vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, affecting enterprise mobile fleets and corporate networks," the Unit 42 advisory states. "These vulnerabilities allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials."

The exploitation of these vulnerabilities has significant implications for enterprise security, as MDM servers often have access to sensitive data and can be used as a jumping-off point for further attacks on the network. Organizations that use EPMM are advised to take immediate action to patch the vulnerabilities and prevent exploitation.

In a statement, Ivanti confirmed that it is aware of the vulnerabilities and is working to release patches to address them. However, the company did not provide a specific timeline for when the patches would be available.

In the meantime, organizations can take several steps to mitigate the risk of exploitation. These include implementing network segmentation to limit the attack surface, monitoring for suspicious activity, and ensuring that all software and systems are up to date with the latest security patches.

The exploitation of zero-day vulnerabilities in widely used software like EPMM highlights the ongoing challenge of keeping pace with emerging threats in the cybersecurity landscape. As attackers continue to evolve and adapt their tactics, it is essential for organizations to prioritize vulnerability management and incident response to stay ahead of the threats.

The incident also underscores the importance of having a robust vulnerability management program in place, which includes regular patching, vulnerability scanning, and penetration testing. By taking a proactive approach to vulnerability management, organizations can reduce their risk of exploitation and minimize the impact of a potential breach.

In conclusion, the exploitation of the Ivanti EPMM zero-day vulnerabilities is a significant concern for enterprise security, and organizations must take immediate action to patch the vulnerabilities and prevent exploitation. By prioritizing vulnerability management and incident response, organizations can stay ahead of emerging threats and protect their sensitive data and systems.