Attackers Deploy Dormant Backdoors in Ivanti EPMM to Bypass Patching of Latest 0-Days

Threat actors quickly weaponized two Ivanti EPMM zero-days (CVE-2026-1281 and CVE-2026-1340) to achieve unauthenticated remote code execution via a bash arithmetic expansion trick, enabling rapid deployment of web shells and persistent backdoors. Over 4,400 internet-facing EPMM instances were identified across multiple sectors and countries, prompting CISA to list CVE-2026-1281 and forcing organizations to patch, hunt for indicators of compromise, and in many cases restore or rebuild compromised appliances. #IvantiEPMM #Nezha

Key points

  • Two critical Ivanti EPMM zero-days (CVE-2026-1281 and CVE-2026-1340) allow unauthenticated remote code execution using a bash arithmetic expansion technique.
  • Attackers rapidly installed lightweight JSP web shells and established reverse shells to gain persistent, often administrative, access.
  • Cortex Xpanse identified over 4,400 exposed EPMM instances across government, healthcare, manufacturing and technology sectors in several countries.
  • Exploitation requires only a malicious HTTP GET to endpoints such as /mifs/c/appstore/fob/; the flaw carries a CVSS score of 9.8 and needs no credentials or user interaction.
  • Ivanti published RPM mitigations and plans a permanent fix in version 12.8.0.0; affected organizations should hunt for IOCs, restore from known-good backups or rebuild appliances, and reset credentials and certificates.
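The key points above describe the exploitation path (an unauthenticated GET to /mifs/c/appstore/fob/ carrying bash arithmetic expansion) and tell defenders to hunt for indicators. The following is an added example, not code from the article or from Ivanti, of a heuristic hunt over web access logs for that pattern. It assumes an Apache/NGINX-style combined log format and uses constructed sample lines; the only page-derived value is the endpoint path, and the `$((` / `$[` markers are simply the standard bash arithmetic expansion syntax, which no legitimate app-store request should contain.

```python
"""Added example (not from the article): heuristic hunt over web access logs
for GET requests to an EPMM endpoint such as /mifs/c/appstore/fob/ whose
parameters carry bash arithmetic expansion syntax ($(( ... )) or $[ ... ]).
The log format, field layout and the sample lines are constructed assumptions
for illustration; adapt the parser to the appliance's real log layout."""
import re
from urllib.parse import unquote

# Endpoint named in the article; extend with other EPMM paths as needed.
WATCHED_PATH_PREFIXES = ("/mifs/c/appstore/fob/",)

# bash arithmetic expansion forms; a genuine app-store request never needs them
ARITH_EXPANSION = re.compile(r"\$\(\(|\$\[")

# Apache/NGINX-style combined log line (assumed format)
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoded_target(entry):
    """Percent-decode twice so nested encodings (e.g. %2524) do not hide the marker."""
    return unquote(unquote(entry["target"]))


def is_suspicious(entry):
    """Flag GETs to a watched EPMM path whose decoded target contains $(( or $[."""
    if entry is None or entry["method"] != "GET":
        return False
    target = decoded_target(entry)
    if not target.startswith(WATCHED_PATH_PREFIXES):
        return False
    return bool(ARITH_EXPANSION.search(target))


def hunt(lines):
    """Return (source_ip, timestamp, decoded_target) for every suspicious request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if is_suspicious(entry):
            hits.append((entry["src"], entry["ts"], decoded_target(entry)))
    return hits


# Constructed sample log lines (not real traffic): a benign app-store request,
# a request with a percent-encoded arithmetic expansion, and an unrelated path.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Feb/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/?id=1234 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Feb/2026:10:02:17 +0000] "GET /mifs/c/appstore/fob/?x=%24%28%281%2B1%29%29 HTTP/1.1" 500 0 "-" "curl/8.0"',
    '203.0.113.11 - - [05/Feb/2026:10:03:40 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, ts, target in hunt(SAMPLE_LOG):
        print(f"SUSPICIOUS {ts} from {src}: {target}")
```

A hit from this hunt is a trigger for the response steps the article lists (check for JSP web shells, restore from a known-good backup or rebuild, reset credentials and certificates), not proof of compromise by itself; the double percent-decoding is deliberate, since a single decode would miss markers that were encoded twice.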

Read More: https://thecyberexpress.com/attackers-deploy-backdoors-in-ivanti-epmm/