Ivanti Endpoint Manager Mobile (EPMM) sits in a uniquely privileged position: it manages device enrollment, policy enforcement, and app/content distribution across entire mobile fleets. When an internet-facing EPMM server is compromised, the blast radius is rarely limited to a single host — attackers can pivot into identity, device trust, and downstream enterprise resources.
That context is what makes CVE-2026-1281 (and the related CVE-2026-1340) especially urgent. In this campaign, the disclosure-to-exploitation window effectively collapsed: Ivanti’s advisory, a CISA KEV add, and confirmed compromise of government organizations all landed on the same day — meaning many defenders first learned about the issue after exploitation was already underway. (greynoise.io)
Executive summary
- CVE-2026-1281 is a critical (CVSS 9.8) unauthenticated remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM). (NVD)
- It is closely related to CVE-2026-1340 (also CVSS 9.8), a separate pre-auth code injection weakness in another EPMM feature path. (cow-prod-www-v3.azurewebsites.net)
- CISA added CVE-2026-1281 to KEV on Jan 29, 2026 with a due date of Feb 1, 2026 — a compressed remediation window that signals confirmed exploitation risk. (NVD)
- Dutch authorities confirmed compromise of the Dutch Data Protection Authority (AP) and the Council for the Judiciary (RVDR) via Ivanti EPMM on Jan 29, 2026. (The Register)
- GreyNoise telemetry indicates 83% of observed exploitation (Feb 1–9) traces to one bulletproof-hosted IP (AS200593 / PROSPERO OOO) not present in widely circulated IOC lists. (greynoise.io)
- GreyNoise also found several heavily shared “IOCs” were actually associated with unrelated scanning (not Ivanti EPMM exploitation), creating a risk of defenders “blocking the wrong door.” (greynoise.io)
Vulnerability overview
CVE-2026-1281 (CVSS 9.8): Pre-auth RCE via code injection
NVD summarizes CVE-2026-1281 as a code injection issue enabling unauthenticated remote code execution, with a CVSS v3.1 vector consistent with maximum impact (C/I/A high). (NVD)
What’s technically happening (defender-focused):
- Multiple analyses converge on legacy Bash scripting inside the request-handling path.
- The vulnerable flow is reachable through the In-House Application Distribution mechanism (HTTP paths under /mifs/c/appstore/fob/…). (Rapid7)
- watchTowr’s teardown shows the product’s Apache configuration uses RewriteMap directives pointing to Bash scripts (e.g., /mi/bin/map-appstore-url), and the hotfix replaces those scripts with Java-based mappers, which strongly indicates the flaw lives in that Bash-processing path. (watchTowr Labs)
CVE-2026-1340 (CVSS 9.8): Related pre-auth injection in a different component
CVE-2026-1340 is described as the same class of weakness but triggered via EPMM’s Android File Transfer mechanism (paths beginning /mifs/c/aftstore/fob/…). (Unit 42)
Compressed timeline
- Jan 29, 2026: Ivanti publishes a security update and notes a “very limited number” of customers were exploited at disclosure time; the issue affects on-prem EPMM (not Ivanti Neurons for MDM cloud). (ivanti.com)
- Jan 29, 2026: CISA KEV add for CVE-2026-1281 with Feb 1, 2026 due date. (NVD)
- Jan 29, 2026: Dutch AP and RVDR compromise confirmed (attack date reported as Jan 29). (The Register)
- Jan 30, 2026: CERT-EU and NHS England publish advisories confirming active exploitation; watchTowr publishes deep technical analysis. (cow-prod-www-v3.azurewebsites.net)
- Feb 1–9, 2026: GreyNoise observes exploitation attempts scaling sharply, with a major spike on Feb 8. (greynoise.io)
The key operational point: “Disclosure + KEV + confirmed government compromise” occurred on the same day, leaving defenders no safe “patch next week” buffer. (greynoise.io)
What GreyNoise observed
1) Exploitation is highly concentrated
GreyNoise recorded 417 exploitation sessions (Feb 1–9) from 8 source IPs, with 346 sessions (83%) from a single host: 193[.]24[.]123[.]42 on AS200593 (PROSPERO OOO), described as bulletproof infrastructure. (greynoise.io)
2) The campaign looks like automated “verify first” tradecraft
GreyNoise reports 85% of observed payloads used out-of-band (OAST) DNS callbacks — a technique consistent with cataloging vulnerable targets rather than immediate payload deployment. (greynoise.io)
3) “Sleeper” activity suggests staging for later follow-on
GreyNoise also highlights external reporting describing dormant, in-memory Java class loader implants associated with /mifs/403.jsp, consistent with a “foothold now, monetize later” model. (greynoise.io)
4) IOC lists may be misleading
A core GreyNoise conclusion: several widely shared IOCs showed no Ivanti EPMM exploitation in their data and were instead linked to other scanning (e.g., Oracle WebLogic on TCP/7001) — meaning teams that blocked only those indicators may have left the main exploitation source untouched. (greynoise.io)
Confirmed impact and public-sector targeting
- The Dutch AP and RVDR confirmed attacker access to work-related staff data (e.g., names, business contact details) following exploitation of the Ivanti EPMM zero-days; reporting ties the compromise to the Jan 29 exploitation window. (The Register)
- Multiple national and sectoral advisories (e.g., NHS England, CERT-EU) treat this as actively exploited and emphasize rapid mitigation and compromise assessment. (NHS England Digital)
Detection & hunting guidance
1) Triage inbound requests to vulnerable feature paths
At minimum, search for unusual requests under:
- /mifs/c/appstore/fob/ (CVE-2026-1281)
- /mifs/c/aftstore/fob/ (CVE-2026-1340) (Rapid7)
NHS England highlights that attempted/successful exploitation can show up in EPMM’s Apache access logs and provides a regex for rapid triage that focuses on suspicious 404 behavior on these paths. (NHS England Digital)
2) Look for signs of “verification” behaviour
Because multiple sources describe sleep-style and similar “does this execute?” probes, pay attention to:
- requests whose response time matches an injected delay (for example, a cluster of responses on the same path that take a round number of seconds longer than the baseline),
- repeated probing from the same source across /mifs/c/(app|aft)store/fob, and
- especially any signs of payload verification workflows. (Unit 42)
3) Monitor for /mifs/403.jsp abuse
Given the reporting around staged in-memory loaders via /mifs/403.jsp, treat unexpected access to that path as high-signal and investigate immediately. (greynoise.io)
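As an added example covering steps 1 to 3 (it is not NHS England's regex, which this page does not reproduce, and not Ivanti or GreyNoise tooling), the following Python script triages Apache Combined Log Format lines: it flags requests under the two fob/ paths, 404s on those paths, and access to /mifs/403.jsp. It also applies a heuristic of my own, derived from the Bash root cause described above, that flags shell metacharacters in the percent-decoded path; that heuristic, the flag names and the sample log lines are all constructed assumptions, not indicators from the reporting.

```python
"""
Triage Apache access-log lines for CVE-2026-1281 / CVE-2026-1340 probing.

Added example: the matching rules are the author's own assumptions built
from the paths named in public reporting, not vendor or NHS tooling.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format: client ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Vulnerable feature paths named in the reporting (Rapid7 / Unit 42).
VULN_PATH_RE = re.compile(r'^/mifs/c/(?P<store>appstore|aftstore)/fob/')
CVE_BY_STORE = {"appstore": "CVE-2026-1281", "aftstore": "CVE-2026-1340"}
# Path tied to the staged in-memory loader reporting (GreyNoise).
LOADER_PATH = "/mifs/403.jsp"
# Heuristic (assumption): the root cause is a Bash-processing path, so a
# fob/ request whose decoded path carries shell metacharacters is suspicious.
SHELL_META_RE = re.compile(r'[$`;|&(){}<>\\]')


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return a list of flags for one parsed request (empty list means nothing of interest)."""
    flags = []
    decoded = unquote(unquote(rec["path"]))      # two rounds also catch double-encoding
    bare = decoded.split("?", 1)[0]              # path without query string
    vm = VULN_PATH_RE.match(decoded)
    if vm:
        flags.append(CVE_BY_STORE[vm.group("store")] + "-path")
        if rec["status"] == "404":
            flags.append("fob-404")              # NHS triage guidance centres on 404 behaviour
        if SHELL_META_RE.search(bare):
            flags.append("shell-metachar")
    if bare == LOADER_PATH:
        flags.append("403.jsp-access")
    return flags


def triage(lines):
    """Flag interesting requests and count flagged hits per source IP."""
    hits, per_ip = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        flags = classify(rec)
        if flags:
            hits.append((rec["ip"], rec["ts"], rec["path"], rec["status"], flags))
            per_ip[rec["ip"]] += 1
    return hits, dict(per_ip)


# Constructed sample lines (documentation IP ranges, not real traffic, not real IOCs).
SAMPLE_LOG = """\
203.0.113.9 - - [08/Feb/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/x%3By/x HTTP/1.1" 404 312 "-" "curl/8.4"
203.0.113.9 - - [08/Feb/2026:10:01:05 +0000] "GET /mifs/c/aftstore/fob/abc/ HTTP/1.1" 404 312 "-" "curl/8.4"
198.51.100.7 - - [08/Feb/2026:10:02:00 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 57 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Feb/2026:10:03:00 +0000] "GET /mifs/c/appstore/fob/legitapp/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.45 - - [08/Feb/2026:10:04:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG)
    for ip, ts, path, status, flags in hits:
        print(f"{ip:15} {ts} {status} {path}  -> {', '.join(flags)}")
    print("flagged requests per IP:", per_ip)
```

Legitimate in-house app downloads also hit /mifs/c/appstore/fob/, so a bare "-path" flag on its own is a triage lead, not a verdict; the 404, metacharacter and 403.jsp flags, and a single source touching both store paths in quick succession, are what should escalate a host to compromise assessment. Run it against the centralized copy of the logs rather than the appliance's own files (see step 5).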
4) Outbound DNS matters here
GreyNoise’s OAST observation makes DNS telemetry unusually valuable:
- hunt for high-entropy subdomains and unusual callback patterns from the EPMM server during the exposure window, and
- correlate with suspicious inbound requests to the vulnerable endpoints. (greynoise.io)
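Added example for step 4 (my own, not GreyNoise's analysis code): a resolver-log hunt that scores the leftmost DNS label of each query from the EPMM host by Shannon entropy and length, skips an allow-list of expected domains, and counts distinct subdomains per registrable domain so that a callback domain receiving many unique random labels stands out. The log format, the appliance address 10.0.5.20, the allow-list, the .test domains and the thresholds are all constructed assumptions; the real OAST domains used in this campaign are not on this page.

```python
"""
Hunt for OAST-style DNS callbacks from an EPMM host in resolver query logs.

Added example: the log format, thresholds and the two-label notion of a
"registrable domain" are the author's simplifying assumptions; a production
version would use the Public Suffix List and the resolver's real log schema.
"""
import math
from collections import defaultdict

EPMM_HOST_IP = "10.0.5.20"          # assumed address of the on-prem EPMM appliance

# Thresholds (assumptions): random OAST labels are long and high-entropy, while
# human-chosen hostnames are short and repetitive.
MIN_LABEL_LEN = 10
MIN_ENTROPY = 3.0
# Domains the appliance is expected to resolve (assumed allow-list).
EXPECTED_SUFFIXES = ("corp.example", "ivanti.com", "apple.com", "google.com")


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Last two labels (assumption: no multi-label public suffixes in play)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_expected(qname):
    """True when the name is, or sits under, an allow-listed domain."""
    return any(qname == s or qname.endswith("." + s) for s in EXPECTED_SUFFIXES)


def parse_query_log(lines):
    """Yield (ts, client, qname); lines are 'ts client qname' (constructed format)."""
    for line in lines:
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2].rstrip(".").lower()


def hunt(lines, client_ip=EPMM_HOST_IP):
    """Return (suspicious_queries, unique_subdomains_per_domain) for one client."""
    suspicious = []
    subs = defaultdict(set)
    for ts, client, qname in parse_query_log(lines):
        if client != client_ip or is_expected(qname):
            continue
        leftmost = qname.split(".")[0]
        ent = shannon_entropy(leftmost)
        subs[registrable_domain(qname)].add(qname)
        if len(leftmost) >= MIN_LABEL_LEN and ent >= MIN_ENTROPY:
            suspicious.append((ts, qname, round(ent, 2)))
    return suspicious, {d: len(s) for d, s in subs.items()}


# Constructed sample queries; .test is a reserved TLD, so nothing here resolves.
SAMPLE_DNS_LOG = """\
2026-02-08T10:01:03Z 10.0.5.20 mdm.corp.example
2026-02-08T10:01:04Z 10.0.5.20 k7f2q9zx1c8m.oastcallback.test
2026-02-08T10:01:09Z 10.0.5.20 p3w8r1ytn6vb.oastcallback.test
2026-02-08T10:02:00Z 10.0.5.20 push.apple.com
2026-02-08T10:02:30Z 10.0.5.20 www.intranet.test
2026-02-08T10:03:00Z 10.0.7.8  a1b2c3d4e5f6g7.oastcallback.test
""".splitlines()

if __name__ == "__main__":
    suspicious, per_domain = hunt(SAMPLE_DNS_LOG)
    for ts, qname, ent in suspicious:
        print(f"{ts} {qname} entropy={ent}")
    print("unique subdomains per domain:", per_domain)
```

Entropy alone misfires on CDN hostnames and certificate-transparency-style labels, which is why the per-domain count matters: an unknown domain that receives several distinct high-entropy labels from the appliance during the exposure window is the pattern to correlate back against the inbound fob/ requests from step 1.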
5) Don’t rely only on on-box logs
NHS England explicitly warns that local logs can be manipulated post-exploitation and recommends reviewing centralized log sources (SIEM/collector) rather than only the appliance itself. (NHS England Digital)
Mitigation & response priorities
Immediate containment (hours)
- Patch / apply vendor hotfixes immediately (RPM-based interim mitigation aligned to your EPMM version), and plan for the permanent fix in EPMM 12.8.0.0 (Q1 2026). (cow-prod-www-v3.azurewebsites.net)
- If the system was internet-facing during the exposure window, treat it as potentially compromised and move straight to investigation (not just patching). (Help Net Security)
Network controls
- GreyNoise explicitly recommends blocking AS200593 (PROSPERO OOO) due to concentration of observed exploitation. (greynoise.io)
- Reassess IOC ingestion: distinguish between dedicated hostile infrastructure and shared VPN exits to avoid high false positives while still blocking real exploitation sources. (greynoise.io)
Post-exploitation response (days)
- Rotate credentials and keys where advised by national guidance; NCSC-NL reporting (via secondary coverage) emphasizes “assume compromise” posture even for fast patchers. (Help Net Security)
- Validate the integrity of the EPMM environment, looking for:
  - unexpected web-accessible JSP artifacts,
  - anomalous outbound traffic,
  - unauthorized admin actions or changes in device enrollment/policy. (greynoise.io)
Broader pattern: Ivanti as a recurring target
This incident fits a broader pattern: Ivanti platforms that sit on the edge (or operate as privileged infrastructure) continue to be treated as high-value targets, frequently with rapid weaponization once details are public.
- Ivanti EPMM (MobileIron Core) CVE-2023-35078 — auth bypass exposure and follow-on risk to EPMM environments. (threatintelreport.com)
- Norwegian government intrusions linked to EPMM zero-days (CVE-2023-35081 / CVE-2023-35078 chaining). (threatintelreport.com)
- Ivanti CSA zero-days and historical targeting by sophisticated actors. (threatintelreport.com)
- Nominet intrusion linked to Ivanti Connect Secure zero-day activity (CVE-2025-0282). (threatintelreport.com)
MITRE ATT&CK mapping
Based on publicly described exploitation and follow-on behaviors in this campaign:
- T1190 – Exploit Public-Facing Application (pre-auth RCE on internet-facing EPMM) (NHS England Digital)
- T1059 – Command and Scripting Interpreter (OS command execution via injected commands) (Unit 42)
- T1105 – Ingress Tool Transfer (downloading second-stage payloads) (Unit 42)
- T1505.003 – Web Shell (webshell installation described by responders/research) (Unit 42)
- T1071.004 – Application Layer Protocol: DNS (OAST-style DNS callbacks for RCE verification) (greynoise.io)
(Each mapping reflects the behavior patterns described in the cited reporting, not independent attribution or first-hand analysis of a sample.)
Related threatintelreport.com coverage
- Nominet Confirms Network Intrusion Linked to Ivanti Connect Secure Zero-Day (CVE-2025-0282) (threatintelreport.com)
- Nation-State Adversaries Exploit Ivanti CSA Zero-Days: A Deep Dive into Targeted Attacks and Vulnerability History (threatintelreport.com)
- Ivanti Patches another Zero-Day Exploited in Norwegian Government Attacks – Active Exploitation Observed (threatintelreport.com)
- Ivanti Endpoint Manager Mobile (EPMM) CVE-2023-35078 (threatintelreport.com)
Key external references
- GreyNoise: Active Ivanti Exploitation Traced to Single Bulletproof IP—Published IOC Lists Point Elsewhere (greynoise.io)
- watchTowr Labs: Someone Knows Bash Far Too Well… (technical root cause and patch behavior) (watchTowr Labs)
- NHS England Digital (CC-4742): exploitation confirmation + triage regex guidance (NHS England Digital)
- CERT-EU Security Advisory 2026-001: affected versions + hotfix/permanent fix notes (cow-prod-www-v3.azurewebsites.net)
- Unit 42: exploitation scope and observed post-exploitation activity (Unit 42)
- NVD: CVE record for CVE-2026-1281 (NVD)
- Dutch compromise reporting (AP/RVDR) (The Register)
- itpro.com
