Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) are currently being exploited in a widespread campaign to compromise enterprise networks across the globe. A new report from Unit 42 reveals that attackers are using CVE-2026-1281 and CVE-2026-1340 not just for immediate access, but to plant “dormant” backdoors that can survive even after a patch is applied.
The vulnerabilities, both carrying a CVSS score of 9.8, allow unauthenticated attackers to remotely execute arbitrary code on the server, effectively handing them the keys to an organization’s mobile fleet.
The root cause of these flaws is surprisingly mundane: unsafe bash scripts. The report details how CVE-2026-1281 stems from a specific type of code injection in bash arithmetic expansion, where a value the attacker controls ends up being evaluated as part of a numeric expression.
“The exploitation process works by tricking the bash script into evaluating a variable that contains a malicious command,” Unit 42 researchers explain.
By manipulating a URL parameter, attackers can force the server to run a command of their choosing, from a timing probe such as sleep 5 that confirms the injection works to a reverse shell that gives them interactive access. The injection point is a set of legacy scripts that the Apache web server invokes to handle URL rewriting for the In-House Application Distribution feature, which is what places attacker-controlled request data in front of the vulnerable bash code.
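The injection class described above, shown as an added example that is not code from Ivanti EPMM or from the Unit 42 report: a bash function that evaluates an untrusted value inside arithmetic expansion, a constructed payload that turns that evaluation into command execution, and a hardened variant that validates the input first. The function names, the payload and the marker file are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from Ivanti EPMM or the Unit 42 report: how an
# untrusted value reaching bash arithmetic expansion becomes command
# execution, and a validated alternative. Function names, the payload and
# the marker file are assumptions made for the demonstration.

# Vulnerable pattern: the value of $untrusted is evaluated as an arithmetic
# expression. Bash expands array subscripts inside that expression, so a
# value shaped like a[$(cmd)] runs cmd before any arithmetic happens.
vulnerable_count() {
    local untrusted="$1"
    local total
    total=$(( untrusted + 1 ))
    printf '%s\n' "$total"
}

# Hardened pattern: accept only an unsigned decimal integer, so nothing
# but digits can ever reach the arithmetic context.
hardened_count() {
    local untrusted="$1"
    case "$untrusted" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' $(( untrusted + 1 ))
}

# Runs the vulnerable function with a constructed payload that writes a
# marker file as its side effect, then prints the marker contents.
# The subscript ends in "echo 0" so the arithmetic itself still succeeds,
# which is also why a real probe like "sleep 5" leaves no error behind.
demo_injection() {
    MARKER=$(mktemp)
    local payload='a[$(echo injected >$MARKER; echo 0)]'
    vulnerable_count "$payload" >/dev/null 2>&1 || true
    cat "$MARKER"
    rm -f "$MARKER"
}

# Only bash performs the recursive evaluation; other shells reject the
# payload as a syntax error instead of executing it.
if [ -n "$BASH_VERSION" ]; then
    echo "vulnerable_count: $(demo_injection)"      # injected
fi
echo "hardened_count 41: $(hardened_count 41)"       # 42
hardened_count 'a[$(id)]' || echo "hardened_count: rejected payload"
```

The point of the hardened variant is that the check happens before the arithmetic, not inside it: quoting the variable or writing $(( "$untrusted" + 1 )) does not help, because the subscript is expanded during evaluation regardless of how the value arrived.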
What makes this campaign particularly dangerous is the attackers’ long-term strategy. They aren’t just breaking in; they are moving in.
“Threat actors are accelerating operations, moving from initial reconnaissance to deploying dormant backdoors designed to maintain long-term access even after organizations apply patches,” the report warns.
Attackers have been observed downloading the Nezha monitoring agent, an open-source tool, to maintain control. Interestingly, they configure the tool to “fetch from Gitee if the victim’s location is China, ensuring the largest possible victim base”.
Once inside, the attackers often deploy lightweight JSP web shells with names like 401.jsp or 1.jsp. These tiny files allow them to execute commands directly on the server. “In these cases, if the web server is running as root or Administrator, the attacker would gain administrative control of the server,” the report notes.
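A first-pass hunt for the kind of web shell described above, as an added example that is not from the Unit 42 report: it lists small .jsp files under a web root and flags the two file names the report mentions. The web root path, the size threshold and the sample files are assumptions; attackers pick file names freely, so the unfamiliar small files it reports for review matter at least as much as the known names.

```shell
#!/usr/bin/env bash
# Added hunting example, not from the Unit 42 report: list small .jsp files
# under a web root, flagging names the report associates with this campaign.
# The web root, size threshold and sample files are assumptions.

# Prints one line per .jsp file smaller than max_bytes (default 4096):
# KNOWN-NAME for names cited in the report, REVIEW for everything else.
hunt_small_jsp() {
    local webroot="$1" max_bytes="${2:-4096}"
    find "$webroot" -type f -name '*.jsp' -size -"${max_bytes}"c 2>/dev/null |
    while IFS= read -r path; do
        case "$(basename "$path")" in
            401.jsp|1.jsp) printf 'KNOWN-NAME %s\n' "$path" ;;
            *)             printf 'REVIEW %s\n' "$path" ;;
        esac
    done | sort
}

# Builds a constructed web root: two small placeholder .jsp files (not
# web shells) and one large legitimate-looking page. Prints its path.
make_sample_webroot() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/lib"
    printf '<%%-- constructed placeholder, not a web shell --%%>\n' > "$d/401.jsp"
    printf '<%%-- constructed placeholder, not a web shell --%%>\n' > "$d/lib/helper.jsp"
    head -c 8192 /dev/zero > "$d/big.jsp"
    printf '%s\n' "$d"
}

sample=$(make_sample_webroot)
hunt_small_jsp "$sample"
rm -rf "$sample"
```

On a real EPMM host, run it against the application's web root and compare results with a known-good deployment; pair the file listing with modification times and with the web server's access log entries for those paths, since a freshly dropped .jsp that is requested from a single external address is a much stronger signal than its name.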
The campaign has hit sectors ranging from state government and healthcare to manufacturing and legal services across the US, Germany, Australia, and Canada.
“The rapid weaponization of these vulnerabilities demonstrates that the window between disclosure and mass exploitation has effectively collapsed,” Unit 42 concludes.
Ivanti has released a fix that requires no downtime. Organizations are urged to apply the patch immediately and then assume they have already been breached: the backdoors described in the report are built to outlast the patch, so patching closes the door without evicting anyone who already came through it. “Organizations with internet-facing management interfaces should adopt an assumed breach mentality and treat detection of any indicators as potential compromise,” the report advises.