Do you work in a company that uses mobile fleet management tools to secure its devices? Imagine that these tools, supposed to protect your sensitive data, have critical vulnerabilities. How would you react if a simple update could make the difference between security and compromise? Discover the essential measures to take to secure your systems in this article.
The 3 must-know facts
- Two critical vulnerabilities allow remote code execution without authentication on Ivanti Endpoint Manager Mobile (EPMM).
- A patch, in the form of an RPM script, is available for affected versions, but each EPMM update may require manual reinstallation.
- Increased monitoring of access logs and post-exploitation signals is recommended to detect any suspicious activity.
Critical vulnerabilities of Ivanti EPMM
Ivanti recently released a security advisory regarding two critical vulnerabilities affecting its Endpoint Manager Mobile (EPMM) tool, used by many companies for managing and securing their mobile devices. These vulnerabilities, identified under references CVE-2026-1281 and CVE-2026-1340, allow remote code execution without requiring prior authentication.
The vulnerabilities specifically concern features related to internal application distribution and Android file transfer. They affect versions from branch 12.5 to 12.7, as well as versions 12.5.1 and 12.6.1, as long as the patch has not been applied.
Security advice and update
To counter these vulnerabilities, Ivanti offers a patch in the form of an RPM script, available for download. This patch must be applied quickly to secure vulnerable installations. However, it is important to note that a subsequent EPMM update will require the manual reinstallation of this patch until the arrival of version EPMM 12.8.0.0, scheduled for the first quarter of 2026.
The CERT-FR, affiliated with ANSSI, also recommends checking exposed instances to detect any signs of exploitation. Thorough monitoring of access logs is crucial to identify suspicious requests that could indicate exploitation of the vulnerabilities.
Monitoring and managing compromise
In addition to applying the patch, administrators are advised to monitor post-exploitation signals, such as unusual access to HTTP error pages or prolonged outgoing connections from the server. Such activities could indicate the presence of a backdoor or unauthorized access set up by attackers.
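The access-log review recommended above, sketched as an added example (not code from Ivanti or CERT-FR). The path prefixes, error-page paths and log lines are constructed placeholders and the two flagging rules are assumed heuristics; take the real paths from the vendor advisory and your own server configuration.

```python
import re
from collections import Counter

# Combined Log Format: ip - user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Placeholders (assumptions): replace with the paths of the affected features
# and of the server's error pages; none of these values come from the article.
WATCHED_PREFIXES = (
    "/PLACEHOLDER/app-distribution/",
    "/PLACEHOLDER/android-file-transfer/",
)
ERROR_PAGES = ("/PLACEHOLDER/error-401", "/PLACEHOLDER/error-404")

def scan(lines, watched=WATCHED_PREFIXES, error_pages=ERROR_PAGES):
    """Return (findings, hits_per_ip) for access-log lines worth reviewing."""
    findings, per_ip = [], Counter()
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        path, _, query = m["path"].partition("?")
        reason = None
        if path.startswith(watched):
            reason = "request to affected feature"
        elif path in error_pages and (m["method"] != "GET" or query):
            # Assumed heuristic: clients do not normally POST to an error
            # page or call it with parameters.
            reason = "unusual access to error page"
        if reason:
            findings.append((n, m["ip"], m["method"], m["path"], m["status"], reason))
            per_ip[m["ip"]] += 1
    return findings, per_ip

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [29/Jan/2026:10:01:02 +0000] "GET /PLACEHOLDER/app-distribution/x HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.9 - - [29/Jan/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Jan/2026:10:05:40 +0000] "POST /PLACEHOLDER/error-401 HTTP/1.1" 200 20 "-" "-"',
    '198.51.100.7 - - [29/Jan/2026:10:05:41 +0000] "GET /PLACEHOLDER/error-404?x=1 HTTP/1.1" 200 20 "-" "-"',
    '203.0.113.9 - - [29/Jan/2026:10:06:00 +0000] "GET /PLACEHOLDER/error-404 HTTP/1.1" 404 20',
    'not an access log line',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE)[0]:
        print(finding)
```

A hit is a prompt for review, not proof of compromise; prolonged outgoing connections have to be checked separately in network or firewall data.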
In the event of a confirmed compromise, it is preferable to restore a previous healthy backup or configure a new EPMM server. Any intervention should be done offline, with a reset of local account passwords and an update of the certificates used by the system.
Ivanti and the security of mobile management systems
Ivanti, a major player in the field of mobile device management, regularly faces security challenges. The importance of its solutions, such as Endpoint Manager Mobile, lies in their ability to protect companies’ sensitive data. In a context where cyberattacks are increasing, Ivanti must compete with other industry leaders like VMware and Microsoft Intune, which also offer mobile fleet management solutions. The recently discovered vulnerabilities highlight the need to remain vigilant and keep systems up to date to ensure optimal security.