Background
In late January 2026, CISA added two critical vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2026-1281 and CVE-2026-1340. These vulnerabilities, which are being actively exploited in the wild, affect the In-House Application Distribution and Android File Transfer Configuration features.
Ivanti EPMM is a mobile device management (MDM) platform that manages smartphones, tablets, and mobile applications across enterprise fleets. Given EPMM's privileged position in managing mobile devices and the platform's history of exploitation throughout 2025, immediate action is critical.
Technical Details
CVE-2026-1281 and CVE-2026-1340 allow attackers to exploit EPMM through HTTP GET requests containing malicious bash commands as parameters. The attack targets specific endpoints:
- /mifs/c/aftstore/fob/ (Android File Transfer)
- /mifs/c/appstore/fob/ (Application Store)
Key Behavioral Signature:
- Legitimate use of these features results in HTTP 200 response codes
- Exploitation attempts generate HTTP 404 response codes
This distinctive pattern makes detection straightforward through Apache access log analysis (/var/log/httpd/https-access_log).
Organizations can identify exploitation attempts using this regular expression:
```regex
^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
```
This filters for 404 responses to vulnerable endpoints while excluding legitimate localhost heartbeat traffic from patched systems.
Critical: On-box logging can be manipulated by attackers who successfully exploit the system. Organizations must review logs from a SIEM or centralized log aggregator, not from the EPMM server itself.
Affected Products
Vulnerable Versions:
Currently, specific version information is still being disclosed. Organizations should:
- Assume all internet-facing EPMM instances are potentially vulnerable until patched
- Review Ivanti's security advisory for confirmed version details
- Apply available security updates immediately
Ivanti EPMM has been repeatedly targeted throughout 2025, with major campaigns by China-nexus APT groups compromising government, healthcare, financial services, and telecommunications sectors.
Indicators of Compromise
Organizations should immediately search Apache access logs for exploitation attempts:
Primary Detection Pattern:
404 responses to vulnerable endpoints from external IPs:
```bash
# -P selects PCRE: the negative lookahead and \d in this pattern are not valid in grep -E.
# Run it against the forwarded (off-box) copy of the log, per the tampering caveat above.
grep -P '^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404' /var/log/httpd/https-access_log
```
Key Indicators:
- Multiple 404 responses from the same source IP targeting EPMM endpoints
- GET requests with bash commands in URL parameters (curl, wget, nc, bash, sh)
- Unusual 200 responses to these endpoints if you don't use these features
- Suspicious source IPs from known malicious infrastructure
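The advisory's regex applied in Python to constructed sample log lines, as an added example that is not part of the advisory or any Ivanti tooling; it also counts exploit-style 404s per source address and flags the command names in URL parameters listed above. The line layout (client:port at the start of the line, status after the quoted request) is an assumption drawn from the advisory's regex, and the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# Advisory pattern: a 404 to either vulnerable endpoint, excluding the localhost
# heartbeat lines ("127.0.0.1:<port> ...") that patched systems emit.
EXPLOIT_404 = re.compile(r"^(?!127\.0\.0\.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404")
# Secondary indicator from the advisory: shell command names inside URL parameters.
SHELL_TOKENS = re.compile(r"[?&=%+;|]\s*(curl|wget|nc|bash|sh)\b", re.IGNORECASE)
# Assumed line layout (consistent with the advisory regex's leading "client:port"):
#   <client>:<port> - - [timestamp] "<method> <path> <proto>" <status> <bytes> ...
LINE = re.compile(r'^(?P<client>[^:\s]+):\d+ .*?"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    # Localhost heartbeat from a patched system: expected, must not be flagged.
    '127.0.0.1:44120 - - [28/Jan/2026:10:00:01 +0000] "GET /mifs/c/aftstore/fob/ HTTP/1.1" 404 196 "-" "-"',
    # Legitimate in-house app download: 200 response, not flagged.
    '198.51.100.7:40001 - - [28/Jan/2026:10:00:05 +0000] "GET /mifs/c/appstore/fob/app.apk HTTP/1.1" 200 8192 "-" "-"',
    # External client repeatedly receiving 404 on the vulnerable endpoints.
    '203.0.113.45:51234 - - [28/Jan/2026:10:00:09 +0000] "GET /mifs/c/appstore/fob/?x=wget HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.45:51240 - - [28/Jan/2026:10:00:10 +0000] "GET /mifs/c/aftstore/fob/ HTTP/1.1" 404 196 "-" "-"',
    # Unrelated 404 elsewhere on the server: not flagged.
    '203.0.113.45:51250 - - [28/Jan/2026:10:00:11 +0000] "GET /mifs/missing HTTP/1.1" 404 196 "-" "-"',
]

def classify(line):
    """Return the set of advisory indicators a single access-log line matches."""
    reasons = set()
    m = LINE.match(line)
    if m is None:
        return reasons
    # The advisory's lazy ".*?404" could also hit a byte count such as "200 1404",
    # so the parsed status field is checked as well.
    if EXPLOIT_404.search(line) and m["status"] == "404":
        reasons.add("exploit_404")
    if "/mifs/c/" in m["path"] and "store/fob/" in m["path"] and SHELL_TOKENS.search(m["path"]):
        reasons.add("shell_in_params")
    return reasons

def summarize(lines):
    """Collect flagged lines and count exploit-style 404s per source address."""
    hits, per_ip = [], Counter()
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, sorted(reasons)))
        if "exploit_404" in reasons:
            per_ip[LINE.match(line)["client"]] += 1
    return hits, per_ip
```

Feed `summarize()` the lines of the forwarded access log rather than the on-box file; any source address with more than one exploit-style 404 matches the "multiple 404 responses from the same source IP" indicator.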
Post-Exploitation Indicators:
- Unauthorized administrator accounts in EPMM
- Unexpected database queries against mifs_ldap_server_config, mifs_ldap_users, or mi_user tables
- Unusual file creation in /tmp/ directory
- Suspicious outbound connections from EPMM servers
Abstract Security Detection
Abstract Security customers have a high-fidelity detection rule available that identifies exploitation attempts in real-time. The rule monitors for:
- HTTP 404 responses to /mifs/c/aftstore/fob/ or /mifs/c/appstore/fob/
- Non-localhost source addresses (excludes legitimate heartbeat traffic)
Key Advantage: Our detection operates on off-box logs forwarded to the Abstract Security platform, ensuring visibility even if attackers manipulate on-box logs after compromise.
If this detection triggers, immediately validate patch status, review source IPs, and search for GET requests containing bash commands.
Recommendations
Immediate Actions:
- Apply security patches - Check Ivanti's advisory and patch immediately
- Search access logs - Use the regex above to identify exploitation attempts in SIEM/log aggregator
- Isolate unpatched systems - Remove from internet if patching cannot be done immediately
- Enable off-box log forwarding - Configure real-time Apache log forwarding to SIEM
- Rotate credentials - Change all administrative passwords and service account credentials
Detection and Monitoring:
- Implement automated monitoring for the detection regex pattern
- Deploy alerts for GET requests with bash commands in parameters
- Enable comprehensive logging with real-time off-box forwarding
- Establish 24/7 monitoring for EPMM platforms
- Verify log integrity monitoring to detect tampering
Risk Assessment:
- Identify all EPMM deployments, including forgotten or shadow IT instances
- Determine which instances are internet-accessible
- Evaluate cloud integration and identify stored access tokens
- Review network segmentation and implement stricter controls
Response Planning:
- Develop incident response procedures for EPMM compromise scenarios
- Establish communication channels for escalation
- Plan for complete server rebuild if compromise is detected
- Coordinate with Ivanti support for incident response assistance
Conclusion
CVE-2026-1281 and CVE-2026-1340 represent critical threats to organizations using Ivanti EPMM. The distinctive 404 response signature provides clear detection opportunities, but organizations must act immediately to:
- Apply available patches
- Search access logs for exploitation attempts using the provided regex
- Implement off-box log forwarding and monitoring
- Isolate unpatched systems
- Conduct forensic reviews if exploitation is detected
CISA's KEV catalog inclusion signals active exploitation is occurring now. Successful compromise provides attackers with control over entire mobile fleets, access to cloud service tokens, and the ability to bypass multi-factor authentication.
Abstract Security customers benefit from real-time detection operating on off-box logs, providing immediate visibility into exploitation attempts with automatic finding creation and MITRE ATT&CK context.
Organizations should not wait: every hour of delay increases the risk of compromise.
Additional Resources
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Ivanti Security Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340
