CVE-2026-1281 Ivanti Endpoint Manager Mobile Code Injection Vulnerability
BLUF
Unauthenticated attackers can execute arbitrary code (RCE) remotely on Ivanti Endpoint Manager Mobile (EPMM) versions 12.5.0.0, 12.6.0.0, 12.7.0.0, 12.5.1.0, 12.6.1.0 and earlier by exploiting a new, critical vulnerability.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by active exploitation of Ivanti Endpoint Manager Mobile via CVE-2026-1281 remote code execution, financial exposure extends well beyond technical remediation due to the system’s role in mobile device trust, credentials, and administrative access.
· Low-end total cost: $350K – $750K
o (rapid detection, limited dwell time, no confirmed data exfiltration)
· Typical expected range: $1.2M – $3.5M
o (compromise of EPMM server, forensic response, mobile fleet review)
· Upper-bound realistic scenarios: $5M – $9M
o (credential exposure, regulatory reporting, follow-on security incidents)
Key Cost Drivers
· Scope of mobile device inventory requiring review or re-enrollment
· Duration of attacker persistence prior to detection
· Presence of regulated or sensitive data in EPMM (PII, credentials, keys)
· Need for external forensics, legal counsel, and crisis communications
· Secondary incidents enabled by stolen credentials or tokens
Critical infrastructure
· Government
· Finance
· Large enterprises using Ivanti EPMM for mobile device management.
Potentially Impacted Countries
· Global
Date of First Reported Activity
· Reported in January 2026
Date of Last Reported Activity Update
· January 29, 2026
Tools Used in Campaign
· Custom malicious Java classes (listeners) deployed via API, similar to 2025 activity which utilized Apache Tomcat servlets.
TTPs
Initial Access
· T1190 Exploit Public-Facing Application
o Attackers target the exposed Ivanti EPMM API component to gain an initial foothold.
Execution
· T1203 Exploitation for Client Execution
o In some Ivanti EPM variations, attackers join fake managed endpoints to poison administrator dashboards with malicious JavaScript, which executes when an admin views the page.
· T1059.003 Command and Scripting Interpreter
o Windows Command Shell: Exploitation often leads to the execution of commands via cmd.exe or powershell.exe to establish further control.
Persistence
· T1505.003 Server Software Component Web Shell
o Actors have been observed deploying malicious listeners or web shells (as documented in CISA Malware Analysis Report AR25-261A) to maintain access.
Defense Evasion
· T1070 Indicator Removal
o Threat actors may clear system logs or modify web server configurations to hide their presence after initial code injection.
Exfiltration
· T1020 Automated Exfiltration
o Once code execution is achieved, attackers use the compromised server to exfiltrate sensitive device data or credentials.
CVSS 3.1
· (9.8) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nessus ID
· Not Applicable at this time
Is this on the KEV List?
· Yes
What is the CISA Patch by date?
· February 01, 2026
Patch Release Date
· January 29, 2026
URL Link to Patch Information
· hxxps://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340
IOCs
API Misuse
· Monitor for unusual, high-frequency, or malformed requests to the /mifs/rs/api/v2/ endpoint.
Suspicious File Creation
· Check the /tmp directory for anomalous files, particularly Base64-encoded scripts or persistent "listeners" designed to execute arbitrary code.
Anomalous Account Activity
· Look for the unauthorized creation of new administrative user accounts.
Malware Names
· There has been no malware directly associated with CVE-2026-1281 at this time.
Malware Family
· Malicious Servlet Listener, often disguised as system utilities (e.g., ReflectUtil, WebAndroidAppInstaller variants).
SHA256
· Unknown at this time
Known Decoding Key
· Hardcoded AES key used in previous variants for decrypting malicious payload parameters.
Verdict
· CRITICAL. High risk of full system compromise.
Primary Objectives
· Initial access
· Persistence
· Data exfiltration of mobile device management data
· Potential lateral movement into corporate networks.
Behavior Analysis
· Attackers send crafted HTTP requests to the EPMM admin interface
· Triggers deserialization or code injection
· Drops a persistent listener in the Apache Tomcat directory.
Suggested Rules / Potential Hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
Suricata
· Detects common java.lang.Runtime invocation strings often used in these types of Ivanti exploits.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Ivanti EPMM Java EL Injection (CVE-2026-1281)"; flow:established,to_server; content:"/mifs/rs/api/v2/"; http_uri; content:"java.lang.Runtime"; http_uri; classtype:web-application-attack; sid:1000001; rev:1;)
· Monitors for external command execution attempts within the format parameter of the API.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Suspicious format parameter in Ivanti API (Possible CVE-2026-1281)"; flow:established,to_server; content:"?format="; http_uri; pcre:"/exec\(.*\)/U"; classtype:web-application-attack; sid:1000002; rev:1;)
SentinelOne
· Detect the Ivanti web server (typically running under tomcat or java) spawning a command shell.
ProcessName In ( "sh", "bash", "cmd.exe", "powershell.exe" ) AND ParentProcessName In ( "java", "tomcat", "httpd" )
· Suspicious File Creation in /tmp or Web Dirs
FileAction = "Create" AND ( FilePath Contains "/tmp/" OR FilePath Contains "/mifs/rs/api/v2/" ) AND ( FileExtension In ( "jar", "class", "sh", "jsp" ) )
· Monitor for unusual activity targeting the vulnerable API endpoints often utilized in EPMM RCE chains.
NetworkUrl Contains "/mifs/rs/api/v2/" AND NetworkMethod = "POST"
Splunk
· Monitor your web server logs (e.g., Apache/Nginx logs from the EPMM appliance) for high-frequency or anomalous API requests.
o API Injection Pattern Search:
index=web_logs sourcetype=access_combined
uri_path="/mifs/rs/api/v2/*"
(uri_query="*java.lang.Runtime*" OR uri_query="*getRuntime*")
| table _time, src_ip, uri_path, uri_query, status
· Success of Exploitation (HTTP 200): Focus on successful requests to sensitive endpoints containing potential shell metacharacters.
index=web_logs sourcetype=access_combined
uri_path="/mifs/rs/api/v2/*" status=200
| rex field=uri_query "(?<injected_cmd>exec\([^)]+\))"
| where isnotnull(injected_cmd)
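The same hunt logic as the Splunk searches above, run offline over Apache combined-format access logs, as an added example that is not part of the original advisory. It URL-decodes the query string before matching so a percent-encoded or double-encoded indicator is not missed, and flags HTTP 200 responses on matched requests as possible successful exploitation; the log lines, client IPs and endpoint names are constructed placeholders.

```python
"""Hunt EPMM appliance access logs for the CVE-2026-1281 API-injection indicators
(java.lang.Runtime / getRuntime / exec(...) in the query string of /mifs/rs/api/v2/ requests).
Added example; log lines are constructed, endpoint names and IPs are placeholders."""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" access log format (assumed format of the appliance web logs).
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
API_PREFIX = "/mifs/rs/api/v2/"
INDICATORS = ("java.lang.Runtime", "getRuntime")   # strings from the advisory's searches
EXEC_RE = re.compile(r"exec\([^)]+\)")              # same pattern as the Splunk rex

def decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded payload still matches."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def hunt(lines):
    """Return one dict per suspicious request, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line; skip
        parts = urlsplit(m["uri"])
        if not parts.path.startswith(API_PREFIX):
            continue                       # only the API component is in scope
        query = decode(parts.query)
        reasons = [i for i in INDICATORS if i in query]
        if EXEC_RE.search(query):
            reasons.append("exec()")
        if reasons:
            hits.append({"time": m["time"], "src_ip": m["src_ip"], "path": parts.path,
                         "status": int(m["status"]), "reasons": reasons,
                         "possible_success": m["status"] == "200"})  # 200 on a flagged request
    return hits

SAMPLE_LOG = [  # constructed sample lines
    '198.51.100.5 - - [29/Jan/2026:10:00:01 +0000] "GET /mifs/rs/api/v2/example?format=json HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Jan/2026:10:02:13 +0000] "GET /mifs/rs/api/v2/example?format=java.lang.Runtime.getRuntime%28%29.exec%28...%29 HTTP/1.1" 200 87 "-" "curl/8.0"',
    '203.0.113.7 - - [29/Jan/2026:10:02:20 +0000] "POST /mifs/rs/api/v2/example?format=%2524%257Bjava.lang.Runtime%257D HTTP/1.1" 500 0 "-" "curl/8.0"',
    '192.0.2.9 - - [29/Jan/2026:10:03:00 +0000] "GET /example/path?x=getRuntime HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]
```

The fourth sample line carries an indicator outside the API prefix and is deliberately not flagged, mirroring the `uri_path` filter in the Splunk searches.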
References
Ivanti
· hxxps://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340
CVE Org
· hxxps://www.cve.org/CVERecord?id=CVE-2026-1281
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2026-1281
CISA KEV Catalog
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281