Ivanti Issues Urgent Fix for Critical Zero-Day Flaws Under Active Attack: CVE-2026-1281 (CVSS 9.8) & CVE-2026-1340 (CVSS 9.8)


Key Takeaways:

  • Critical Vulnerabilities: Ivanti EPMM servers are facing active exploitation via pre-authentication RCE flaws (CVE-2026-1281 and CVE-2026-1340).
  • APT28 Activity: Russian-linked threat actors are weaponizing a Microsoft Office zero-day (CVE-2026-21509) targeting government entities using COM hijacking.
  • Developer Targets: The Metro4Shell vulnerability (CVE-2025-11953) exposes developer machines via unauthenticated command execution in React Native bundlers.
  • Mandatory Remediation: Standard patching may be insufficient; integrity checks and server rebuilding are recommended for suspected compromises.


In late January 2026, a series of critical vulnerabilities emerged, targeting essential enterprise infrastructure and developer environments. Most notably, Ivanti issued an urgent fix for critical zero-day flaws under active attack, specifically addressing CVE-2026-1281 and CVE-2026-1340 within its Endpoint Manager Mobile (EPMM) software. These vulnerabilities allow unauthenticated remote code execution (RCE), providing attackers with a pathway to gain full administrative control over on-premise mobile device management (MDM) servers.

The exploitation of these vulnerabilities is not an isolated incident. Simultaneous reports indicate that state-sponsored actors and financially motivated groups are leveraging a Microsoft Office zero-day (CVE-2026-21509) and a critical React Native Metro bug (CVE-2025-11953) to breach corporate networks and developer systems. For organizations relying on legacy on-premise management tools, the current threat environment requires immediate technical intervention, as standard patching procedures may be insufficient to remediate active compromises.

Ivanti Issues Urgent Fix for Critical Zero-Day Flaws Under Active Attack

The vulnerabilities identified in Ivanti EPMM (formerly known as MobileIron Core) represent a significant risk to enterprise mobile security. Ivanti EPMM serves as a central hub for managing corporate applications and data on mobile devices. Because these servers are frequently exposed to the internet to facilitate device communication, they are high-value targets for initial access.

Technical Breakdown of CVE-2026-1281 and CVE-2026-1340

Both CVE-2026-1281 and CVE-2026-1340 are classified under CWE-94, which identifies code injection issues. With a CVSS score of 9.8, these flaws are characterized by low attack complexity and the lack of required user interaction or privileges.

Research conducted by security firm watchTowr indicates that the root cause lies in the software’s handling of “In-House Application Distribution” and “Android File Transfer” tasks. The EPMM system utilizes Bash scripts to process specific web requests. Attackers can submit a maliciously crafted HTTP request containing shell metacharacters. If the script does not sanitize these inputs, the operating system executes the injected commands with the privileges of the web server.

This methodology allows an unauthenticated actor to execute arbitrary code. Unlike previous vulnerabilities that required valid credentials, these zero-days allow for “pre-auth” RCE. Forensic analysis of compromised systems shows that attackers are using these entry points to establish persistent backdoors and move laterally through the internal network.
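The flaw class described above (user-controlled request data reaching a shell) and the triage a defender would run against web-server logs, as an added example that is not Ivanti's code; the script path, the parameter names and the sample query strings are constructed placeholders.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed example: a handler that hands a user-supplied file name to a
# shell script, mirroring the flaw class the article describes (shell
# metacharacters reaching a Bash script). The script path is a placeholder.
SCRIPT = "/opt/tools/transfer.sh"
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\"']")

def build_cmd_vulnerable(filename: str) -> str:
    # Interpolating into a command line that a shell will parse: any
    # metacharacter in filename is interpreted, so "a.apk; id" runs a
    # second command with the web server's privileges.
    return f"{SCRIPT} {filename}"

def build_cmd_hardened(filename: str) -> Optional[list[str]]:
    # Allowlist the value, then pass it as its own argv element with
    # shell=False; the shell never sees it, so metacharacters are inert.
    if not SAFE_NAME.fullmatch(filename):
        return None
    return [SCRIPT, filename]  # e.g. subprocess.run(argv, shell=False, check=True)

def suspicious_params(query: str) -> list[str]:
    # Triage helper for access logs: name the query parameters whose decoded
    # value carries shell metacharacters. Percent-encoding is undone first,
    # because that is how such characters normally arrive in a request.
    flagged = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        if SHELL_META.search(unquote_plus(raw)):
            flagged.append(unquote_plus(name))
    return flagged
```

Running the triage helper over the query strings of requests to the affected endpoints is a quick first pass before the deeper integrity checks the article recommends.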

The Temporary Patch Mechanism

Ivanti has released an emergency RPM patch to address the issue. However, this is a temporary fix with specific operational constraints. The RPM patch modifies the existing scripts but does not persist through version upgrades. If an administrator updates the EPMM software to a new version before the permanent 12.8.0.0 release (expected in Q1 2026), the security fix will be removed, and the system will return to a vulnerable state.

Security analysts emphasize that organizations currently exposing vulnerable instances to the internet should assume compromise. Threat actors have been observed clearing system logs to mask their presence. In cases where exploitation is suspected, rebuilding the server from a clean state is the only way to ensure the removal of hidden persistence mechanisms.

Exploitation of Microsoft Office Zero-Day CVE-2026-21509 by APT28

Parallel to the Ivanti disclosure, Microsoft confirmed active exploitation of CVE-2026-21509, a vulnerability in Microsoft Office. Within 24 hours of the public advisory on January 26, 2026, the Russia-linked threat actor UAC-0001 (also known as APT28) was observed weaponizing the flaw.

Campaign Logistics and Victimology

The campaign initially targeted Ukrainian government bodies and subsequently expanded to organizations within the European Union. Attackers utilized phishing emails containing malicious Word documents. One analyzed document, titled “Consultation_Topics_Ukraine(Final).doc,” specifically referenced the Committee of Permanent Representatives of the EU (COREPER), indicating a highly targeted social engineering approach.

Technical Execution and COVENANT Deployment

The attack chain for CVE-2026-21509 proceeds in several stages:

  1. Initial Access: The user opens a malicious document.
  2. WebDAV Connection: The document initiates a network connection to an external resource over the WebDAV protocol.
  3. Payload Delivery: A shortcut file is downloaded, which launches an executable file.
  4. COM Hijacking: The malware creates a malicious DLL, EhStoreShell.dll, and modifies the Windows registry for CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}.
  5. Persistence: A scheduled task named OneDriveHealth is created to maintain access.
  6. Command and Control (C2): The DLL executes shellcode that deploys the COVENANT framework, routing C2 traffic through the legitimate cloud storage service Filen (filen.io) so that it blends in with ordinary traffic and evades standard detection.
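Detection logic for the COM hijacking and persistence indicators named in the chain above (the CLSID, EhStoreShell.dll and the OneDriveHealth task), as an added example rather than code from the article; the registry export and schtasks listing it parses are constructed samples, and the DLL path is a placeholder.

```python
import csv
import io

# Indicators named in the article's description of the attack chain.
HIJACKED_CLSID = "{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
MALICIOUS_DLL = "ehstoreshell.dll"
SUSPICIOUS_TASK = "onedrivehealth"

def com_hijack_findings(reg_export: str) -> list[tuple[str, str]]:
    # Walk decoded `reg export` text: track the current [key] and report any
    # value under the hijacked CLSID that points at the malicious DLL. A
    # per-user (HKCU) Classes entry is the classic hijack location because
    # it takes precedence over the machine-wide HKLM registration.
    findings, current_key = [], ""
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif "=" in line and HIJACKED_CLSID.lower() in current_key.lower():
            value = line.split("=", 1)[1].strip().strip('"')
            if value.lower().endswith(MALICIOUS_DLL):
                findings.append((current_key, value))
    return findings

def suspicious_tasks(schtasks_csv: str) -> list[str]:
    # Parse `schtasks /query /fo csv` output and return task names whose leaf
    # name matches the persistence task (case-insensitive).
    names = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        task = row.get("TaskName", "")
        if task.rsplit("\\", 1)[-1].lower() == SUSPICIOUS_TASK:
            names.append(task)
    return names

# Constructed samples for illustration only; the DLL path is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32]
@="C:\\PLACEHOLDER\\EhStoreShell.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\Windows\\System32\\benign.dll"
'''

SAMPLE_TASKS = ('"TaskName","Next Run Time","Status"\n'
                '"\\OneDriveHealth","N/A","Ready"\n'
                '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\n')
```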

Supply Chain Risks: CVE-2025-11953 (Metro4Shell)

The third major threat involves the React Native Metro server. Tracked as CVE-2025-11953 and dubbed “Metro4Shell,” this vulnerability allows attackers to compromise developer systems by targeting the default JavaScript bundler for React Native projects.

Exploitation Mechanics

Metro servers often bind to external network interfaces during the development phase. The /open-url HTTP endpoint in the Metro server accepts POST requests containing user-supplied URLs. Because these URLs are passed unsanitized to the system’s open() function, attackers can execute arbitrary OS commands.

This represents a significant supply-chain risk, as developer machines often possess high-level access to source code repositories and internal production environments. With approximately 3,500 Metro servers currently exposed online, the potential for widespread developer-focused breaches is high.

Operational Takeaways and Technical Mitigations

For Ivanti EPMM Users:

  • Apply the RPM Patch Immediately: All organizations on versions 12.7.0.0 and earlier must apply the emergency patch.
  • Verification of Integrity: Check for unauthorized changes in the file system and unexpected network outbound traffic.
  • Plan for Permanent Upgrades: Ensure the update to version 12.8.0.0 is scheduled for Q1 2026.

For Office and Windows Environments:

  • Registry Configurations: Restrict WebDAV usage and monitor for COM hijacking indicators.
  • Network Filtering: Restrict access to known C2 infrastructure like filen.io.
  • Monitor Scheduled Tasks: Use EDR tools to flag suspicious tasks like OneDriveHealth.

For Development Teams:

  • Audit Metro Configurations: Ensure React Native Metro servers are not bound to external interfaces. Use version 20.0.0 or later of @react-native-community/cli-server-api.
  • Endpoint Protection: Do not allow development tools to bypass endpoint security.
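Two defender-side checks for the Metro exposure covered in this article, as an added example that is not the project's code: the URL allowlist a hardened /open-url style endpoint should apply before calling the OS opener (the Exploitation Mechanics section above), and an audit of whether a dev server is bound to a non-loopback interface (the first item above). It assumes Metro's default port 8081, and the ss -ltn output it parses is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not Metro's code. Metro listens on 8081 by default; the
# ss(8) listing below is a constructed sample.
ALLOWED_SCHEMES = {"http", "https"}
METRO_PORT = 8081

def open_url_is_acceptable(url: str) -> bool:
    # Allowlist for an "open this URL" endpoint: only web URLs with a host,
    # no whitespace or control characters. Bare paths, file: URLs and
    # scheme-less values are rejected before anything reaches the OS opener.
    if not url or any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)

def externally_bound_listeners(ss_output: str, port: int = METRO_PORT) -> list[str]:
    # Parse `ss -ltn` text and return the local address:port entries on
    # `port` that are not loopback, i.e. a dev server reachable from other
    # hosts. The header line is skipped naturally because "Port" is not a number.
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or ":" not in cols[3]:
            continue
        addr, _, port_str = cols[3].rpartition(":")
        if not port_str.isdigit() or int(port_str) != port:
            continue
        addr = addr.strip("[]")
        if addr == "*":  # wildcard bind covers every interface
            exposed.append(cols[3])
            continue
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                exposed.append(cols[3])
        except ValueError:
            exposed.append(cols[3])  # unparseable address: treat as exposed
    return exposed

SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:8081        0.0.0.0:*
LISTEN 0      511    127.0.0.1:8081      0.0.0.0:*
LISTEN 0      511    [::1]:8081          [::]:*
LISTEN 0      511    [::]:8081           [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""
```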

Professional Analysis of the Current Threat Landscape

The emergence of these vulnerabilities confirms that high-value targets remain the focus of sophisticated actors. The speed at which APT28 weaponized the Office zero-day demonstrates the necessity of a proactive cyber threat intelligence platform. Organizations can no longer rely on reactive patching; they must integrate real-time ransomware intelligence and live ransomware API feeds to understand attacker movements.

Threat actors are increasingly utilizing alternative communication channels for coordination. Utilizing a dark web monitoring service and Telegram threat monitoring has become essential for identifying leaked credentials. Furthermore, underground forum intelligence provides early warnings regarding the sale of access to compromised servers.

PurpleOps: Strategic Defense Against Zero-Day Exploitation

PurpleOps provides the infrastructure and intelligence necessary to navigate high-risk vulnerability windows. Our cyber threat intelligence services provide the context required to prioritize patches like those for CVE-2026-1281.

For organizations concerned about potential compromises, PurpleOps offers:

For a detailed assessment, visit our PurpleOps Solutions or contact our team directly.

Frequently Asked Questions

What are the CVSS scores for the Ivanti vulnerabilities?
Both CVE-2026-1281 and CVE-2026-1340 have been assigned a critical CVSS score of 9.8.

Is the Ivanti RPM patch a permanent fix?
No, it is a temporary measure. The patch will be overwritten during future software updates and must be replaced by the official 12.8.0.0 release.

Which threat actor is exploiting the Microsoft Office zero-day?
The Russia-linked group APT28 (also known as UAC-0001) has been identified as weaponizing CVE-2026-21509.

What is the main risk of the Metro4Shell vulnerability?
It allows unauthenticated remote command execution on developer machines, potentially compromising the entire software supply chain.

How can I verify if my Ivanti EPMM server was compromised?
Administrators should check for unauthorized file changes, cleared system logs, and unusual outbound network traffic to suspicious C2 domains.