Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released
Key Takeaways:
- Critical Ivanti Patching: Two zero-day vulnerabilities in Ivanti EPMM (CVE-2026-1281 and CVE-2026-1340) allow for unauthenticated remote code execution and require immediate patching.
- Destructive Malware: The Sandworm group has deployed DynoWiper against the Polish energy sector, utilizing Active Directory GPOs for rapid data destruction.
- Data Theft Trends: ShinyHunters continues to target major consumer platforms like Match Group and Panera Bread using advanced SSO bypass and voice-cloning techniques.
- Infrastructure Risks: Global disruption of the IPIDEA proxy network reveals how residential SDKs are weaponized by state-sponsored threat actors.
- Insider Espionage: The conviction of Linwei Ding highlights the severe risk of intellectual property theft within AI infrastructure development.
Table of Contents
- Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited
- Technical Analysis of the Ivanti EPMM Vulnerabilities
- Data Destruction Trends: The DynoWiper Incident in Poland
- Analysis of the DynoWiper Logic
- Ransomware and Data Theft: ShinyHunters Targeting Consumer Platforms
- Infrastructure Disruption: The IPIDEA Proxy Network
- Economic Espionage and Insider Threats: The Leon Ding Case
- Practical Takeaways for Technical and Non-Technical Readers
- PurpleOps Expertise in Modern Threat Mitigation
- Frequently Asked Questions
Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited
Ivanti recently issued security patches to address two critical-severity vulnerabilities in its Endpoint Manager Mobile (EPMM) solution. These flaws, identified as CVE-2026-1281 and CVE-2026-1340, were exploited as zero-day vulnerabilities prior to the release of the updates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply the fixes by February 1, 2026.
These developments necessitate immediate action for organizations utilizing EPMM, as the flaws allow for unauthenticated remote code execution (RCE). Integrating these findings into a broader cyber threat intelligence platform is essential for maintaining visibility into the activities of threat actors targeting enterprise infrastructure.
The two vulnerabilities, both carrying a CVSS score of 9.8, result from code injection weaknesses. They impact Ivanti EPMM versions 12.7.0.0 and prior, 12.6.1.0 and prior, and 12.5.1.0 and prior. While Ivanti has provided RPM patches, the company noted that these patches do not survive version upgrades. Administrators must reapply the patches if the appliance is upgraded before the release of version 12.8.0.0, scheduled for late Q1 2026.
Technical Analysis of the Ivanti EPMM Vulnerabilities
Technical analysis reveals that the flaws specifically affect the In-House Application Distribution and Android File Transfer Configuration features. Threat actors have utilized these flaws to gain arbitrary code execution on the appliance, leading to the deployment of web shells and reverse shells for persistent access. Beyond lateral movement, compromised EPMM appliances expose sensitive data regarding all managed devices.
Researchers from watchTowr Labs reverse-engineered the Ivanti patches. Their analysis indicates that the RPM fixes modify the Apache HTTPd configuration to replace two Bash shell scripts, /mi/bin/map-appstore-url and /mi/bin/map-aft-store-url, with Java classes. The vulnerability is exploitable via a specially crafted HTTP GET request.

The Bash script /mi/bin/map-appstore-url allows the retrieval of mobile applications based on parameters including a salt index (kid), start time (st), end time (et), and a SHA256 hash (h). An attacker can manipulate these parameters to execute commands. For instance, a request targeting the /mifs/c/appstore/fob/ endpoint causes Apache to execute the Bash script with input that includes the Host header and endpoint path, facilitating command injection.
Organizations can detect exploitation attempts by inspecting the Apache access log located at /var/log/httpd/https-access_log. The following regular expression pattern can be used for identification:
^(?!127\.0\.0\.1:\d+.*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
Legitimate traffic results in a 200 HTTP response code, while successful or attempted exploitation typically triggers a 404 response. Evidence of compromise may also include unauthorized administrative changes, new push applications, or modifications to VPN configurations.
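The detection rule above, applied to a handful of constructed access-log lines (added example, not code from the page or from Ivanti or watchTowr). Because the published pattern accepts "404" anywhere after the path, the script also runs a stricter variant (an assumption about the log layout: "client:port" as the first field, then the combined-log fields) that anchors the status to the field after the quoted request.

```python
import re

# Detection pattern exactly as published for Ivanti EPMM exploitation attempts.
EPMM_PATTERN = re.compile(
    r"^(?!127\.0\.0\.1:\d+.*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# Stricter variant (assumption: combined log format with client:port first).
# The HTTP status must be the field directly after the quoted request, so a
# "404" appearing in the byte count or User-Agent cannot cause a false hit.
STRICT_PATTERN = re.compile(
    r'^(?!127\.0\.0\.1:\d+)\S+ \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ [^"]*?/mifs/c/(aft|app)store/fob/[^"]*" 404 '
)

# Constructed sample lines; not taken from a real appliance.
SAMPLE_LOG = """\
10.0.0.5:51234 - - [27/Jan/2026:10:15:32 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 196 "-" "curl/8.0"
127.0.0.1:44320 - - [27/Jan/2026:10:15:33 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 196 "-" "-"
10.0.0.7:51300 - - [27/Jan/2026:10:16:01 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8:51301 - - [27/Jan/2026:10:16:02 +0000] "GET /mifs/c/aftstore/fob/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
10.0.0.9:51302 - - [27/Jan/2026:10:17:00 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 200 404 "-" "Mozilla/5.0"
10.0.0.3:51303 - - [27/Jan/2026:10:18:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def find_suspicious(log_text: str, pattern: re.Pattern = EPMM_PATTERN) -> list[str]:
    """Return the client field (first token) of every line the pattern flags."""
    hits = []
    for line in log_text.splitlines():
        if pattern.search(line):
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    # The published regex also flags the 200-response line whose byte count is 404;
    # the strict variant reports only the two genuine 404 responses to the endpoint.
    print("published regex:", find_suspicious(SAMPLE_LOG))
    print("strict regex   :", find_suspicious(SAMPLE_LOG, STRICT_PATTERN))
```

Run it against the real file with `find_suspicious(open("/var/log/httpd/https-access_log").read())`; any hit from a non-loopback address warrants a review of admin changes, push applications and VPN configuration as described above.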
Data Destruction Trends: The DynoWiper Incident in Poland
In late December 2025, a new data-wiping malware named DynoWiper was deployed against an energy sector company in Poland. ESET researchers attributed this activity to Sandworm, a Russia-aligned threat group (GRU Unit 74455). The attack utilized TTPs similar to those observed in the ZOV wiper incidents in Ukraine.
DynoWiper was deployed as several executables, including schtask.exe and schtask2.exe, located in the C:\inetpub\pub\ directory. The malware overwrites file contents using a 16-byte buffer of random data. The deployment method involved Active Directory Group Policy Objects (GPOs). Sandworm typically leverages Domain Admin privileges to distribute malware across a network.
In this Polish incident, the attackers also attempted to use tools like Rubeus for Kerberos attacks and rsocx for SOCKS5 proxying. They also attempted to dump the LSASS process memory via Windows Task Manager. Access to real-time ransomware intelligence and underground forum intelligence can assist organizations in recognizing these TTP shifts before deployment occurs.
Analysis of the DynoWiper Logic
DynoWiper’s destructive capability is characterized by its speed and its exclusion of system-critical paths to ensure the malware finishes its routine before the OS becomes unstable. The exclusion list includes system32, windows, program files, and appdata.
The malware operates in three phases:
- Phase 1: Wipes files on all drives except for the excluded directories.
- Phase 2: Revisits the root directories and removes exclusions for top-level folders to target remaining files.
- Phase 3: Forces a system reboot via a shutdown command.
The use of a live ransomware API can help defenders stay updated on the file extensions and directory patterns typically targeted by such destructive malware.
Ransomware and Data Theft: ShinyHunters Targeting Consumer Platforms
The ShinyHunters group has recently claimed responsibility for several large-scale data breaches affecting Match Group and Panera Bread. For Match Group, the group allegedly stole 10 million records containing usage data and internal documents. For Panera Bread, the group claimed to have stolen 14 million records containing PII.
The group appears to be utilizing single-sign-on (SSO) platforms for initial access and voice-cloning techniques to bypass security controls. These breaches highlight the necessity of brand leak alerting to monitor for the exposure of corporate and customer data on the dark web. Organizations must prioritize breach detection and the monitoring of SSO logs to identify unauthorized access patterns.
Infrastructure Disruption: The IPIDEA Proxy Network
Google’s Threat Intelligence Group (GTIG) recently disrupted IPIDEA, a China-based residential proxy network. This network provided infrastructure for cybercriminals, espionage groups, and data thieves. The disruption resulted in a 40% reduction in IPIDEA’s active proxy network, though approximately 5 million distinct bots remain active.
The IPIDEA network grew by paying app developers to embed SDKs into their applications, turning consumer devices into proxy nodes without user knowledge. Google observed over 550 threat groups using these exit nodes for password-spray attacks. The use of a dark web monitoring service and Telegram threat monitoring can provide early warning of when these proxy services are being utilized.
Economic Espionage and Insider Threats: The Leon Ding Case
Former Google engineer Linwei Ding was convicted in January 2026 on counts of economic espionage and theft of trade secrets. Ding stole over 2,000 documents related to Google’s AI infrastructure, including details on TPU chips and GPU systems.
Ding concealed his actions by copying data into Apple Notes, converting them to PDFs, and uploading them to personal accounts. He also used badge-scanning deception to hide his physical location. This case emphasizes the importance of internal supply-chain risk monitoring and behavioral analysis to detect data exfiltration by insiders.
Practical Takeaways for Technical and Non-Technical Readers
For Technical Staff:
- Ivanti Remediation: Apply RPM patches immediately. Reapply if the appliance version is upgraded.
- Wiper Defense: Implement strict GPO hardening and limit Domain Admin privileges.
- Log Monitoring: Centralize logs from SSO platforms and MDM solutions to detect anomalous login patterns.
- Proxy Identification: Block known exit nodes of residential proxy networks like IPIDEA.
For Business Leaders:
- Insider Risk: Review intellectual property access controls and monitor unusual data movement.
- Third-Party Risk: Ensure vendors have documented processes for patching zero-day vulnerabilities within 24-48 hours.
- Data Privacy: Understand that PII theft leads to long-term reputational damage and targeted phishing.
- Incident Response: Ensure IR plans include “total loss” scenarios and maintain immutable backups.
PurpleOps Expertise in Modern Threat Mitigation
PurpleOps provides comprehensive security solutions designed to address the complexities of unauthenticated RCE and destructive malware. Our expertise in supply-chain risk monitoring ensures that vulnerabilities in platforms like Ivanti are identified and mitigated. Through our cyber threat intelligence platform, we provide the visibility needed to track actor TTPs.
Our dark web monitoring service allows for the proactive identification of leaked credentials, while our specialized penetration testing services identify weaknesses in MDM infrastructure. By integrating Protect Against Ransomware strategies, PurpleOps empowers technical teams to defend against destructive threats.
Frequently Asked Questions
How do I check if my Ivanti EPMM has been compromised?
Inspect the Apache access logs at /var/log/httpd/https-access_log using the regex pattern: ^(?!127\.0\.0\.1:\d+.*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404. Look for unexpected 404 responses or unauthorized admin changes.
What makes DynoWiper different from standard ransomware?
Unlike ransomware, which encrypts data for a ransom, DynoWiper is pure wiping malware designed for destruction. It overwrites files with random data and specifically excludes certain system folders to ensure it can finish wiping the drive before the system crashes.
Why do the Ivanti patches need to be reapplied after an upgrade?
The current RPM patches are interim fixes that modify the configuration of the appliance. These changes are overwritten during a full version upgrade. This requirement will remain until version 12.8.0.0 is released in late Q1 2026.
What is a residential proxy network like IPIDEA?
It is a network of legitimate consumer devices (phones, computers) that are used as “exit nodes” by others. Threat actors use these to hide their true location by routing traffic through a home user’s IP address, making the traffic appear legitimate to security filters.