HARDENED
Cybersecurity Intelligence
Daily Briefing  ·  Friday, April 3, 2026  ·  hardened.news
>  The signal. Not the noise.    For teams that defend.
Lead Story
Critical · IT Ops · Mobile · Enterprise
Your MDM Manages Every Mobile Device in Your Organization. Ivanti EPMM Let Attackers Into the Console Without a Password — and the Patch Disappears Every Time You Update.
Two zero-days in Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340, both CVSS 9.8 — allow any unauthenticated attacker to run arbitrary commands on the platform that manages your organization’s enrolled devices, push certificates, email accounts, and compliance policies. Approximately 1,600 EPMM instances remain reachable on the public internet. Exploitation was confirmed before disclosure, and mass scanning and exploitation activity has continued through March 2026. Ivanti released a temporary hot-fix — but it is silently removed every time you apply a subsequent EPMM version update. If you applied the patch and then updated EPMM, you are likely vulnerable again.

CVE-2026-1281 and CVE-2026-1340 both stem from the same class of vulnerability: unsafe evaluation of attacker-controlled input inside server-side Bash scripts. Ivanti EPMM’s web-accessible endpoint accepts incoming requests and passes parts of the URL path into a shell script for processing. Due to a Bash arithmetic expansion bug, an attacker-controlled string embedded in the path is interpreted by the shell as executable code. The server runs it. CVE-2026-1281 exploits paths beginning with /mifs/c/appstore/fob/; CVE-2026-1340 exploits a parallel path in EPMM’s Android File Transfer mechanism. Both require no authentication, no credentials, and no interaction from any EPMM user. Unit 42 and watchTowr independently published technical analyses confirming the vulnerability mechanism and demonstrating working remote code execution.
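
The bug class described above, as an added example that is not Ivanti's code and not taken from the cited analyses: a shell function that substitutes an untrusted path segment straight into an arithmetic context, beside a guard that validates the segment before any expansion happens. Function names and inputs are constructed.

```shell
# Added example, not Ivanti's code: the generic Bash/sh footgun behind the bug
# class described above. Function names and inputs are constructed.

# UNSAFE: whatever arrives in $1 is substituted into an arithmetic context,
# where the shell parses it as an expression rather than as literal text.
# In Bash an expression may contain array subscripts, and a subscript may
# contain $(...), which is how "an expression" becomes command execution.
unsafe_page_offset() {
    echo $(( $1 * 10 ))
}

# Guard: accept only a short run of ASCII digits, checked before any expansion.
# POSIX case-pattern matching, so the check itself evaluates nothing.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;    # empty, or contains a non-digit
    esac
    [ "${#1}" -le 9 ]               # length bound keeps the value in range
}

# SAFE: validate first; arithmetic runs only on a value proven to be numeric.
safe_page_offset() {
    if ! is_uint "$1"; then
        echo "rejected non-numeric segment" >&2
        return 1
    fi
    echo $(( $1 * 10 ))
}
```

Feeding the string `1+1` to the unsafe function yields 11, not an error, which is the tell that the input was parsed as an expression; the guarded function rejects the same string before the shell ever sees it.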

CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities catalog on January 29, 2026, the same day Ivanti disclosed the flaws publicly, and set a three-day federal remediation deadline of February 1. Exploitation was confirmed prior to disclosure — Ivanti acknowledged in-the-wild use before the advisory was published. The Shadowserver Foundation subsequently detected approximately 1,600 internet-exposed EPMM instances, and Telekom Security documented mass scanning and exploitation attempts continuing through March 2026, with individual actors observed targeting over 500 distinct machines. The Shadowserver data suggests a meaningful share of those 1,600 instances have not yet received a working permanent fix.

The remediation picture is unusually complicated. Ivanti initially released hot-fix patches for EPMM versions 11.10, 11.9, and earlier series. The critical issue: if an organization applied one of those hot-fixes and subsequently updated EPMM to any newer minor or major version, the hot-fix code was overwritten and the vulnerability was re-introduced. Ivanti has acknowledged this behavior and committed to including a permanent, update-safe fix in EPMM version 12.8.0.0, which was scheduled for Q1 2026 release. Organizations that applied the earlier hot-fix and later upgraded EPMM should treat their environment as unpatched until version 12.8.0.0 has been confirmed installed. Rapid7 has published a detection module; CrowdSec offers a real-time blocklist of known EPMM exploitation sources.

The consequence of EPMM compromise extends well beyond the server itself. Ivanti Endpoint Manager Mobile is the platform that enrolls devices, distributes MDM profiles, maintains the Apple Push Notification Service certificates and Google FCM authentication keys that allow your MDM to communicate with enrolled devices, manages application deployment and VPN configuration, and records compliance posture for every enrolled device in an organization. An attacker with RCE on the EPMM server can enumerate the complete enrolled device inventory, read MDM enrollment credentials, and potentially push malicious profiles to enrolled devices — all through the management interface that your IT team uses to monitor and protect mobile endpoints. Sectors confirmed as affected include healthcare, government, finance, technology, manufacturing, retail, and logistics. Unit 42 has observed active exploitation targeting organizations in the United States, Germany, Australia, and Canada.

→ Key Takeaway
Verify whether Ivanti EPMM 12.8.0.0 — the first release containing a permanent fix — is now available, and upgrade immediately if it is. If your current build is an earlier version with a hot-fix applied, check your exact build number: any EPMM version update applied after the hot-fix silently removed the fix and left you vulnerable. Verify with Ivanti’s support portal which builds contain the permanent patch. Check the Shadowserver EPMM dashboard to see whether your external EPMM IP appears in their exposure list. Review EPMM server outbound connection logs for unexpected destinations. If you cannot immediately upgrade, restrict EPMM’s management interface to trusted network segments and monitor for anomalous MDM profile push activity. CVE-2026-1281 is in CISA’s Known Exploited Vulnerabilities catalog and confirmed actively exploited — this is not a theoretical risk.
Quick Hits
01
SolarWinds Web Help Desk Is on Its Third Consecutive Patch Bypass — and Warlock Ransomware Is Actively Exploiting It

CVE-2025-26399 (CVSS 9.8) is the third iteration of the same deserialization vulnerability in SolarWinds Web Help Desk’s AjaxProxy component: CVE-2024-28986 was the original flaw, CVE-2024-28988 was a bypass of the first patch, and CVE-2025-26399 is a bypass of the second. Each time, researchers discovered that the sanitization applied only when the request URI contained the string /ajax/; removing that substring from the path entirely skips the check. An unauthenticated attacker sends a crafted serialized Java object to the endpoint and achieves remote code execution on the WHD server. CISA added CVE-2025-26399 to the KEV catalog on March 9, 2026 following confirmed active exploitation by the Warlock ransomware crew. Post-compromise activity observed in Warlock campaigns includes deploying QEMU virtual machines to establish SSH backdoors and using Cloudflare tunnels for command-and-control — two techniques specifically designed to evade network-layer detection. Your IT help desk platform holds password reset workflows, infrastructure topology tickets, and credential data. If you are running WHD 12.8.7 or earlier, upgrade to version 12.8.7 HF1 or the 2026.1 release. Huntress →

Critical · IT Ops · Enterprise
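
The filter shape behind all three WHD CVEs, as an added example that is not SolarWinds code: an inspection gated on a request-URI substring, beside the same inspection anchored at the deserialization sink where it cannot be routed around. Paths, function names and the hex-encoded bodies are constructed; the Java stream magic `aced0005` is the real header value.

```shell
# Added example, not SolarWinds code: the route-keyed filter described above,
# beside a check anchored at the deserialization sink. Paths and bodies are
# constructed; bodies are passed as hex strings for a shell-only demonstration.

# Serialized Java streams begin with the magic bytes AC ED 00 05 ("aced0005").
looks_like_java_stream() {
    case "$1" in
        aced0005*) return 0 ;;
    esac
    return 1
}

# FLAWED: the inspection is gated on a substring of the request URI. A request
# that reaches the same handler through a path lacking "/ajax/" is never
# inspected, which is the bypass pattern repeated across all three CVEs.
route_keyed_check() {    # $1 = request path, $2 = body as hex; returns 1 = block
    case "$1" in
        */ajax/*)
            if looks_like_java_stream "$2"; then return 1; fi ;;
    esac
    return 0
}

# SINK-ANCHORED: the inspection runs on every body handed to the deserializer,
# whatever route delivered it. Route-based gating is removed, not refined.
sink_anchored_check() {  # same arguments; returns 1 = block
    if looks_like_java_stream "$2"; then return 1; fi
    return 0
}
```

The same body that is blocked on `/app/ajax/proxy` passes the route-keyed check on `/app/proxy`; the sink-anchored check blocks it on either path and still lets an ordinary JSON body through.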
02
Windows RDS Zero-Day CVE-2026-21533 Turns Any Low-Privilege Account into SYSTEM — Confirmed Targeting Canadian and U.S. Organizations

CVE-2026-21533 (CVSS 7.8) is an elevation-of-privilege zero-day in Windows Remote Desktop Services that was patched in February 2026’s Patch Tuesday and immediately added to CISA’s Known Exploited Vulnerabilities catalog. CrowdStrike, which discovered and reported the flaw, observed a working exploit binary that manipulates a service configuration registry key — replacing its value with an attacker-controlled one to execute arbitrary code as SYSTEM. The attack requires only that the adversary already holds a low-privilege account or a code execution foothold on the target machine; from there, reaching SYSTEM is a single-step escalation. CrowdStrike’s telemetry placed in-the-wild exploitation as far back as late December 2025, with confirmed targeting of both U.S. and Canadian organizations. In environments that rely on Remote Desktop for VDI access, jump servers, or legacy application delivery, this flaw allows ransomware operators to convert any phished credential or initial access purchase into full domain-level control. The federal remediation deadline under BOD 22-01 was March 3; February’s cumulative update contains the fix. Cybersecurity News →

High · Windows · IT Ops · Enterprise
CVE Watch
Patch of the Day
CVE-2026-26144 · CVSS 7.5
Microsoft Excel’s Copilot Agent Bug Exfiltrates Your Workbook Data Without Opening the File

CVE-2026-26144 is an XSS vulnerability in Microsoft Excel where user-controlled content within a workbook is not correctly sanitized before Excel processes it for rendering. The practical consequence is novel: the malformed content causes Microsoft’s Copilot Agent mode to make outbound network requests that carry workbook data to an attacker-controlled endpoint. No macro execution, no file opening, and no user interaction beyond the workbook reaching the preview pane is required. Microsoft’s advisory confirms the zero-click nature of the disclosure path and describes the attack as requiring only network access — the attacker does not need a foothold on the victim’s machine. In enterprise environments where Excel workbooks routinely contain financial forecasts, M&A data, client lists, or payroll records, a malicious workbook delivered by email and previewed in Outlook’s reading pane is sufficient to trigger exfiltration. Microsoft rated the vulnerability Critical despite the CVSS 7.5 base score. No confirmed in-the-wild exploitation has been reported as of publication, but the technique represents an emerging class of AI tool weaponization in which an AI agent’s legitimate network access becomes an exfiltration path — one that traditional DLP sensors and SIEM rules are not yet tuned to detect. The fix is included in the March 10, 2026 Patch Tuesday update for Microsoft 365 Apps.

Vendor: Microsoft  ·  Patched: March 10, 2026 (Patch Tuesday)  ·  Exploited: No confirmed in-the-wild exploitation; technique is novel
Compliance Tip of the Day
NIST CSF 2.0 — DE.CM — Detect: Continuous Monitoring
The Tool You Use to Monitor Employee Devices Is the One Attackers Wanted Most

DE.CM-03 requires organizations to monitor personnel activity and technology usage to find potentially adverse events. In most mobile-first environments, that function depends entirely on your MDM platform: device compliance status, application inventory, network connection logs, and enrollment credentials all flow through it. CVE-2026-1281 and CVE-2026-1340 illustrate the blind spot this creates. If an attacker achieves pre-auth RCE on your EPMM server before your team detects the compromise, they can read your enrolled device inventory, intercept MDM profile changes, and — in some configurations — push malicious profiles to enrolled devices. They do not need to compromise individual devices; they compromised the platform that monitors them. Your DE.CM function is only as reliable as the security posture of the tools you use to implement it. Action: Treat your MDM server as Tier 0 infrastructure alongside your domain controllers and identity providers. Restrict network access to the EPMM management interface to trusted segments. Enable detailed audit logging on MDM profile changes and administrative API calls. Set up alerting for any EPMM process making unexpected outbound connections. And verify — build number by build number — that your current EPMM installation actually contains the permanent fix and not a hot-fix that was silently removed by a subsequent update.


This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.

Sources: Ivanti Security Advisory (CVE-2026-1281, CVE-2026-1340), ivanti.com · Unit 42 / Palo Alto Networks (Ivanti EPMM RCE analysis), unit42.paloaltonetworks.com · watchTowr Labs (Bash arithmetic expansion analysis), labs.watchtowr.com · Rapid7 (Ivanti EPMM zero-day ETR), rapid7.com · CISA KEV catalog (CVE-2026-1281 added January 29, 2026), cisa.gov/kev · Telekom Security (mass exploitation, March 2026), github.security.telekom.com · Shadowserver Foundation (1,600 exposed EPMM instances), shadowserver.org · Huntress (CVE-2025-26399 active exploitation), huntress.com · NetSPI (CVE-2025-26399 patch bypass analysis), netspi.com · CISA KEV catalog (CVE-2025-26399 added March 9, 2026), cisa.gov/kev · CrowdStrike (CVE-2026-21533 discovery and exploitation telemetry), crowdstrike.com · Cybersecurity News (CVE-2026-21533 analysis), cybersecuritynews.com · CISA KEV catalog (CVE-2026-21533 added February 10, 2026), cisa.gov/kev · The Register (CVE-2026-26144 Excel Copilot zero-click), theregister.com · TechRadar (CVE-2026-26144 analysis), techradar.com · Microsoft Security Update Guide (March 2026 Patch Tuesday), msrc.microsoft.com · NIST CSF 2.0, nist.gov/cyberframework
