- 74/2026
- Critical
Investigation confirmed successful web shell execution following the exploitation of Ivanti zero-day vulnerabilities (CVE-2026-1340 and CVE-2026-1281) on multiple organizations’ internet-facing Ivanti Endpoint Manager Mobile (EPMM) servers.
- With reference to Alert No. 18, “Ivanti Security Update – 01 February 2026”, EG-FinCIRT requests a comprehensive Compromise Assessment for Ivanti Endpoint Manager Mobile (EPMM) servers.
- Attackers might take advantage of RCE vulnerabilities to upload a web shell (e.g., .jsp, .aspx, .php) or drop a lightweight backdoor.
- Since no authentication is required, these servers present a directly reachable and attractive attack surface.
- Exploitation occurs via crafted HTTP requests to exposed EPMM features (e.g., app distribution/file transfer endpoints).
- Attackers inject OS-level commands for CVE-2026-1281, specifically abusing Bash arithmetic expansion in backend processing.
- Attackers deploy “sleeper” web shells that do not beacon immediately and blend into legitimate application files.
- Attackers will then attempt to escalate their privileges, establish persistence, and move laterally across the victim’s network.
Vulnerabilities
- CVE-2026-1340
- CVE-2026-1281
Mitigations
- EG-FinCIRT mandates all constituents to immediately prepare/implement a comprehensive Compromise Assessment for Ivanti Endpoint Manager Mobile (EPMM) servers and reply with results as soon as possible.
- Each organization is mandated to do the following:
  - Hunt for web shells and modified WAR/JSP files.
  - Monitor web server processes spawning shell processes.
  - Use file integrity monitoring on web application directories.
  - Inspect for dormant or low-noise persistence mechanisms.
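The following is an added illustration of the first three hunting tasks above (modified WAR/JSP hunting, web-server-to-shell process monitoring, and file integrity monitoring); it is example code written for this advisory, not tooling from EG-FinCIRT or Ivanti. The web application directory is a temporary directory built inline, the process events are constructed sample telemetry rather than real EPMM logs, and the parent/child process names and watched file suffixes are assumptions that a deployment would tune to its own baseline.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed process names for the web/application tier and for shells (tune per host).
WEB_SERVER_PARENTS = {"java", "tomcat", "httpd", "nginx", "apache2", "w3wp.exe"}
SHELL_CHILDREN = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh"}
# File types that would execute server-side if dropped into a web application directory.
WATCHED_SUFFIXES = {".jsp", ".jspx", ".war", ".class", ".jar", ".php", ".aspx"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large WAR files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_baseline(root, baseline: dict) -> dict:
    """Compare the directory against a known-good baseline and single out new or altered
    files whose suffix means the web server would execute them (web shell candidates)."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in current.keys() & baseline.keys() if current[k] != baseline[k])
    suspicious = sorted(k for k in added + modified if Path(k).suffix.lower() in WATCHED_SUFFIXES)
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def flag_shell_spawns(events: list) -> list:
    """Return process-creation events where a web/application server process is the
    direct parent of a shell, the pattern a command-injection web shell produces."""
    return [
        e for e in events
        if e["parent"].lower() in WEB_SERVER_PARENTS and e["child"].lower() in SHELL_CHILDREN
    ]


# Constructed sample process-creation telemetry (not real EPMM or EDR output).
SAMPLE_PROCESS_EVENTS = [
    {"ts": "2026-02-03T10:14:02Z", "parent": "java", "child": "sh", "cmdline": "sh -c id"},
    {"ts": "2026-02-03T10:14:05Z", "parent": "java", "child": "java", "cmdline": "java -version"},
    {"ts": "2026-02-03T10:15:11Z", "parent": "sshd", "child": "bash", "cmdline": "-bash"},
    {"ts": "2026-02-03T10:16:40Z", "parent": "httpd", "child": "bash", "cmdline": "bash -c whoami"},
]


def demo():
    """Build a constructed web application directory, baseline it, simulate post-incident
    changes, and run both checks. Returns (integrity report, flagged process events)."""
    with tempfile.TemporaryDirectory() as tmp:
        webapp = Path(tmp) / "webapp"  # constructed stand-in for a real deployment directory
        (webapp / "WEB-INF").mkdir(parents=True)
        (webapp / "index.jsp").write_text("<html>legit</html>")
        (webapp / "WEB-INF" / "web.xml").write_text("<web-app/>")
        baseline = build_baseline(webapp)  # taken from a known-good state, e.g. right after patching

        # Simulated changes: one new JSP, one altered JSP, one harmless log file.
        (webapp / "help.jsp").write_text("<%-- constructed placeholder file, not a real web shell --%>")
        (webapp / "index.jsp").write_text("<html>legit</html><!-- altered -->")
        (webapp / "access.log").write_text("GET / 200")
        report = diff_baseline(webapp, baseline)
    return report, flag_shell_spawns(SAMPLE_PROCESS_EVENTS)


if __name__ == "__main__":
    integrity, spawns = demo()
    print("web shell candidates:", integrity["suspicious"])
    for event in spawns:
        print("shell spawned by web tier:", event)
```

The baseline must come from a state you trust (vendor media or a freshly patched install), since a baseline taken after the compromise window would silently include a sleeper web shell. The process check is deliberately coarse; legitimate maintenance scripts on an application server do spawn shells, so the practical step is to record those known parent/child/command combinations during the assessment and treat everything outside that list as a finding.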
References
Egyptian Financial Computing Incident Response Team (EG-FinCIRT).
