
All news with #ivanti tag

45 articles

Critical Patches for Ivanti, Fortinet, SAP, VMware, n8n

🔒 Ivanti, Fortinet, SAP, VMware, n8n and dozens of other vendors have released security updates addressing multiple high- and critical-severity flaws that enable authentication bypass, information disclosure, local privilege escalation, and remote code execution. Highlights include a critical Ivanti Xtraction file-name control flaw (CVE-2026-8043), Fortinet authentication and sandbox execution bugs, SAP SQL injection and missing-auth issues, and a TOCTOU local privilege escalation in VMware Fusion. Administrators should prioritize applying the vendor-recommended patches immediately.

Weekly Recap: Linux Rootkits, Supply Chain and Cloud Breaches

⚡ This weekly recap highlights a string of active campaigns and exploited flaws affecting enterprise and cloud environments. Attackers weaponized vulnerabilities in Ivanti EPMM and Palo Alto PAN-OS, while a new modular Linux implant dubbed Quasar Linux (QLNX) pairs a kernel rootkit with a P2P mesh to resist takedowns. Several supply-chain compromises and credential-stealing campaigns are targeting cloud and developer tooling, and threat actors increasingly abuse legitimate RMM platforms for persistence.

Ivanti EPMM: Five Vulnerabilities, One Actively Exploited

🔐 Ivanti disclosed five vulnerabilities in its on‑premises Endpoint Manager Mobile (EPMM) suite, and one—CVE-2026-6973—has been added to CISA’s Known Exploited Vulnerabilities Catalog due to active exploitation. Updated EPMM releases resolving the issues are available and administrators are urged to apply patches and rotate administrative credentials immediately. The defects include improper input validation, access control failures, and certificate validation errors, and Ivanti says it is using AI tools to help identify additional vulnerabilities. Organizations should also review enrollment settings such as Apple Device Enrollment and assess whether legacy on‑premises MDM fits a Zero Trust model.

CISA Orders Federal Agencies to Patch Ivanti EPMM Zero-Day

⚠ CISA has ordered U.S. federal agencies to patch a high-severity vulnerability in Ivanti Endpoint Manager Mobile within four days after the flaw was observed exploited as a zero-day (CVE-2026-6973). Ivanti published updates (12.6.1.1, 12.7.0.1, 12.8.0.1) and urged customers to review and rotate Admin credentials. The issue requires administrative authentication, affects only on-prem EPMM appliances, and Shadowserver reports over 800 exposed instances online.

Ivanti EPMM RCE (CVE-2026-6973) Under Active Exploitation

🛡️ Ivanti warns of a high-severity flaw, CVE-2026-6973 (CVSS 7.2), in Endpoint Manager Mobile (EPMM) that has been observed in limited active exploitation and permits remote code execution for remotely authenticated users with administrative access. The issue affects on-premises EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1, and its fix was released alongside patches for four additional vulnerabilities. CISA added CVE-2026-6973 to its KEV catalog with a May 10, 2026 remediation deadline; Ivanti advises applying updates and rotating credentials as appropriate.

Ivanti warns of EPMM zero-day RCE; patches released

🔒 Ivanti is urging customers to patch a high-severity remote code execution flaw (CVE-2026-6973) in Endpoint Manager Mobile (EPMM) after limited zero-day exploitation. The weakness stems from improper input validation and affects on-prem EPMM 12.8.0.0 and earlier; Ivanti released fixes in 12.6.1.1, 12.7.0.1, and 12.8.0.1 and recommends reviewing and rotating admin credentials. The vendor also patched four additional high-severity EPMM issues and noted that Shadowserver currently sees over 850 exposed EPMM hosts online.

CISA Adds Ivanti EPMM Vulnerability to KEV Catalog

🔔 CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-6973, an Ivanti Endpoint Manager Mobile (EPMM) improper input validation flaw. CISA cites evidence of active exploitation and emphasizes the significant risk this class of vulnerability poses to the federal enterprise. The agency reminds FCEB agencies of remediation requirements under BOD 22-01 and strongly urges all organizations to prioritize timely fixes.

CISA Orders Federal Agencies to Patch Ivanti EPMM Flaw

⚠️ CISA has ordered U.S. federal agencies to remediate a critical Ivanti Endpoint Manager Mobile flaw (CVE-2026-1340) that has been exploited since January. The agency added the bug to its Known Exploited Vulnerabilities catalog and invoked BOD 22-01, giving agencies until Saturday, April 11 to patch or mitigate affected systems. Ivanti released fixes on January 29 and urged all customers to update immediately.

CISA Adds Ivanti EPMM Code Injection CVE to KEV Catalog

⚠️ CISA has added CVE-2026-1340, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The agency notes that code injection is a common, high-risk attack vector with significant implications for federal networks. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate identified KEV entries by the required deadlines, and CISA urges all organizations to prioritize timely fixes to reduce exposure.

Fake Enterprise VPN Installers Steal Company Credentials

🔒 A threat actor tracked as Storm-2561 is distributing spoofed enterprise VPN clients impersonating vendors such as Ivanti, Cisco, and Fortinet to harvest corporate VPN credentials. The campaign uses SEO poisoning to push victims to convincing fake vendor pages that link to a GitHub-hosted ZIP containing a malicious MSI installer. When run, the installer places a fake Pulse.exe, drops a loader (dwmapi.dll) and a Hyrax infostealer variant (inspector.dll), captures credentials and configuration files, then displays an installation error and redirects victims to the legitimate vendor site to avoid immediate suspicion.

CISA warns of active exploitation: Ivanti EPM, Cisco SD‑WAN

⚠️ CISA warns that an authentication-bypass bug in Ivanti Endpoint Manager (CVE-2026-1603), patched Feb. 9, is being actively exploited to leak stored credentials. The agency also added related SolarWinds and VMware defects to its Known Exploited Vulnerabilities catalog. CISA updated an emergency directive for Cisco SD‑WAN flaws (CVE-2026-20127, CVE-2022-20775), citing signs of long-running exploitation and imposing new reporting and log-submission requirements for federal agencies, including a March 26 deadline.

CISA: Actively exploited Ivanti EPM flaw patched quickly

🔴 CISA has added a recently patched Ivanti Endpoint Manager vulnerability (CVE-2026-1603) to its Known Exploited Vulnerabilities catalog and ordered federal agencies to remediate within three weeks. The flaw allows unauthenticated remote actors to bypass authentication and exfiltrate credentials via low-complexity cross-site scripting. Ivanti released EPM 2024 SU5 last month, which also addressed an SQL injection issue, and says it has no confirmed reports of exploitation while Shadowserver still tracks over 700 Internet-facing instances.

CISA Flags SolarWinds, Ivanti, and Workspace One Flaws

⚠️ CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog on Mar 10, 2026, citing evidence of active exploitation in SolarWinds Web Help Desk, Ivanti Endpoint Manager, and Omnissa Workspace One UEM. Federal civilian agencies were ordered to apply the SolarWinds fix by March 12 and remediate the other two flaws by March 23. The issues include a critical deserialization bug (CVE-2025-26399), an authentication bypass (CVE-2026-1603), and an SSRF (CVE-2021-22054) tied to ongoing threat activity.

CISA Adds Three Vulnerabilities to KEV Catalog, March 2026

⚠️ CISA has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2021-22054 (Omnissa Workspace ONE SSRF), CVE-2025-26399 (SolarWinds Web Help Desk insecure deserialization), and CVE-2026-1603 (Ivanti Endpoint Manager authentication bypass). BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate listed KEV entries by the specified deadlines. CISA strongly urges all organizations to prioritize timely patching and mitigation to reduce exposure to active exploitation.

CISA: RESURGE Malware Can Remain Dormant on Ivanti Devices

🔒 CISA warns that the RESURGE implant can remain latent on Ivanti Connect Secure devices, evading detection by awaiting a specific inbound TLS connection rather than beaconing to a command-and-control server. The 32-bit Linux Shared Object libdsupgrade.so hooks the web process, inspects TLS packets using a CRC32 fingerprint, and authenticates attackers with a forged Ivanti certificate. The agency notes related tools like liblogblock.so for log tampering and a kernel extraction script, and it urges administrators to use updated IoCs and hashes to discover and remove dormant infections.

CISA Updates RESURGE Malware Analysis, Highlights Stealth

🔒 CISA released an updated Malware Analysis Report detailing new findings on RESURGE, a sophisticated implant that exploits vulnerabilities to establish covert SSH-based command-and-control access. The update shows advanced network-level evasion, forged TLS certificates, and authentication techniques that allow RESURGE to remain dormant on Ivanti Connect Secure devices until an operator connects, evading routine scans. CISA publishes IOCs, detection signatures, and directs use of mitigation guidance for CVE-2025-0282 to aid defenders.

Attackers Exploit Ivanti EPMM Zero-Days in Active Campaign

🔴 Palo Alto Networks' Unit 42 warns that threat actors are actively exploiting two critical zero-day vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — in Ivanti Endpoint Manager Mobile (EPMM). Both flaws allow unauthenticated remote code execution, enabling attackers to seize MDM appliances and install web shells, cryptominers, or persistent backdoors that can survive initial patching. Unit 42 says more than 4,400 EPMM instances are internet-exposed, proof-of-concept exploits are public, and multiple sectors and countries have been targeted.

Critical Ivanti EPMM RCE Zero-Days Actively Exploited

🚨 Unit 42 reports two critical zero-day RCEs in Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 — are being actively weaponized. Both flaws arise from unsafe legacy bash script usage invoked via Apache RewriteMap and permit unauthenticated command execution through specially crafted HTTP GET requests. Observed activity includes reverse shells, JSP web shells, deployment of monitoring agents/cryptominers, and follow-on persistence. Apply vendor RPM patches immediately, hunt for web shells and backdoors, and engage incident response if compromise is suspected.

Single Threat Actor Behind 83% of Ivanti RCE Exploits

🛡️ GreyNoise telemetry indicates a single IP hosted by PROSPERO OOO is responsible for roughly 83% of active exploitation attempts against Ivanti Endpoint Manager Mobile (EPMM), targeting CVE-2026-21962 and CVE-2026-24061. Between Feb 1–9 researchers observed 417 exploit sessions from eight source IPs, with a sharp spike on Feb 8. Activity appears automated, using OAST-style DNS callbacks consistent with initial access broker behavior; Ivanti has released hotfixes and will issue full patches in Q1.

83% of Ivanti EPMM Exploits Traced to Single IP Address

🔍 GreyNoise attributes 83% of exploitation attempts against Ivanti Endpoint Manager Mobile (EPMM) to a single IP hosted on PROSPERO bulletproof infrastructure. Between Feb 1–9, 2026 it recorded 417 sessions from eight source IPs, with 346 sessions from 193.24.123[.]42. Activity targeted CVE-2026-1281 (CVSS 9.8), showed automated tooling patterns and DNS OAST callbacks, and involved rotation through 300+ user-agent strings. Defused Cyber also reported a dormant "/mifs/403.jsp" sleeper shell deployed to some EPMM instances.