
All news with #ivanti tag

45 articles · page 2 of 3

Cyberattack on European Commission Targets MDM System

🔒 The European Commission disclosed a late-January cyberattack that targeted its mobile device management (MDM) platform. Attackers may have accessed names and phone numbers of some staff, though the Commission says there is no evidence that mobile devices themselves were compromised; the incident was contained and the system cleaned within nine hours. Investigators say the breach could be linked to actively exploited vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), with public exploit code and high-severity CVEs reported.

European Governments Hit by Ivanti EPMM Zero-Day Breach

🔒 Several European government bodies reported breaches tied to a coordinated exploitation of Ivanti EPMM zero-day vulnerabilities disclosed on 29 January. Affected organizations include the European Commission, Finnish central agencies and at least two Dutch bodies, with as many as 50,000 Finnish staff details potentially exposed. Compromised data appears limited to names, work emails, phone numbers and device metadata; no device-level data has been confirmed. Authorities contained the incidents quickly, but security teams warn of elevated follow-on risks such as spearphishing, credential misuse and malicious configuration changes, and advise reassessing administrative credentials, keys and certificates.

Dutch Agencies Confirm Ivanti EPMM Zero-Day Breaches

🔒 Dutch authorities confirmed that the Dutch Data Protection Authority (AP) and the Council for the Judiciary reported system intrusions tied to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Investigators say unauthorized actors accessed work-related data such as names, business email addresses, phone numbers and device details. The European Commission and Finland's Valtori also reported traces of intrusion or breaches, with Valtori estimating up to 50,000 government employees affected.

European Commission: Mobile Management Platform Breach

🔒 The European Commission is investigating a breach after detecting traces of a cyberattack against its mobile device management platform on 30 January. The incident may have exposed some staff names and mobile numbers, but investigators say there is no evidence that individual mobile devices were compromised. The Commission says the affected system was contained and cleaned within nine hours. The activity is believed to be linked to exploitation of Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities.

Ivanti patches two critical EPMM RCE flaws under attack

🔒 Ivanti released stand‑alone RPM patches for Endpoint Manager Mobile (EPMM) to fix two unauthenticated code‑injection vulnerabilities, CVE-2026-1281 and CVE-2026-1340, each rated 9.8 by CVSS. The flaws affect EPMM’s In‑House Application Distribution and Android File Transfer Configuration features and are already being exploited in a limited number of customer environments. Administrators must manually install version-specific RPMs; Ivanti says a permanent fix will arrive in the 12.8.0.0 release.

Ivanti EPMM Zero-Days Allow Unauthenticated RCE, Patch Issued

⚠️ Ivanti has released security updates addressing two critical zero-day code-injection flaws in Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8) — which enable unauthenticated remote code execution and have been observed in limited attacks. One of the defects, CVE-2026-1281, was added to CISA’s KEV catalog, imposing a Federal remediation deadline of February 1, 2026. A temporary RPM patch is available for affected 12.x releases but does not persist through upgrades; Ivanti plans a permanent fix in EPMM 12.8.0.0 due Q1 2026. Customers are urged to check Apache access logs using the provided regex, inspect administrative and configuration changes, and restore or rebuild compromised appliances if indicators of attack are found.

Ivanti warns of two critical EPMM zero-day flaws exploited

⚠️ Ivanti disclosed two critical code-injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, both rated CVSS 9.8 and observed in limited zero-day exploitation. The flaws allow unauthenticated remote arbitrary code execution and exposure of administrator, user, and managed-device data. Ivanti published RPM hotfixes to mitigate affected builds, advised immediate application, and warned that the hotfixes must be reapplied after upgrades until a permanent 12.8.0.0 fix is released in Q1 2026.

CISA Adds Ivanti EPMM Code Injection to KEV Catalog

🔔 CISA added CVE-2026-1281, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities (KEV) Catalog after confirmed active exploitation in the wild. The advisory notes that code injection is a common and dangerous attack vector that can enable unauthorized execution and data compromise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities by set deadlines, and CISA strongly urges all organizations to prioritize timely remediation.

Ivanti EPM XSS Flaw Lets Attackers Hijack Admin Sessions

🔒 Ivanti has released a critical patch for an unauthenticated Cross-Site Scripting (XSS) flaw in EPM that can allow attackers to inject malicious device scan data via the incoming API and execute JavaScript in administrator dashboards, enabling full admin-session takeover. The vendor shipped EPM 2024 SU4 SR1 to address CVE-2025-10573 (CVSS 9.6) and other arbitrary-code and file-write vulnerabilities; Ivanti said it had not observed customer exploitation at disclosure.

Hidden .NET proxy behavior can enable RCE in many apps

⚠️ Researchers found that .NET HTTP client proxy classes will accept file:// and other non-HTTP schemes, invoking the filesystem handler and enabling attacker-controlled writes to arbitrary files. This unexpected behavior enabled proof-of-concept remote code execution via web shells and malicious PowerShell scripts in multiple products, including Barracuda, Ivanti, Umbraco, Microsoft PowerShell, and SQL Server Integration Services. Microsoft says it will not change the Framework behavior and places responsibility on application developers to avoid passing untrusted URLs and to validate WSDL imports.

SOAPwn: WSDL/SOAP Flaw Enables File Writes in .NET

🛡️ watchTowr Labs has disclosed SOAPwn, an "invalid cast" vulnerability in the .NET Framework that lets attackers abuse WSDL imports and dynamically generated SOAP client proxies to write files and achieve remote code execution. The issue impacts products including Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. Barracuda addressed the flaw in Service Center RMM 2025.1.1 (CVE-2025-34392, CVSS 9.8) and Ivanti issued fixes in EPM 2024 SU4 SR1 (CVE-2025-13659, CVSS 8.8). Researchers presented the findings at Black Hat Europe after disclosures in March 2024 and July 2025.

Critical Ivanti EPM Flaw Patched; Immediate Updates Urged

🔒 Ivanti released EPM 2024 SU4 SR1 to address a critical stored XSS vulnerability (CVE-2025-10573) that lets unauthenticated attackers hijack administrator sessions by submitting malicious device scan data to the incoming API. The update also fixes three high-severity flaws that can enable code execution with user interaction and an issue that permits unauthorized file writes. Ivanti said reports came through its responsible disclosure program and it was not aware of active exploitation at disclosure. Organizations with internet-facing or high-privilege EPM instances should apply the patch immediately and isolate management interfaces until updated.

Fortinet, Ivanti, and SAP Release Emergency Patches

🔐 Fortinet, Ivanti, and SAP have released urgent patches to address high-severity authentication and code-execution flaws affecting FortiOS, FortiWeb, FortiProxy, FortiSwitchManager, Ivanti Endpoint Manager, and multiple SAP products. Fortinet's issues (CVE-2025-59718, CVE-2025-59719; CVSS 9.8) can allow FortiCloud SSO bypass via crafted SAML messages when that feature is enabled. Ivanti patched a stored XSS (CVE-2025-10573; CVSS 9.6) and additional bugs that could lead to remote code execution, while SAP's update remedies three critical flaws including a 9.9 CVSS code injection. Administrators are urged to apply vendor updates or temporarily disable affected features until systems are patched.

Ivanti warns of critical Endpoint Manager code flaw

⚠️ Ivanti is urging customers to patch a critical vulnerability (CVE-2025-10573) in its Endpoint Manager (EPM) that allows unauthenticated remote actors to execute arbitrary JavaScript via low-complexity cross-site scripting that requires user interaction. Reported by Rapid7, the flaw lets attackers join fake managed endpoints to poison administrator dashboards and hijack admin sessions when viewed. Ivanti released EPM 2024 SU4 SR1 and addressed three other high-severity bugs, while Shadowserver reports hundreds of Internet-facing EPM instances.

Legacy Flaws in Network Edge Devices Threaten Orgs Today

🔒 Enterprises' network edge devices — firewalls, VPNs, routers, and email gateways — are increasingly being exploited through longstanding 1990s‑era classes of flaw such as buffer overflows, command injection and SQL injection. Researchers tracked dozens of zero‑day exploits in 2024 and continuing into 2025 that affected vendors including Fortinet, Palo Alto Networks, Cisco, Ivanti, and others. These appliances are attractive targets because they are remotely accessible, often lack endpoint protections and centralized logging, and hold privileged credentials, making them common initial access vectors for state‑affiliated actors and ransomware groups.

it-sa Highlights: Vendor Security and Access Solutions

🔒 At it-sa, vendors unveiled a slate of security, privacy and access offerings aimed at strengthening enterprise controls. Salesforce expanded its AI Agentforce into the Security Center and Privacy Center to automate threat detection, incident remediation and compliance prioritization. Ivanti reengineered Connect Secure 25.x with a security‑by‑design architecture including SELinux, a WAF, secure boot and disk encryption. Additional launches included Samsung Knox mobile credentials, KOBIL mPower and a Zurich/Deutsche Telekom cyber insurance plus MDR integration.

Chinese Hackers Exploit Enterprise Network Appliances

🔒 A Chinese state-sponsored group tracked as RedNovember carried out a global espionage campaign from June 2024 to July 2025, compromising defense contractors, government agencies, and major corporations by exploiting internet-facing network appliances. The attackers rapidly weaponized disclosed flaws in devices from SonicWall, Ivanti, Cisco, F5, Sophos, and Fortinet, often within 72 hours of public exploit code becoming available. They deployed Go-based tools including Pantegana, Cobalt Strike, and SparkRAT, and relied on open-source tooling and legitimate services to obfuscate attribution and maintain persistent access.

UNC5221 Deploys BRICKSTORM Backdoor Against US Targets

🛡️ Mandiant and Google’s Threat Intelligence Group report that the China‑nexus cluster UNC5221 has delivered the Go‑based backdoor BRICKSTORM to U.S. legal, SaaS, BPO, and technology organizations, frequently exploiting Ivanti Connect Secure zero‑days. BRICKSTORM uses a WebSocket C2, offers file and command execution, and provides a SOCKS proxy to reach targeted applications. The campaign prioritizes long, stealthy persistence on appliances that lack traditional EDR coverage, enabling lateral movement and access to downstream customer environments.

CISA Details Malware Kits Used in Ivanti EPMM Attacks

🔍 CISA released a technical analysis of malware used in attacks exploiting two Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, CVE-2025-4427 and CVE-2025-4428. The agency details two distinct malware sets that used a common web-install.jar loader and malicious listener classes to inject and execute code, exfiltrate data, and maintain persistence. Attackers targeted the /mifs/rs/api/v2/ endpoint via HTTP GET requests with a ?format= parameter, delivering segmented, Base64-encoded payloads. CISA published IOCs, YARA and SIGMA rules and advises immediate patching and treating MDM systems as high-value assets.

CISA Details Two Java Loaders Exploiting Ivanti EPMM Flaws

🔒 CISA released details of two malicious toolsets found on an organization's server after attackers chained zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Each set contains a Java loader that installs an HTTP listener to decode, decrypt and execute arbitrary payloads and maintain persistence. CISA urges updating EPMM, monitoring for suspicious activity, and restricting access to MDM systems.