Introduction
In February 2026, threat actors exploited two critical remote code execution (RCE) vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). A recent investigation by WithSecure’s STINGR Group revealed that attackers used highly automated methods to exfiltrate sensitive data from compromised servers within seconds.
Vulnerability Details
These zero-day vulnerabilities allow unauthenticated attackers to execute arbitrary code on the system hosting the affected software. The two critical vulnerabilities are:
- CVE-2026-1281: A pre-authentication RCE flaw with a CVSS v3 score of 9.8.
- CVE-2026-1340: Another pre-authentication RCE vulnerability, also carrying a critical severity score of 9.8.
The Hit-and-Run Exploitation Strategy
Threat actors opportunistically scanned the internet for vulnerable EPMM servers, sending specially crafted HTTP GET requests to confirm whether a target was vulnerable before proceeding with the attack.
Attack Methodology
During reconnaissance, attackers used time-based commands such as sleep calls to verify vulnerabilities. Successful attacks installed a Java-based webshell within the system’s 403.jsp error page by appending a base64-encoded payload, allowing execution of commands with root privileges.
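A defender reading the paragraph above will want a way to notice when a static error page such as 403.jsp has been modified. The following is an added example, not code from the article or from WithSecure: it compares the page against a known-good SHA-256 baseline and flags JSP scriptlet tags and long base64 blobs, which are the traits the article attributes to the injected webshell. The file content, the marker string and the baseline hash are all constructed for the example; the real payload format is not reproduced.

```python
"""Baseline check for JSP error pages (for example 403.jsp).

Added example: flags a page whose content no longer matches its baseline
hash, contains JSP scriptlet tags, or carries long base64 blobs.
"""
import base64
import hashlib
import re
from pathlib import Path

# Shortest run of base64 alphabet characters worth reporting (assumption).
MIN_B64 = 40
B64_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64)
# JSP scriptlet / declaration / expression opener; "<%--" comments are excluded.
SCRIPTLET_RE = re.compile(r"<%(?!--)")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_base64_blobs(text: str):
    """Return (encoded, decoded) pairs for runs that decode as valid base64."""
    blobs = []
    for match in B64_RE.finditer(text):
        candidate = match.group(0)
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        blobs.append((candidate, decoded))
    return blobs


def count_scriptlets(text: str) -> int:
    return len(SCRIPTLET_RE.findall(text))


def check_error_page(content: str, baseline_sha256: str) -> dict:
    """Compare page content with its baseline and report suspicious traits."""
    digest = sha256_hex(content.encode("utf-8"))
    blobs = find_base64_blobs(content)
    scriptlets = count_scriptlets(content)
    findings = []
    if digest != baseline_sha256:
        findings.append("content differs from baseline")
    if scriptlets:
        findings.append(f"{scriptlets} JSP scriptlet tag(s) present")
    if blobs:
        findings.append(f"{len(blobs)} base64 blob(s) of at least {MIN_B64} chars")
    return {
        "sha256": digest,
        "hash_match": digest == baseline_sha256,
        "scriptlet_count": scriptlets,
        "base64_blobs": [encoded for encoded, _ in blobs],
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


def check_file(path: Path, baseline_sha256: str) -> dict:
    """Convenience wrapper for a page on disk (path is the caller's choice)."""
    return check_error_page(path.read_text(encoding="utf-8", errors="replace"),
                            baseline_sha256)


# Constructed samples: a minimal clean page and the same page with a
# scriptlet appended. The marker text is a harmless placeholder, not the
# payload used in the campaign.
CLEAN_403 = "<html><body><h1>403 Forbidden</h1></body></html>\n"
MARKER_B64 = base64.b64encode(b"constructed placeholder, not a real payload").decode()
TAMPERED_403 = CLEAN_403 + '<% String data = "' + MARKER_B64 + '"; %>\n'
# Baseline hash recorded from the known-good page (constructed here).
BASELINE_403_SHA256 = sha256_hex(CLEAN_403.encode("utf-8"))


if __name__ == "__main__":
    for name, content in (("clean", CLEAN_403), ("tampered", TAMPERED_403)):
        result = check_error_page(content, BASELINE_403_SHA256)
        print(f"{name}: {result['verdict']} {result['findings']}")
```

The baseline hash is the decisive signal; the scriptlet and base64 heuristics exist so that a page with no recorded baseline still produces a useful finding. Long URL fragments or hashes embedded in legitimate markup can trip the base64 heuristic, so treat that finding as a prompt to diff the file, not as a verdict on its own.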
Data Exfiltration
On February 9th, an attacker completed a full-system compromise and data exfiltration in exactly six seconds. The threat actor used components from AntSword, an open-source offensive web framework, to streamline the attack process.
- The initial HTTP request installed the webshell.
- Subsequent requests loaded compiled Java classes into memory.
A first payload was designed for reconnaissance, collecting basic system information such as the operating system and user directories. A secondary payload required a newer Java runtime to execute terminal commands directly as the root user.
Data Theft Details
Using persistent access, attackers executed targeted commands to dump seven tables from the Ivanti MIFs database containing credentials, device metadata, and sensitive information belonging to managed mobile devices. System configuration files were also archived for rapid exfiltration via simple HTTP requests.
Covering Tracks
Following data theft, attackers deleted local files to cover their tracks, highlighting the severe risks associated with zero-day exploitation.
Original article: https://gbhackers.com/critical-ivanti-epmm-vulnerabilities/
