France CERT-FR Alerts

Ivanti EPMM Critical Vulnerabilities CVE-2026-1281 CVE-2026-1340

Ivanti has disclosed critical vulnerabilities CVE-2026-1281 and CVE-2026-1340 in Endpoint Manager Mobile (EPMM) affecting versions 12.5.0.x through 12.7.0.x without the relevant RPM patch scripts. The vulnerabilities allow unauthenticated remote code execution and are being actively exploited in targeted attacks. On February 6 2026 Ivanti released RPM scripts to detect indicators of compromise and published an analysis guide detailing HTTP request patterns and persistence mechanisms to search for in Apache access logs.

F5 BIG-IP APM RCE Vulnerability Actively Exploited

CERT-FR issued an alert on March 31, 2026 confirming that CVE-2025-53521, a critical remote code execution vulnerability in F5 BIG-IP Access Policy Manager, is being actively exploited in the wild as of March 29, 2026. The vulnerability affects all modules across versions 15.1.x prior to 15.1.10.8, 16.1.x prior to 16.1.6.1, 17.1.x prior to 17.1.3, and 17.5.x prior to 17.5.1.3. The alert provides detailed compromise indicators including specific file paths (/run/bigtlog.pipe, /run/bigstart.ltm), file hash discrepancies for /usr/bin/umount and /usr/sbin/httpd, and suspicious log entries in /var/log/restjavad-audit and /var/log/audit. CERT-FR recommends organisations conduct compromise assessments using F5's published indicators and apply available patches from F5 security bulletin K000156741.

Alert: Targeting of Instant Messaging Accounts Campaign

ANSSI and CERT-FR issued an alert on March 20, 2026 identifying increased cyberattack campaigns targeting instant messaging accounts in France. The attacks, attributed to joint work by the Centre de Coordination des Crises Cyber (C4), primarily target political figures, government executives, and civil society members in sensitive positions such as journalists and industrialists. Successful attacks allow threat actors to access conversation histories, take control of accounts, and send messages while impersonating victims. The alert was closed on April 20, 2026 but the agency notes the threat continues.