Summary: Ivanti has disclosed two critical code injection vulnerabilities in its Endpoint Manager Mobile (EPMM) product that enable unauthenticated remote code execution and have been exploited in zero-day attacks.
| Field | Value |
|---|---|
| OEM | Ivanti |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2026-1281, CVE-2026-1340 |
| POC Available | No |
| Actively Exploited | Yes (limited number of customers at disclosure) |
| Exploited in Wild | Yes (limited number of customers at disclosure) |
| Advisory Version | 1.0 |
Overview
One of the two vulnerabilities, CVE-2026-1281, has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog.
The flaws affect EPMM versions 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior. Ivanti confirmed that a very limited number of customers had been exploited at the time of disclosure.
Administrators should apply Ivanti's RPM scripts to mitigate the vulnerabilities on affected EPMM versions.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
|---|---|---|---|---|
| Code injection vulnerability in Ivanti Endpoint Manager Mobile | CVE-2026-1281 | Ivanti Endpoint Manager Mobile | Critical | RPM hotfix for 12.x.0.x (12.5.0.x – 12.7.0.x); RPM hotfix for 12.x.1.x (12.5.1.0, 12.6.1.0) |
| Code injection vulnerability in Ivanti Endpoint Manager Mobile | CVE-2026-1340 | Ivanti Endpoint Manager Mobile | Critical | RPM hotfix for 12.x.0.x (12.5.0.x – 12.7.0.x); RPM hotfix for 12.x.1.x (12.5.1.0, 12.6.1.0) |
Technical Summary
These code injection vulnerabilities in EPMM’s In-House Application Distribution and Android File Transfer Configuration features allow unauthenticated attackers to execute arbitrary code on the appliance.
Successful exploitation grants access to sensitive data including administrator/user credentials, email addresses, managed device details (phone numbers, IP addresses, IMEI, MAC addresses, installed apps), and GPS/location data if tracking is enabled.
Attackers can also modify device configurations via the EPMM API or web console.
Detection relies on the Apache access log at /var/log/httpd/https-access_log: the regex `^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404` identifies 404 responses to the vulnerable endpoints from non-loopback (external) clients, since legitimate requests to these paths return HTTP 200. Because logs on a compromised appliance may have been tampered with, off-device (forwarded) logs should be preferred where they exist.
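As an added illustration (not part of the advisory), the regex above applied to a few constructed log lines in Python, alongside a stricter parse that checks the HTTP status field itself; it assumes, as the advisory's regex implies, that each line begins with client:port, and the stricter pattern is an assumption of this example rather than Ivanti guidance.

```python
import re

# Regex exactly as given in the advisory: a 404 to /mifs/c/{aft,app}store/fob/
# from a client that is not 127.0.0.1 (lines assumed to start with "client:port ").
ADVISORY_PATTERN = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# Stricter variant (assumption of this example, not from the advisory): parse the
# request line and compare the status field, so a "404" appearing elsewhere on the
# line (e.g. a response size of 4041 bytes) cannot cause a false positive.
STRICT_PATTERN = re.compile(
    r'^(?P<client>[^\s:]+)(?::\d+)? \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>/mifs/c/(?:aft|app)store/fob/\S*) [^"]*" '
    r'(?P<status>\d{3}) '
)


def flag_line(line: str, strict: bool = False) -> bool:
    """True if the line looks like an external 404 to a vulnerable endpoint."""
    if not strict:
        return ADVISORY_PATTERN.search(line) is not None
    m = STRICT_PATTERN.match(line)
    if not m:
        return False
    return m.group("status") == "404" and m.group("client") != "127.0.0.1"


def scan(lines, strict: bool = False):
    """Return the lines that should be reviewed as possible exploitation attempts."""
    return [line for line in lines if flag_line(line, strict)]


# Constructed sample lines (not real traffic; documentation IP ranges).
SAMPLE_LOG = [
    '127.0.0.1:40212 - - [01/Jan/2026:10:00:00 +0000] "GET /mifs/c/appstore/fob/x HTTP/1.1" 404 312',
    '203.0.113.10:51234 - - [01/Jan/2026:10:00:01 +0000] "POST /mifs/c/aftstore/fob/x HTTP/1.1" 404 312',
    '203.0.113.10:51235 - - [01/Jan/2026:10:00:02 +0000] "GET /mifs/c/appstore/fob/x HTTP/1.1" 200 4041',
    '198.51.100.7:4444 - - [01/Jan/2026:10:00:03 +0000] "GET /mifs/login HTTP/1.1" 404 212',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, strict=True):
        print("review:", hit)
```

The advisory regex also flags the third sample line (a 200 whose byte count contains "404"), which is why the status-field check is worth keeping alongside it.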
| CVE ID | Component Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2026-1281 | Ivanti Endpoint Manager Mobile | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | Remote code execution (RCE) |
| CVE-2026-1340 | Ivanti Endpoint Manager Mobile | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | Remote code execution (RCE) |
Recommendations
Update Ivanti Endpoint Manager Mobile (EPMM) with the provided RPM hotfixes immediately.
Here are some recommendations to follow after applying the hotfixes:
Conclusion:
These critical zero-day code injection vulnerabilities in Ivanti EPMM enable unauthenticated attackers to achieve remote code execution, potentially compromising managed device data.
Immediate RPM hotfix deployment and thorough log analysis are essential to secure mobile device management infrastructure before broader exploitation occurs.
References: