Critical Vulnerabilities in Ivanti Endpoint Manager Mobile Exploited in Active Attacks
Ivanti’s Endpoint Manager Mobile (EPMM) platform has recently been found to contain two critical code-injection vulnerabilities, CVE-2026-1281 and CVE-2026-1340. Both are being actively exploited in real-world attacks, posing significant risk to organizations running affected versions of EPMM.
Understanding the Vulnerabilities
Both CVE-2026-1281 and CVE-2026-1340 are code-injection vulnerabilities that allow unauthenticated attackers to execute arbitrary code remotely on vulnerable systems. These vulnerabilities have been assigned a maximum Common Vulnerability Scoring System (CVSS) severity score of 9.8, indicating their critical nature. The affected EPMM versions include 12.5.0.0, 12.6.0.0, and 12.7.0.0.
The attack vector for these vulnerabilities is network-based and requires no authentication or user interaction. Because attack complexity is low, threat actors can compromise vulnerable EPMM instances remotely with minimal effort. Successful exploitation lets attackers fully compromise the confidentiality, integrity, and availability of affected systems.
Active Exploitation and Impact
According to Ivanti’s security advisory published on January 29, 2026, the company is aware of a limited number of customer environments that have already been compromised at the time of disclosure. The active exploitation of these vulnerabilities underscores the urgency for organizations to address these security flaws promptly.
The exploitation of these vulnerabilities can lead to severe consequences, including unauthorized access to sensitive data, disruption of services, and potential lateral movement within the network. Organizations relying on EPMM for device management and security are particularly at risk, as attackers can leverage these vulnerabilities to gain control over managed devices and the core server.
Mitigation Measures and Recommendations
Ivanti has released version-specific RPM patches to address these security flaws. These temporary patches require no system downtime and do not impact feature functionality. However, administrators must reapply the RPM script after version upgrades. The permanent fix is scheduled for release in version 12.8.0.0 in the first quarter of 2026.
Organizations running EPMM should immediately apply the version-specific RPM patches available through Ivanti’s support portal. Customers using versions 12.5.0.x through 12.7.0.x require RPM 12.x.0.x, while those on 12.5.1.0 or 12.6.1.0 should deploy RPM 12.x.1.x. Only one patch is needed, and which one depends on the deployed version.
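The version-to-patch rules above, including the need to reapply the RPM after an upgrade, can be checked across an inventory with a short script. This is an added example, not Ivanti's tooling: the record fields (name, version, rpm_applied_on) and the sample hosts are constructed, and versions the article does not mention are reported as unknown rather than guessed.

```python
import re

FIXED = (12, 8, 0, 0)  # permanent-fix release named in the article

def parse(version):
    """Return a 4-tuple of ints, or None unless the input is a dotted 4-part version."""
    text = (version or "").strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        return None
    return tuple(int(p) for p in text.split("."))

def rpm_family(v):
    """Map a parsed version to the RPM family named in the article, else None."""
    major, minor, third, fourth = v
    if major == 12 and minor in (5, 6, 7) and third == 0:
        return "12.x.0.x"   # 12.5.0.x through 12.7.0.x
    if v in ((12, 5, 1, 0), (12, 6, 1, 0)):
        return "12.x.1.x"
    return None

def triage(host):
    """Classify one record; the record schema is an assumption of this example."""
    v = parse(host.get("version"))
    if v is None:
        return "UNKNOWN: unparseable version"
    if v >= FIXED:
        return "OK: at or above 12.8.0.0"
    family = rpm_family(v)
    if family is None:
        return "UNKNOWN: version not covered here, check Ivanti's advisory"
    applied = host.get("rpm_applied_on")
    if applied is None:
        return f"PATCH: apply RPM {family}"
    if parse(applied) != v:
        # The RPM must be reapplied after a version upgrade.
        return f"REAPPLY: upgraded since patching, apply RPM {family}"
    return f"PATCHED: RPM {family} applied on current version"

INVENTORY = [  # constructed sample records
    {"name": "epmm-a", "version": "12.5.0.2", "rpm_applied_on": None},
    {"name": "epmm-b", "version": "12.6.1.0", "rpm_applied_on": "12.5.1.0"},
    {"name": "epmm-c", "version": "12.7.0.0", "rpm_applied_on": "12.7.0.0"},
    {"name": "epmm-d", "version": "12.8.0.0", "rpm_applied_on": None},
    {"name": "epmm-e", "version": "12.4", "rpm_applied_on": None},
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(h["name"], "->", triage(h))
```

A PATCHED or OK result describes patch state only; it does not indicate whether the host was compromised before the patch was applied.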
Ivanti recommends that security-conscious organizations consider rebuilding EPMM environments and migrating data to replacement systems as the most conservative remediation approach. The company has provided technical analysis documentation with forensic guidance, though reliable indicators of compromise remain unavailable as investigations continue.
Notably, other Ivanti products, including Endpoint Manager (EPM), Neurons for MDM, and Sentry appliances, are not affected by these vulnerabilities.
Broader Context and Historical Vulnerabilities
This is not the first time Ivanti’s EPMM has been found to contain critical vulnerabilities. In August 2023, Ivanti disclosed a maximum-severity vulnerability, CVE-2023-35082, in its EPMM solution. This vulnerability allowed remote unauthenticated API access, potentially leading to the theft of users’ personally identifiable information and limited changes to the server. Ivanti stated that it did not believe the flaw had been exploited in the wild at that time.
In July 2023, another critical authentication bypass vulnerability, CVE-2023-35078, was discovered in Ivanti EPMM. This vulnerability allowed unauthenticated access to specific API paths in the EPMM system, enabling unauthorized users to access restricted functionality or resources without proper authentication. The vulnerability was particularly concerning as it affected internet-facing systems, with the Shadowserver project identifying 2,729 vulnerable IP addresses as of July 24, 2023.
These recurring vulnerabilities highlight the importance of proactive security measures and timely patching in endpoint management solutions.
Conclusion
The discovery and active exploitation of CVE-2026-1281 and CVE-2026-1340 in Ivanti’s Endpoint Manager Mobile platform serve as a stark reminder of the critical importance of maintaining up-to-date security practices. Organizations utilizing EPMM must act swiftly to apply the necessary patches and consider additional remediation measures to protect their systems and data from potential compromise.