Ivanti on Thursday announced emergency patches for two critical-severity vulnerabilities in Endpoint Manager Mobile (EPMM) that have been exploited in the wild as zero-days.
Tracked as CVE-2026-1281 and CVE-2026-1340 (CVSS score of 9.8), the bugs are described as code injection issues that could be exploited by unauthenticated attackers to achieve remote code execution (RCE).
The flaws impact the in-house application distribution and the Android file transfer configuration features of EPMM.
Successful exploitation of the zero-days could allow attackers to execute arbitrary code, move laterally to the connected environment, and access sensitive information stored in the EPMM.
Such information may include administrator information (name, email, and username), user information (name, email, and username, user principal name for AD), and mobile device details (phone number, location, identifier, IMEI, IP address, UUID, application details, and other identification data).
“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti notes in its advisory.
According to the company, all EPMM versions up to 12.5.0.0, 12.6.0.0, 12.7.0.0, 12.5.1.0, and 12.6.1.0 are affected.
Ivanti released RPM patches 12.x.0.x and 12.x.1.x that address the security defects. The fixes are version-specific, and customers need to apply only the RPM applicable to their EPMM iteration.
The company notes that the RPM scripts need to be reapplied in the event EPMM is updated to a newer version.
“We strongly encourage all EPMM customers to adopt version 12.8.0.0 once it has been released later in Q1 2026. Once you have upgraded to 12.8.0.0, you will not need to reapply the RPM script,” Ivanti notes.
Scarce information on exploitation
No other Ivanti products are affected by the exploited zero-day vulnerabilities, and the company has published generic information on detecting exploitation attempts.
“Due to the small number of known-impacted customers, Ivanti does not have enough information about the threat actor tactics to provide proven, reliable atomic indicators,” the company notes.
Based on the exploitation of previous EPMM bugs, Ivanti says, two common methods of persistence have surfaced: the deployment of web shell capabilities targeting HTTP error pages, and the deployment of reverse shells.
Exploitation attempts using these techniques can be identified either through unexpected WAR or JAR files on the system, or through firewall log entries for outbound network connections initiated by the appliance.
“Based on Ivanti’s analysis of threat actor toolkits targeting older vulnerabilities on the Ivanti appliance, analysts should assume that the threat actor techniques will likely include the clearing of logs or removal of specific log entries,” the company notes.
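The three signals Ivanti describes above (outbound connections initiated by the appliance, WAR or JAR files that were not there before, and holes in the logs left by cleanup) can be triaged from exported evidence. The script below is an added example written for this article, not Ivanti's tooling or anything from its advisory; the appliance address, the internal ranges, the syslog-style firewall format, the file paths and the timestamps are all constructed placeholders that an analyst would swap for their own exports.

```python
"""Triage helpers for the persistence signals described in Ivanti's guidance.
All inputs below are constructed sample data; paths and addresses are assumptions."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed values for this example: the EPMM appliance's address, the organization's
# internal ranges, and the outbound ports it is expected to use (vendor/push services).
APPLIANCE_IP = "10.20.30.40"
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
EXPECTED_OUTBOUND_PORTS = {443}

# Constructed firewall log lines in a key=value syslog style (not real data).
FIREWALL_LOG = """\
2026-01-15T03:12:01Z action=allow src=10.20.30.40 dst=10.20.30.5 dport=389 proto=tcp
2026-01-15T03:12:44Z action=allow src=10.20.30.40 dst=203.0.113.77 dport=4444 proto=tcp
2026-01-15T03:13:02Z action=allow src=10.20.31.9 dst=198.51.100.3 dport=443 proto=tcp
2026-01-15T03:14:19Z action=allow src=10.20.30.40 dst=192.0.2.10 dport=443 proto=tcp
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def is_internal(addr):
    """True when the address sits inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_from_appliance(log_text, appliance_ip=APPLIANCE_IP):
    """Return connections the appliance itself opened to non-internal hosts.
    A reverse shell shows up as exactly this: the appliance as the source, an
    external destination, usually on a port it has no business using."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != appliance_ip or is_internal(m["dst"]):
            continue
        dport = int(m["dport"])
        findings.append({
            "ts": m["ts"], "dst": m["dst"], "dport": dport,
            # Unexpected ports are the strong signal; expected ports still deserve a look.
            "severity": "high" if dport not in EXPECTED_OUTBOUND_PORTS else "review",
        })
    return findings


# Constructed listing of archive files on the appliance and a baseline taken from
# a known-good install. The paths are illustrative, not EPMM's actual layout.
BASELINE_ARCHIVES = {"/opt/app/webapps/mifs.war", "/opt/app/lib/core.jar"}
CURRENT_LISTING = [
    "/opt/app/webapps/mifs.war",
    "/opt/app/lib/core.jar",
    "/opt/app/webapps/errorpages/404.war",   # absent from baseline: flag
    "/tmp/.cache/update.jar",               # absent from baseline: flag
    "/opt/app/conf/server.xml",             # not an archive: ignore
]


def unexpected_archives(listing, baseline, suffixes=(".war", ".jar")):
    """WAR/JAR files present now that the known-good baseline does not contain."""
    return sorted(p for p in listing
                  if p.lower().endswith(suffixes) and p not in baseline)


# Constructed application-log timestamps with a hole between 03:12 and 03:16.
APP_LOG_TIMESTAMPS = [
    "2026-01-15T03:10:00Z", "2026-01-15T03:11:00Z", "2026-01-15T03:12:00Z",
    "2026-01-15T03:16:00Z", "2026-01-15T03:17:00Z",
]


def log_gaps(timestamps, max_gap=timedelta(minutes=2)):
    """Windows where a normally steady log falls silent for longer than max_gap.
    Such holes are one sign that entries were removed; this is a heuristic that
    assumes regular log volume and must be tuned per appliance."""
    parsed = sorted(datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ") for t in timestamps)
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(parsed, parsed[1:]) if b - a > max_gap]


if __name__ == "__main__":
    for f in outbound_from_appliance(FIREWALL_LOG):
        print("outbound", f)
    print("unexpected archives", unexpected_archives(CURRENT_LISTING, BASELINE_ARCHIVES))
    print("log gaps", log_gaps(APP_LOG_TIMESTAMPS))
```

On the sample data the firewall pass flags the 4444/tcp connection to 203.0.113.77 as high and the 443/tcp connection to 192.0.2.10 for review, the archive pass reports the two files missing from the baseline, and the gap pass reports the silent window. The archive and gap checks only work against evidence captured before the incident (a file baseline from a clean install, a sense of normal log cadence), which is why they are worth collecting before a patch cycle like this one.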
Ivanti warns that, in addition to compromising the environment and accessing the sensitive information available on EPMM’s MIFS portal, attackers could make changes to the EPMM configuration to add new admin accounts, modify authentication policies, push new apps to devices, and modify network configurations.
“Please note that this is general guidance and Ivanti has not observed or received any indication that such changes have been made to a customer’s EPMM appliance maliciously,” Ivanti notes.
In the event organizations identify successful compromise of EPMM instances, Ivanti recommends either restoring the appliance from a known good backup or building a fresh iteration and migrating all data.
“Ivanti does NOT recommend attempting to clean the system after it has been compromised,” the company notes.
Ivanti also notes that organizations should restore their systems while keeping them disconnected from the internet, and that mitigations and patches should be applied before returning the system to service.
The remediation and recovery actions should also include resetting the passwords for local EPMM accounts, for LDAP and/or KDC service accounts, and for any other internal or external service accounts, and revoking and replacing the public certificate EPMM uses.
CISA KEV
On Thursday, the US cybersecurity agency CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it by February 1.
As mandated by Binding Operational Directive (BOD) 22-01, federal agencies typically have three weeks to apply fixes and mitigations for vulnerabilities newly added to the KEV list.
The short timeframe provided for CVE-2026-1281 indicates the severity of the flaw. Should a federal agency be unable to meet the deadline, it is required to take the necessary steps to comply with the directive as soon as possible.
“Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice,” CISA notes.