
Ivanti has issued a critical security advisory for two zero-day remote code execution (RCE) vulnerabilities in Endpoint Manager Mobile (EPMM) that are being actively exploited in the wild. CVE-2026-1281 was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on January 29, 2026, and the federal remediation deadline is only days away.
Vulnerability Breakdown
Both flaws lie in EPMM's In-House Application Distribution and Android File Transfer features and allow an unauthenticated attacker to inject code and take control of the appliance.
- CVE-2026-1281: CVSS 9.8 code-injection RCE, allowing arbitrary command execution on the appliance.
- CVE-2026-1340: a second RCE, also rated CVSS 9.8; the two flaws can be exploited in combination, which increases the overall risk.
A successful attacker can extract data about managed devices, deploy web shells on the appliance, and pivot laterally into the enterprise network.
Scope and Impact
- Affects EPMM versions 12.5.0.x through 12.7.0.x; fixes are delivered as RPM packages. Ivanti Neurons for MDM and other Ivanti products are not affected.
- Exploitation has been confirmed in a limited number of environments, but because EPMM manages the mobile fleet, a compromised appliance gives an attacker broad enterprise exposure.
- Under BOD 22-01, CISA requires federal civilian agencies to remediate by February 2, 2026.
Detection and IOCs
Review the Apache access logs for requests to valid endpoints that returned HTTP 404; legitimate requests to those endpoints return 200, so a 404 on a known-good path is a sign of attempted exploitation.
Key signs of compromise:
- Unauthorized new administrator accounts.
- Unexpected changes to SSO/LDAP configuration, applications, policies, or VPN settings.
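The log check above is easy to script. The following is an added example, not code from Ivanti or from the original page: it parses Apache combined-format access-log lines, treats any path that served a 200 as a known-valid endpoint, and flags 404 responses on those paths, grouped by source address. The log lines and the endpoint paths in it are constructed placeholders; EPMM's real endpoint paths are not listed in the advisory summary and must be taken from the vendor's detection guidance or from your own baseline.

```python
import re
from collections import Counter

# Apache "combined" access-log format. The protocol, referer and user-agent
# fields are optional in the pattern so "common" format lines also parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines for this example. The paths (/app/status,
# /app/upload, ...) are placeholders, not EPMM's real endpoint paths.
SAMPLE_LOG = """\
198.51.100.10 - - [29/Jan/2026:09:58:01 +0000] "GET /app/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.10 - - [29/Jan/2026:09:59:30 +0000] "POST /app/upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jan/2026:10:01:12 +0000] "POST /app/upload HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [29/Jan/2026:10:01:13 +0000] "POST /app/upload?x=1 HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [29/Jan/2026:10:01:20 +0000] "GET /app/does-not-exist HTTP/1.1" 404 196 "-" "python-requests/2.31"
this line is not in Apache format and must be skipped
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so /x?a=1 and /x count as the same endpoint.
    rec["path"] = rec.pop("target").split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious_404s(log_text):
    """Flag 404 responses on endpoints that the same log shows serving 200s.

    This follows the advisory's detection advice: a valid endpoint answers
    legitimate requests with 200, so a 404 on such an endpoint is worth a
    look. Paths that never returned 200 are ignored, because 404s on
    genuinely absent paths are ordinary scanner noise.
    """
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    valid_paths = {r["path"] for r in records if r["status"] == 200}
    return [
        {"ip": r["ip"], "ts": r["ts"], "method": r["method"], "path": r["path"]}
        for r in records
        if r["status"] == 404 and r["path"] in valid_paths
    ]


def summarize_by_ip(hits):
    """Count flagged requests per source address, most active first."""
    return dict(Counter(h["ip"] for h in hits).most_common())


if __name__ == "__main__":
    hits = find_suspicious_404s(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> 404 on a known-valid endpoint')
    print("per-source totals:", summarize_by_ip(hits))
```

To use it on a real appliance, export the Apache access logs and pass their contents to find_suspicious_404s; a baseline log from before the disclosure window gives a better set of valid paths than the log under investigation alone. The script covers only the access-log indicator; the account and configuration-change indicators listed above have to be checked in the EPMM admin portal and its audit logs.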
Remediation Roadmap
- Patch Immediately: Install Ivanti's RPM updates for the affected versions after validating the packages in your normal change process.
- Run Tools: Use Ivanti's official integrity checker and compromise scanners against every EPMM appliance.
- Hunt & Isolate: Review the access and audit logs, segment the appliance and any endpoints it manages, and monitor for anomalies.
Ivanti's string of KEV entries underscores the need for rapid MDM patching. Act now to safeguard the mobile fleet.
