Ivanti has disclosed and patched two critical security vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM) that have been actively exploited in zero-day attacks. The flaws, tracked as CVE-2026-1281 and CVE-2026-1340, allow unauthenticated remote code execution and carry CVSS scores of 9.8, placing them among the most severe vulnerability classes. One of the vulnerabilities has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, significantly increasing the urgency for remediation, particularly across U.S. federal environments. 

These vulnerabilities enable attackers to compromise exposed EPMM appliances without valid credentials, potentially granting full control over systems that manage and store sensitive mobile device and enterprise configuration data. 


Vulnerability overview 

CVE-2026-1281 and CVE-2026-1340 are code injection vulnerabilities within Ivanti EPMM that permit attackers to execute arbitrary commands remotely and without authentication. The issues stem from improper input handling in the In-House Application Distribution and Android File Transfer Configuration features of EPMM. Successful exploitation results in direct code execution on the appliance itself, creating a high-risk scenario given EPMM’s privileged role within enterprise environments. 

The vulnerabilities affect multiple supported versions of Ivanti EPMM, including versions 12.5.x, 12.6.x, and 12.7.x. Ivanti has released RPM-based interim patches for affected versions; however, these patches do not persist through version upgrades and must be reapplied if the appliance is updated. A permanent fix is expected with the release of EPMM version 12.8.0.0, scheduled for later in Q1 2026. 

Importantly, Ivanti has stated that no other Ivanti products are impacted by these vulnerabilities, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), and Ivanti Sentry. 


Exploitation and post-compromise risk 

Ivanti has confirmed that a limited number of customers' appliances were actively exploited prior to public disclosure, although the company noted that it currently lacks sufficient visibility into threat actor tooling and infrastructure to publish reliable atomic indicators of compromise. Based on historical attacks against earlier EPMM vulnerabilities, Ivanti assesses that attackers commonly establish persistence through web shells or reverse shells deployed directly on the compromised appliance. 

Once an EPMM system is compromised, attackers gain the ability to execute arbitrary code, access sensitive data related to managed devices, and potentially pivot laterally into connected enterprise environments. Because EPMM appliances often sit at the intersection of identity, device management, and network access, a successful compromise can have cascading security implications well beyond the appliance itself. 


Detection guidance 

Given the lack of detailed indicators, detection currently relies on log analysis and configuration review. Ivanti advises customers to inspect Apache access logs located at /var/log/httpd/https-access_log for suspicious requests targeting vulnerable endpoints. Requests that return HTTP 404 responses, rather than the expected 200 responses associated with legitimate use, may indicate attempted or successful exploitation. Ivanti has provided a regular expression to assist with identifying such entries and recommends correlating findings with timestamps and source IP addresses. 
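As an added example (not from this bulletin or from Ivanti), the following Python script triages a copy of the access log in the way the paragraph describes: it parses Apache combined-format lines, keeps requests to the watched endpoints that were answered with 404, and groups them by source IP with first and last timestamps for correlation. The endpoint pattern and the log lines are constructed placeholders; substitute the regular expression Ivanti published for the pattern.

```python
import re
from collections import defaultdict
from datetime import datetime

# PLACEHOLDER: the bulletin does not reproduce Ivanti's regular expression;
# substitute it here. The constructed sample below uses the placeholder path.
VULNERABLE_PATH_PATTERN = re.compile(r"^/PLACEHOLDER_VULNERABLE_ENDPOINT")

# Apache combined log format, as written to /var/log/httpd/https-access_log
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic): two 404s from one source to
# the watched path, one legitimate 200 to it, and one unrelated 404.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2026:03:14:07 +0000] "POST /PLACEHOLDER_VULNERABLE_ENDPOINT/upload HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Feb/2026:03:14:09 +0000] "POST /PLACEHOLDER_VULNERABLE_ENDPOINT/upload HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/Feb/2026:08:02:11 +0000] "GET /PLACEHOLDER_VULNERABLE_ENDPOINT/upload HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Feb/2026:09:30:00 +0000] "GET /unrelated/page HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_suspicious(lines, pattern=VULNERABLE_PATH_PATTERN):
    """Group 404 responses to the watched paths by source IP, keeping the
    request count and first/last timestamps for correlation."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404 or not pattern.search(rec["path"]):
            continue
        h = hits[rec["ip"]]
        h["count"] += 1
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
    return dict(hits)

if __name__ == "__main__":
    for ip, h in sorted(find_suspicious(SAMPLE_LOG).items()):
        print(f"{ip}: {h['count']} request(s) between {h['first']} and {h['last']}")
```

To run it against a real appliance log, pass an open file handle (for example `open("/var/log/httpd/https-access_log")`) to `find_suspicious` instead of `SAMPLE_LOG`.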

Beyond log analysis, organisations are encouraged to review EPMM administrative accounts for unauthorised changes, examine authentication configurations such as LDAP and SSO, and scrutinise newly created or modified device policies and pushed applications. Unexpected network or VPN configuration changes distributed through EPMM should also be treated as potential indicators of compromise. 


What you should do

Organisations running Ivanti EPMM should treat these vulnerabilities as an immediate and high-severity risk. The first priority should be applying the appropriate Ivanti-issued RPM patches to all affected EPMM instances, with the understanding that these patches must be reapplied after any version upgrade until EPMM 12.8.0.0 is deployed. Internet-facing EPMM appliances should be considered especially high risk and prioritised accordingly. 

In parallel with patching, teams should conduct a thorough review of Apache access logs and EPMM configuration settings to identify any signs of exploitation. Because Ivanti does not recommend attempting to manually clean a compromised appliance, any indication of successful exploitation should trigger a full recovery process. This involves restoring the appliance from a known-good backup taken prior to compromise or building a new EPMM instance and migrating clean data to it. 

After recovery, organisations should assume credential exposure and take corrective action by resetting all local EPMM account passwords, rotating LDAP and Kerberos service account credentials, and revoking and replacing any public certificates used by the EPMM appliance. Additional scrutiny should be applied to connected systems and services for signs of lateral movement, particularly in environments where EPMM integrates with identity or network access controls. 

Finally, security teams should update their vulnerability management and incident response playbooks to explicitly include EPMM and similar infrastructure appliances as high-value targets. Continuous monitoring for anomalous outbound activity from EPMM systems and proactive validation of backups will help reduce dwell time and limit impact if future exploitation attempts occur. 


If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation. 
