Ivanti has issued an urgent security advisory for two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) solution that attackers are actively exploiting in the wild. The flaws, tracked as CVE-2026-1281 and CVE-2026-1340, both carry the maximum CVSS score of 9.8.
The Threat
Both vulnerabilities are code-injection flaws that allow remote attackers to execute arbitrary code on vulnerable EPMM appliances without any authentication. This is particularly concerning given that EPMM manages mobile devices across enterprise environments, potentially giving attackers access to:
- Administrator and user credentials
- Email addresses and phone numbers
- Device identifiers (IMEI, MAC addresses)
- Installed applications on managed devices
- GPS coordinates and location data (if tracking is enabled)
Ivanti confirmed that attackers have already compromised a “very limited number” of customers, though the company notes reliable indicators of compromise (IOCs) are scarce due to the small sample size.
Why This Matters
Mobile Device Management platforms are high-value targets for threat actors. A compromised MDM solution provides a force multiplier effect—attackers gain potential access to every device under management. The ability to execute code without authentication makes these vulnerabilities trivial to exploit at scale.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog. Federal civilian agencies must apply mitigations or discontinue vulnerable systems by February 1, 2026, only days away.
Mitigation
Ivanti has released RPM hotfix scripts that can be applied without downtime:
- RPM 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x
- RPM 12.x.1.x for EPMM versions 12.5.1.0 and 12.6.1.0
Important: These hotfixes do not survive version upgrades and must be reapplied. A permanent fix is expected in EPMM version 12.8.0.0, scheduled for later in Q1 2026.
Organizations that suspect compromise should not attempt to clean systems. Instead, Ivanti recommends restoring from a known-good backup taken before exploitation, or rebuilding the appliance entirely.
Detection
Exploitation attempts can be identified in Apache access logs at /var/log/httpd/https-access_log. Ivanti has provided a regex pattern to detect suspicious activity targeting the vulnerable In-House Application Distribution and Android File Transfer Configuration features. Legitimate requests return HTTP 200; exploitation attempts return HTTP 404.
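The log check described above, as an added example that is not part of the original article or Ivanti's own tooling: a small Python scanner that parses Apache combined-format lines from the log file named in the text and flags requests that hit the targeted feature paths and came back with HTTP 404, following the 200-is-legitimate / 404-is-suspicious rule stated above. The article does not reproduce Ivanti's regex, so the path pattern below is an obvious placeholder to be replaced with the vendor's pattern; the log lines are constructed sample data, not real traffic.

```python
import re
from typing import Iterable, List, Optional, Dict, Any

# Apache "combined" access-log format. Only the fields needed for the check are captured;
# the status code is the first three-digit number after the quoted request line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# PLACEHOLDER (assumption): the article does not include Ivanti's detection regex. Replace this
# stand-in with the pattern from the vendor advisory. It only models the shape of the check:
# the request path matches the In-House Application Distribution / Android File Transfer
# Configuration endpoints that the advisory names as the targeted features.
SUSPICIOUS_PATH = re.compile(r"/PLACEHOLDER-targeted-feature-endpoint/", re.IGNORECASE)

# Log location given in the article.
DEFAULT_LOG_PATH = "/var/log/httpd/https-access_log"


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_suspicious(entry: Dict[str, Any]) -> bool:
    """Apply the rule from the advisory: a request to the targeted paths that returned 404.
    A bare 404 is not an indicator by itself; it must coincide with the targeted path."""
    return SUSPICIOUS_PATH.search(entry["path"]) is not None and entry["status"] == 404


def scan(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Return the parsed entries that satisfy is_suspicious(); unparseable lines are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_suspicious(entry):
            hits.append(entry)
    return hits


def scan_file(path: str = DEFAULT_LOG_PATH) -> List[Dict[str, Any]]:
    """Scan an on-disk access log (read as text, errors tolerated for odd bytes)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan(fh)


# Constructed sample lines (not real traffic): a legitimate 200 to the placeholder path,
# a 404 to the placeholder path (should be flagged), a 404 to an unrelated path (should not),
# and one malformed line that the parser must skip.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jan/2026:10:00:01 +0000] "GET /PLACEHOLDER-targeted-feature-endpoint/app.apk HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Jan/2026:10:00:02 +0000] "POST /PLACEHOLDER-targeted-feature-endpoint/ HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.9 - - [28/Jan/2026:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
this line is not an access-log entry
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Run against the appliance's log with `scan_file()` once the placeholder pattern has been swapped for Ivanti's regex; because the text notes that reliable IOCs are scarce, treat any hit as a trigger for the restore-or-rebuild guidance above rather than as something to clean in place.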
Source: BleepingComputer
