
Active Exploitation of Zero-Day Vulnerabilities in Ivanti Endpoint Manager Mobile


Summary

Ivanti has addressed two exploited vulnerabilities that could lead to unauthenticated remote code execution


Threat details

Exploitation of CVE-2026-1281 and CVE-2026-1340

Ivanti has observed exploitation of CVE-2026-1281 and CVE-2026-1340 in the wild, and the US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) Catalog.

Edge devices like EPMM are internet-facing by design and are highly attractive targets to attackers, and there are an increasing number of edge device vulnerabilities disclosed each year that are rapidly exploited by attackers. The NHS England National CSOC assesses it is highly likely vulnerabilities discovered in edge devices will continue to be exploited as zero-day vulnerabilities, or shortly after vendor disclosure.

Organisations are strongly encouraged to follow NCSC's vulnerability management guidance, including implementing a "patch by default" policy and patching edge devices as soon as possible if a critical vulnerability is identified.


Introduction

Ivanti has released a security advisory addressing two vulnerabilities affecting Endpoint Manager Mobile (EPMM). Ivanti EPMM provides an all-in-one solution for managing mobile, macOS and Windows devices within a network.

Ivanti has observed exploitation of the two vulnerabilities in the wild.


Vulnerability Details

  • CVE-2026-1281 is a 'code injection' vulnerability with a CVSSv3 score of 9.8. If exploited, an unauthenticated, remote attacker could execute arbitrary code.
  • CVE-2026-1340 is a 'code injection' vulnerability with a CVSSv3 score of 9.8. If exploited, an unauthenticated, remote attacker could execute arbitrary code. 

Remediation advice

Affected organisations must review the Ivanti Security Advisory and complete all remediation steps detailed below. 

If you suspect your organisation may have been compromised, you must immediately contact the NHS England National CSOC by calling 0300 303 5222 or email [email protected].

 

Important: The RPM script does not survive a version upgrade. If after applying the RPM script to your appliance you upgrade to a new version, you must reinstall the RPM. The permanent fix for this vulnerability will be included in version 12.8.0.0. 

Note: Organisations must complete all remediation steps before marking this high severity Cyber Alert as complete.


Remediation steps

| Type | Version | Step |
|---|---|---|
| Patch | 12.5.0.0 | Affected organisations must apply RPM_12.x.0.x |
| Patch | 12.5.1.0 | Affected organisations must apply RPM_12.x.1.x |
| Patch | 12.6.0.0 | Affected organisations must apply RPM_12.x.0.x |
| Patch | 12.6.1.0 | Affected organisations must apply RPM_12.x.1.x |
| Patch | 12.7.0.0 | Affected organisations must apply RPM_12.x.0.x |

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
Action

Compromise Assessment

Affected organisations must complete a compromise assessment by analysing the Apache Access Log.

 

The Apache Access Log (/var/log/httpd/https-access_log) will record attempted and successful exploitation of both vulnerabilities.

If you use these features, you may see legitimate traffic to these endpoints. Legitimate use of these capabilities will result in 200 HTTP response codes in the Apache Access Log, whereas successful or attempted exploitation will cause 404 HTTP response codes.

The following regular expression can be used to quickly triage httpd log files. Deployments that have been patched will generate legitimate heartbeat requests to the service. 

^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404 

The above regular expression is written to exclude legitimate requests.

Note: The on-box logging can be manipulated by a threat actor who has successfully exploited the system. Ivanti and the NHS England National CSOC strongly recommend reviewing your SIEM or other log aggregator/collector rather than the logs from the system itself.
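The triage described above, as an added Python example (not code from Ivanti or the NHS England National CSOC) for running the published regular expression over a log export from a SIEM. The field layout after the leading client:port and the sample lines are assumptions constructed for illustration; the second pass shows that the trailing "404" in the expression can also match inside a response size, so the status field is checked separately.

```python
import re
from collections import defaultdict

# Triage pattern exactly as published above. It uses a negative lookahead, so
# it needs Python re, PCRE or grep -P; plain grep -E will reject it.
TRIAGE = re.compile(
    r'^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404')

# Assumed line layout (not from the advisory): "client:port", then a
# combined-log-style [timestamp] "METHOD path PROTO" status size.
FIELDS = re.compile(
    r'^(?P<src>\S+?):\d+ .*?\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE = [
    '203.0.113.10:51514 - - [29/Jan/2026:03:12:45 +0000] "GET /mifs/c/appstore/fob/EXAMPLE HTTP/1.1" 404 196',
    '198.51.100.7:40222 - - [29/Jan/2026:09:00:01 +0000] "GET /mifs/c/appstore/fob/EXAMPLE HTTP/1.1" 200 1404',
    '127.0.0.1:33060 - - [29/Jan/2026:09:05:00 +0000] "GET /mifs/c/aftstore/fob/EXAMPLE HTTP/1.1" 404 196',
    '203.0.113.10:51520 - - [29/Jan/2026:03:13:02 +0000] "GET /mifs/c/aftstore/fob/EXAMPLE HTTP/1.1" 404 196',
    '192.0.2.44:50000 - - [29/Jan/2026:10:00:00 +0000] "GET /mifs/user/login HTTP/1.1" 404 196',
]

def triage(lines):
    """Map source -> [(timestamp, method, path, review)] for regex hits.

    review is True when the status field is 404 or the line cannot be parsed.
    """
    hits = defaultdict(list)
    for line in lines:
        if not TRIAGE.search(line):
            continue
        m = FIELDS.match(line)
        if m is None:  # layout differs from the assumption: keep for manual review
            hits["unparsed"].append((None, None, line.strip(), True))
            continue
        hits[m["src"]].append(
            (m["ts"], m["method"], m["path"], m["status"] == "404"))
    return dict(hits)

def sources_to_investigate(hits):
    """Sources with at least one hit flagged for review."""
    return sorted(s for s, rows in hits.items() if any(r[3] for r in rows))

if __name__ == "__main__":
    for src, rows in triage(SAMPLE).items():
        for ts, method, path, review in rows:
            print(src, ts, method, path, "REVIEW" if review else "regex-only match")
```
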


https://forums.ivanti.com/s/article/Analysis-Guidance-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
Guidance

If you suspect your organisation may have been compromised, you must immediately contact the NHS England National CSOC by calling 0300 303 5222 or email [email protected].

Additionally, please reach out to Ivanti's Support Team for further guidance.


https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US


Last edited: 30 January 2026 10:42 am