Mallory

Ivanti EPMM Zero-Day RCE via CVE-2026-1281 and CVE-2026-1340

Tags: actively-exploited-vulnerability, internet-facing-service-vulnerability, widely-deployed-product-advisory, lateral-movement-method
Updated April 21, 2026 at 11:00 AM; 23 sources

Ivanti disclosed two critical, actively exploited Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities—CVE-2026-1281 and CVE-2026-1340—described as unauthenticated code-injection issues enabling remote code execution (RCE) with a CVSS 9.8 rating. Ivanti reported exploitation affecting a very limited number of customers at disclosure and warned that successful compromise of the EPMM appliance could expose sensitive data stored in the platform (e.g., admin/user details and managed-device metadata such as phone numbers, IPs, installed apps, and identifiers like IMEI/MAC), and potentially allow attackers to change device configurations via the API or web console, including authentication-related settings.

Guidance from national cybersecurity authorities emphasized that EPMM's role in mobile device management makes a compromised appliance a potential pivot point into internal environments, enabling lateral movement. Affected versions span the EPMM 12.5.x, 12.6.x and 12.7.x lines (12.5.1.0 and earlier and 12.6.1.0 and earlier, as specified in the advisory); Ivanti's cloud offerings (e.g., Ivanti Neurons for MDM) and Ivanti Endpoint Manager (EPM) are not impacted. Ivanti provided interim RPM-based hotfixes, with the caveat that a hotfix may need to be reapplied after an upgrade, and said a permanent fix is expected in EPMM 12.8.0.0. Organizations were advised to patch immediately and to review appliances for indicators of compromise such as anomalous log entries and unexpected admin or configuration changes.

Timeline

  1. Apr 8, 2026

    CISA adds CVE-2026-1340 to KEV and orders federal remediation

    By April 8, 2026, CISA had added Ivanti EPMM flaw CVE-2026-1340 to its Known Exploited Vulnerabilities catalog, citing exploitation since January. Federal Civilian Executive Branch agencies were ordered under BOD 22-01 to remediate affected systems by April 11, 2026.

  2. Feb 13, 2026

    BSI says Ivanti EPMM exploitation dates back to summer 2025

    In a February 13, 2026 update cited by Finland's Traficom, Germany's BSI reported that exploitation of the Ivanti EPMM flaws had already occurred as early as summer 2025. The update advised organizations to review historical indicators of compromise, extending the suspected intrusion window well before the January 2026 public disclosure.

  3. Feb 5, 2026

    watchTowr says multiple threat actors are exploiting the EPMM flaws globally

    By February 5, 2026, watchTowr Labs reported seeing multiple threat actors exploiting CVE-2026-1281 and CVE-2026-1340 in global attacks, even as Ivanti disputed a combined exploit chain. Researchers urged organizations with internet-exposed vulnerable EPMM instances to assume compromise, rebuild affected systems, and begin incident response.

  4. Feb 3, 2026

    Researchers observe broader post-disclosure exploitation surge

    In the days after disclosure, researchers and telemetry providers reported exploitation attempts increasing from multiple source IPs against internet-exposed EPMM systems. CyberScoop and later SC Media cited evidence that activity escalated beyond the initially limited victim set.

  5. Jan 31, 2026

    Shadowserver reports spike in exploitation attempts against CVE-2026-1281

    On Saturday, January 31, 2026, the Shadowserver Foundation observed a surge in attempted exploitation of CVE-2026-1281. Reporting published afterward also noted that more than 1,400 Ivanti EPMM instances remained exposed to the internet.

  6. Jan 30, 2026

    Rapid7 reports heavy exploitation activity in honeypot telemetry

    By January 30, 2026, Rapid7 said it had observed substantial exploitation activity targeting the EPMM flaws, including reverse shells over port 443, web shell attempts, and automated droppers. The company also highlighted the risk of PII exposure and lateral movement from a compromised EPMM server.

  7. Jan 30, 2026

    watchTowr reverse-engineers the patches and releases exploit details

    On January 30, 2026, watchTowr Labs analyzed Ivanti's interim patches, traced the flaws to Bash-based URL-mapping scripts, and published proof-of-concept exploitation details for pre-auth remote command execution. The research showed how crafted HTTP requests could trigger command execution through subtle Bash arithmetic-expansion behavior.

  8. Jan 29, 2026

    Ivanti publishes compromise-hunting and recovery guidance

    At disclosure, Ivanti advised defenders to review Apache access logs and look for suspicious requests, web shells, reverse shells, and unexpected WAR or JAR files, while warning that reliable IOCs were limited and logs may be tampered with. For suspected compromise, the company recommended restoring from known-good backups or rebuilding appliances, plus resetting credentials and certificates.

  9. Jan 29, 2026

    CISA adds CVE-2026-1281 to the KEV catalog

    On January 29, 2026, CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog because of active exploitation. U.S. federal civilian agencies were ordered to mitigate or discontinue use of affected systems by early February under BOD 22-01.

  10. Jan 29, 2026

    Ivanti discloses two exploited EPMM zero-days and issues interim patches

    On January 29, 2026, Ivanti disclosed CVE-2026-1281 and CVE-2026-1340, two critical unauthenticated code-injection flaws in Endpoint Manager Mobile (EPMM) that were already exploited against a limited number of customers. The company released version-specific RPM hotfixes, said cloud products and EPM were not affected, and said a permanent fix would come in EPMM 12.8.0.0 later in Q1 2026.
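Two timeline items above touch mechanics rather than chronology: the Jan 30 watchTowr analysis (command execution reached through Bash arithmetic expansion on request-derived input) and the Jan 29 Ivanti hunting guidance (review Apache access logs for suspicious requests and look for unexpected WAR or JAR files). The script below is an added example written for this page, not Ivanti's URL-mapping script, watchTowr's proof of concept, or any vendor-published IOC set. It shows the general Bash behaviour in a hypothetical helper and a first-pass log triage that looks for the same syntax. Everything in it is assumed or constructed: the function names `vulnerable_offset`, `safe_offset`, `flag_suspicious_requests`, `flagged_source_ips` and `recent_archives`, the `/app/...` paths, the documentation-range IPs in the sample log, and the `a[$(...)]` payload, which is the generic array-subscript trick rather than a captured EPMM exploit.

```shell
#!/bin/sh
# Added example for this page. Hypothetical helpers only: not Ivanti's code and not
# watchTowr's PoC. The outer script is POSIX sh; the arithmetic pieces run under bash
# explicitly because the behaviour being shown is bash-specific.

# --- 1. The bug class: arithmetic expansion on untrusted input ----------------

# Hypothetical vulnerable helper: treats a request-derived segment as a number.
# Bash evaluates the *value* of seg as an expression. A value like 'a[$(cmd)]' is an
# array reference whose subscript is expanded before evaluation, so cmd runs, while
# the arithmetic result (unset a[0] is 0, plus 1) looks perfectly normal.
vulnerable_offset() {
    bash -c 'seg="$1"; echo $(( seg + 1 ))' _ "$1"
}

# Hardened helper: only a plain decimal integer ever reaches the arithmetic context.
safe_offset() {
    case "$1" in
        ''|*[!0-9]*)
            echo "rejected: '$1' is not a plain integer" >&2
            return 1 ;;
    esac
    bash -c 'echo $(( $1 + 1 ))' _ "$1"
}

# --- 2. First-pass triage matching that syntax in Apache access logs -----------

# Lines whose request carries command-substitution syntax, raw or URL-encoded:
# "$(" / "$((", a backtick, or their %24%28 / %60 encodings. A heuristic, not an IOC list.
flag_suspicious_requests() {
    grep -iE '\$\(|%24%28|`|%60' "$1"
}

# Distinct client IPs behind flagged requests; a few IPs with many hits points at
# scanning or automated exploitation rather than a one-off probe.
flagged_source_ips() {
    flag_suspicious_requests "$1" | awk '{ print $1 }' | sort -u
}

# .war/.jar files under a directory modified within the last N days. Anything not in
# a known-good baseline of the appliance's webapps deserves a closer look.
recent_archives() {
    find "$1" -type f \( -name '*.war' -o -name '*.jar' \) -mtime "-$2"
}

# Constructed sample log in Apache combined format (not real traffic; the paths and
# the a[$(id)] payload are illustrative, not a captured exploit).
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [29/Jan/2026:10:01:02 +0000] "GET /app/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Jan/2026:10:02:15 +0000] "GET /app/api/item?n=a[%24%28id%29] HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.7 - - [29/Jan/2026:10:02:16 +0000] "GET /app/api/item?n=a[$(id)] HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.10 - - [29/Jan/2026:10:03:40 +0000] "POST /app/api/device HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Stand-alone demonstration of both halves.
demo() {
    marker="${TMPDIR:-/tmp}/arith_demo.$$"
    rm -f "$marker"
    # The embedded command drops a marker file, then yields "0" so the subscript is valid.
    payload='a[$(echo injected > '"$marker"'; echo 0)]'
    echo "vulnerable_offset -> $(vulnerable_offset "$payload")"
    [ -f "$marker" ] && echo "embedded command ran (marker $marker exists)"
    rm -f "$marker"
    safe_offset "$payload" || echo "safe_offset refused the payload"
    echo "safe_offset 41 -> $(safe_offset 41)"

    log="${TMPDIR:-/tmp}/access_demo.$$"
    write_sample_log "$log"
    echo "flagged requests:"; flag_suspicious_requests "$log"
    echo "flagged sources:";  flagged_source_ips "$log"
    rm -f "$log"
}

demo
```

Run as-is and the vulnerable helper prints the innocuous result 1 while the marker file appears, which is the point: nothing in the arithmetic output betrays that a command ran, so the input check in `safe_offset` has to happen before the value reaches `$(( ))`. The grep heuristic will also flag legitimate requests that happen to carry those characters; treat it as a way to shortlist lines for review alongside the vendor's advice on web shells, reverse shells and unexpected archives, not as a verdict.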


Related Stories

Ivanti Endpoint Manager Mobile Pre-Auth RCE Zero-Days (CVE-2026-1281, CVE-2026-1340)

Ivanti issued emergency patches for two **critical zero-day** vulnerabilities in *Endpoint Manager Mobile (EPMM)*—**CVE-2026-1281** and **CVE-2026-1340**—described as code-injection flaws that can enable **pre-auth remote code execution**. Reporting indicates successful exploitation could allow attackers to run arbitrary code and potentially access sensitive device and user data managed by EPMM, elevating risk for organizations using the product for mobile device management. Technical discussion and community commentary amplified the disclosure, pointing to detailed research write-ups (including analysis focused on exploitation mechanics) and reinforcing the urgency of patching internet-exposed EPMM instances. Separate industry coverage during the same period also emphasized broader 2026 security priorities (AI-enabled social engineering, quantum-readiness, and general vulnerability management), but did not add incident-specific details about the Ivanti EPMM zero-days beyond the general call to improve patching discipline.

1 month ago
Active Exploitation of Ivanti EPMM Zero-Day RCE Vulnerabilities

**Ivanti Endpoint Manager Mobile (EPMM)** is being actively exploited via two critical, unauthenticated remote code execution vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340** (both reported as CVSS 9.8). Reporting describes attackers achieving full control of exposed EPMM/MDM infrastructure, including establishing reverse shells, deploying web shells, performing reconnaissance, and downloading additional malware; activity has been observed across multiple countries and sectors (including government, healthcare, manufacturing, and technology). **CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) Catalog**, and defenders are urged to apply Ivanti’s available fixes/updates per the vendor advisory. Telemetry and threat-intel observations indicate broad internet exposure and automation in exploitation. Unit 42 reported visibility into **4,400+** EPMM instances, and noted threat actors shifting from initial exploitation toward **dormant backdoors** intended to preserve access even after patching. GreyNoise data highlighted that a large share of observed exploitation traffic (reported as **83%**) originated from a single IP, `193.24.123.42`, associated with “bulletproof” hosting, with attackers rotating user-agent strings consistent with mass scanning/exploitation; the same infrastructure was also linked to attempts against other products (e.g., Oracle WebLogic, `telnetd`, and GLPI).

1 month ago
Critical Remote Code Execution Vulnerability in Ivanti Endpoint Manager (CVE-2025-10573)

Ivanti has disclosed a critical vulnerability (CVE-2025-10573) in its Endpoint Manager (EPM) software, which allows unauthenticated remote attackers to execute arbitrary JavaScript code via a stored cross-site scripting (XSS) attack. The flaw enables attackers to register fake managed endpoints to the EPM server, thereby injecting malicious JavaScript into the administrator web dashboard. When an administrator interacts with the compromised dashboard, the attacker can hijack the session and potentially gain full control over the EPM environment. Ivanti has released a patch (EPM 2024 SU4 SR1) to address this issue and strongly urges customers to update, especially since hundreds of EPM instances are exposed to the internet, increasing the risk of exploitation. The vulnerability, assigned a CVSS score of 9.6, affects EPM versions 2024 SU4 and below. Security researchers at Rapid7, who discovered and reported the flaw, emphasize the urgency of patching due to the unauthenticated nature of the attack vector. Ivanti EPM is widely used for endpoint management, remote administration, and compliance, making it a high-value target for attackers. In addition to CVE-2025-10573, Ivanti has also released fixes for three other high-severity vulnerabilities in the same update cycle. Security teams are advised to apply the latest patches immediately and review the exposure of EPM instances to the internet to mitigate the risk of compromise.

1 month ago
