Ivanti Endpoint Manager Mobile Pre-Auth RCE Zero-Days (CVE-2026-1281, CVE-2026-1340)
Ivanti issued emergency patches for two critical zero-day vulnerabilities in Endpoint Manager Mobile (EPMM)—CVE-2026-1281 and CVE-2026-1340—described as code-injection flaws that can enable pre-auth remote code execution. Reporting indicates successful exploitation could allow attackers to run arbitrary code and potentially access sensitive device and user data managed by EPMM, elevating risk for organizations using the product for mobile device management.
Technical discussion and community commentary amplified the disclosure, pointing to detailed research write-ups (including analysis focused on exploitation mechanics) and reinforcing the urgency of patching internet-exposed EPMM instances. Separate industry coverage during the same period also emphasized broader 2026 security priorities (AI-enabled social engineering, quantum-readiness, and general vulnerability management), but did not add incident-specific details about the Ivanti EPMM zero-days beyond the general call to improve patching discipline.
Timeline
Jan 30, 2026
EU reports sharp rise in breach notifications and sustained GDPR enforcement
Late-January reporting said EU data breach notifications had risen 22%, averaging more than 400 per day, while GDPR fines in 2025 totaled about €1.2 billion. The increase came amid policy reform discussions tied to Digital Omnibus, NIS2, and DORA.
Jan 30, 2026
ShinyHunters-linked phishing and vishing hit multiple U.S. companies
Employees at several U.S. companies were targeted in phishing and vishing attacks, with ShinyHunters claiming responsibility and issuing extortion demands. The activity highlighted continued reliance on social engineering for initial access and pressure tactics.
Jan 30, 2026
Cyble discloses ShadowHS Linux post-exploitation framework
Cyble reported on ShadowHS, a stealthy fileless in-memory Linux post-exploitation framework that uses AES-encrypted payloads and memory execution to evade detection. The tooling was described as supporting credential theft, lateral movement, privilege escalation, cryptomining, and data exfiltration.
Jan 30, 2026
Cyberattack disrupts Delta alarm and vehicle security services
Delta, a Russian alarm and vehicle security provider, suffered a major cyberattack that disrupted services for tens of thousands of customers. The company said there was no confirmed customer data breach, though an unverified leaked dataset was reportedly circulating online.
Jan 30, 2026
CISA adds CVE-2026-1281 to KEV and orders rapid federal remediation
CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog and gave U.S. federal civilian agencies a two-day deadline to remediate. This indicated active exploitation serious enough to trigger urgent government action.
Jan 30, 2026
Ivanti releases emergency patches for two EPMM zero-days
Ivanti issued emergency fixes for two critical pre-authentication code injection vulnerabilities in Endpoint Manager Mobile, tracked as CVE-2026-1281 and CVE-2026-1340. The flaws were described as zero-days affecting EPMM deployments.
Related Stories

Ivanti EPMM Zero-Day RCE via CVE-2026-1281 and CVE-2026-1340
Ivanti disclosed two **critical, actively exploited** Ivanti Endpoint Manager Mobile (*EPMM*) vulnerabilities—**CVE-2026-1281** and **CVE-2026-1340**—described as unauthenticated code-injection issues enabling **remote code execution (RCE)** with a **CVSS 9.8** rating. Ivanti reported exploitation affecting a *very limited number* of customers at disclosure and warned that successful compromise of the EPMM appliance could expose sensitive data stored in the platform (e.g., admin/user details and managed-device metadata such as phone numbers, IPs, installed apps, and identifiers like IMEI/MAC), and potentially allow attackers to change device configurations via the API or web console, including authentication-related settings. Guidance from national cybersecurity authorities emphasized that EPMM’s role in mobile device management can make it a pivot point into internal environments, potentially enabling lateral movement if the appliance is compromised. Affected versions include EPMM **12.5.x, 12.6.x, and 12.7.x** (including **12.5.1.0**, **12.6.1.0**, and earlier releases, as specified in the advisory), while Ivanti’s cloud offerings (e.g., *Ivanti Neurons for MDM*) and *Ivanti Endpoint Manager (EPM)* are not impacted. Ivanti provided interim mitigations/hotfixes (RPM-based) with the caveat that hotfixes may need reapplication after upgrades, and indicated a permanent fix is expected in **EPMM 12.8.0.0**; organizations were advised to patch immediately and review appliances for compromise indicators such as anomalous logs and unexpected admin/configuration changes.
1 week ago
Active Exploitation of Ivanti EPMM Zero-Day RCE Vulnerabilities
**Ivanti Endpoint Manager Mobile (EPMM)** is being actively exploited via two critical, unauthenticated remote code execution vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340** (both reported as CVSS 9.8). Reporting describes attackers achieving full control of exposed EPMM/MDM infrastructure, including establishing reverse shells, deploying web shells, performing reconnaissance, and downloading additional malware; activity has been observed across multiple countries and sectors (including government, healthcare, manufacturing, and technology). **CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) Catalog**, and defenders are urged to apply Ivanti’s available fixes/updates per the vendor advisory. Telemetry and threat-intel observations indicate broad internet exposure and automation in exploitation. Unit 42 reported visibility into **4,400+** EPMM instances, and noted threat actors shifting from initial exploitation toward **dormant backdoors** intended to preserve access even after patching. GreyNoise data highlighted that a large share of observed exploitation traffic (reported as **83%**) originated from a single IP, `193.24.123.42`, associated with “bulletproof” hosting, with attackers rotating user-agent strings consistent with mass scanning/exploitation; the same infrastructure was also linked to attempts against other products (e.g., Oracle WebLogic, `telnetd`, and GLPI).
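As an added illustration that is not part of the original story and not vendor tooling, the following Python script shows the kind of log triage a defender could run over web-server access logs from an internet-exposed appliance: it flags requests from the source IP reported above (`193.24.123.42`) and scores every source by how many distinct user-agent strings it presented, which is the rotation pattern GreyNoise described. The log lines are constructed samples in the common Apache/nginx combined format, not EPMM's own log format; the IoC set and the rotation threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Source IP named in the reporting above; treated here as an indicator to match on.
REPORTED_SOURCE_IP = "193.24.123.42"

# Constructed sample lines in Apache/nginx "combined" format (not real EPMM logs).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jan/2026:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
193.24.123.42 - - [30/Jan/2026:10:01:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "python-requests/2.31"
193.24.123.42 - - [30/Jan/2026:10:01:06 +0000] "POST /api HTTP/1.1" 500 0 "-" "curl/8.4.0"
193.24.123.42 - - [30/Jan/2026:10:01:07 +0000] "GET / HTTP/1.1" 200 1024 "-" "Go-http-client/1.1"
198.51.100.7 - - [30/Jan/2026:10:02:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.7 - - [30/Jan/2026:10:02:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"
"""

# One combined-format line: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, ioc_ips=frozenset({REPORTED_SOURCE_IP}), ua_threshold=3):
    """Scan log text and return two findings:

    ioc_hits    - every parsed request whose source IP is in ioc_ips
    ua_rotation - source IPs that presented >= ua_threshold distinct user agents
                  (a mass-scanning signature; the threshold is an assumption)
    """
    ua_by_ip = defaultdict(set)
    ioc_hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        if rec["ip"] in ioc_ips:
            ioc_hits.append(rec)
        ua_by_ip[rec["ip"]].add(rec["ua"])
    rotation = {ip: sorted(uas) for ip, uas in ua_by_ip.items() if len(uas) >= ua_threshold}
    return {"ioc_hits": ioc_hits, "ua_rotation": rotation}


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for hit in findings["ioc_hits"]:
        print(f"IoC hit: {hit['ip']} {hit['method']} {hit['path']} ua={hit['ua']!r}")
    for ip, uas in findings["ua_rotation"].items():
        print(f"UA rotation from {ip}: {len(uas)} distinct agents {uas}")
```

On a real appliance the interesting follow-up is not the IP match itself (bulletproof-hosting sources change) but the second signal: a single source cycling through tool-like user agents against an authentication-free path is worth correlating with the unexpected admin or configuration changes the advisory tells operators to look for.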
1 month ago
Multiple Remote Code Execution Vulnerabilities in Ivanti Endpoint Manager
Ivanti Endpoint Manager has been found to contain several critical vulnerabilities that could allow remote code execution (RCE) by attackers. The Zero Day Initiative (ZDI) disclosed thirteen vulnerabilities affecting undisclosed versions of Ivanti Endpoint Manager, with several remaining unpatched at the time of disclosure. Among these, ZDI-25-935 is particularly severe, enabling a remote, unauthenticated attacker to achieve RCE if they can trick a user into visiting a malicious webpage or opening a malicious file. Alternatively, attackers with administrative credentials can exploit this vulnerability without user interaction. This flaw arises from improper validation of user-supplied paths in the OnSaveToDB method, resulting in a path traversal vulnerability.

Another significant vulnerability, ZDI-25-952 (CVE-2025-9872), involves the UniqueFilename attribute, where insufficient validation allows unrestricted file uploads. Exploitation of this flaw enables attackers to execute arbitrary code in the context of the NETWORK SERVICE account, again requiring either user interaction or administrative credentials. The CVSS score for these vulnerabilities is high, with ZDI-25-935 and ZDI-25-952 both rated at 8.8, indicating a critical risk to organizations using affected versions of Ivanti Endpoint Manager.

Additional vulnerabilities, such as ZDI-25-936 and ZDI-25-947, involve SQL injection and privilege escalation, further increasing the attack surface. The SQL injection vulnerabilities stem from improper validation of user-supplied strings in the Report_Run and Report_Run2 classes, allowing attackers to execute code as the service account. Ivanti has responded by issuing updates to address at least some of these vulnerabilities, specifically releasing a patch for CVE-2025-9872. The vulnerabilities were reported to Ivanti in June 2025, with coordinated public disclosure occurring in October 2025.
Attackers exploiting these flaws could gain significant control over affected systems, potentially leading to data theft, lateral movement, or disruption of endpoint management operations. Organizations are strongly advised to identify Ivanti Endpoint Manager installations within their networks and apply the latest security updates as soon as possible. The vulnerabilities highlight the importance of robust input validation and secure file handling in enterprise software. Security teams should also review user privileges and monitor for suspicious activity related to file uploads or unusual database queries. Given the critical nature of these vulnerabilities and the potential for exploitation, prompt remediation and heightened vigilance are essential for organizations relying on Ivanti Endpoint Manager.
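The path-traversal and unrestricted-upload flaws described above both trace back to unvalidated user-supplied paths and filenames. As an added example that is not code from Ivanti or ZDI, the following Python function shows the shape of upload-path validation that closes that class of bug: it rejects directory separators, dot segments, NUL bytes and any extension outside an allowlist, then confirms that the resolved path still sits directly under the upload directory. The allowlist contents and the `uploads` directory name are assumptions made for the example.

```python
from pathlib import Path

# Constructed allowlist for the example; a real product would derive this from
# the file types the feature actually needs to accept.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf", ".txt"}


class UnsafePathError(ValueError):
    """Raised when a user-supplied filename must not be written to disk."""


def safe_upload_path(base_dir, user_supplied_name):
    """Return the on-disk Path for an upload, or raise UnsafePathError.

    Validation order: cheap string checks first (separators, dot segments,
    NUL, extension), then a filesystem-level containment check on the
    resolved path so that symlinks inside base_dir cannot redirect the write.
    """
    base = Path(base_dir).resolve()
    name = str(user_supplied_name)

    if not name or "\x00" in name:
        raise UnsafePathError("empty name or embedded NUL byte")
    if "/" in name or "\\" in name:
        # Reject rather than strip: a client sending '../' is not a client to trust.
        raise UnsafePathError("directory separators are not allowed in a filename")
    if name in {".", ".."} or name.startswith("."):
        raise UnsafePathError("dot segments and dot-files are rejected")
    if Path(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        # suffix is the LAST extension, so 'x.pdf.aspx' is judged by '.aspx'.
        raise UnsafePathError(f"extension not allowed: {name!r}")

    target = (base / name).resolve()
    # Defence in depth: the resolved file must have base as its immediate parent.
    if target.parent != base:
        raise UnsafePathError("resolved path escapes the upload directory")
    return target


def is_safe_upload_name(base_dir, user_supplied_name):
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        safe_upload_path(base_dir, user_supplied_name)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    for candidate in ["report.pdf", "../../etc/passwd", "..\\..\\web.config",
                      "shell.aspx", "img.png\x00.aspx", ".htaccess"]:
        verdict = "accept" if is_safe_upload_name("uploads", candidate) else "reject"
        print(f"{verdict:7} {candidate!r}")
```

Two design points matter here. The function rejects on any separator instead of calling a basename helper, because silently stripping `../` hides an attack in the logs and still leaves the extension check as the only barrier. And the final `resolve()` comparison runs even when every string check passed, which is what protects the service account's write if the upload directory itself contains a symlink.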
1 month ago