Active Exploitation of Critical Ivanti EPMM Zero-Day Vulnerabilities (CVE-2026-1281, CVE-2026-1340)
February 12th, 2026
Critical

Our Cyber Threat Intelligence Unit is monitoring two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), identified as CVE-2026-1281 and CVE-2026-1340. Ivanti has confirmed active exploitation of these vulnerabilities in select customer environments prior to public disclosure, prompting emergency security updates. These code-injection vulnerabilities allow unauthenticated remote code execution (RCE) on vulnerable EPMM appliances. CVE-2026-1281 is now listed in the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog, underscoring the urgent risk to unpatched systems. Since EPMM serves as a centralized mobile device management platform, successful exploitation could allow attackers to compromise managed devices, manipulate configurations, and establish persistent access within enterprise networks. Because exploitation is ongoing and the interim patches are not a permanent fix, organizations should prioritize remediation and assess their exposure.
Technical Details
CVE IDs:
CVE-2026-1281
CVE-2026-1340
Severity: Critical (CVSS v3.1 9.8)
Vulnerability Type: Code Injection
Impact: Unauthenticated Remote Code Execution
Affected Product: Ivanti Endpoint Manager Mobile (EPMM)
Affected Components / Features:
In-House Application Distribution
Android File Transfer Configuration
Affected Versions:
EPMM 12.5.0.0 and earlier
EPMM 12.5.1.0 and earlier
EPMM 12.6.0.0 and earlier
EPMM 12.6.1.0 and earlier
EPMM 12.7.0.0 and earlier
Attack Characteristics:
Exploitation does not require authentication
Exploitation occurs remotely via vulnerable request handling logic
Successful exploitation results in arbitrary code execution on the appliance
Patch / Remediation Status:
Ivanti released interim RPM-based hotfixes to mitigate the risk of exploitation.
These mitigations are non-persistent and must be reapplied following upgrades or system changes.
Ivanti has indicated that a permanent fix is planned for EPMM version 12.8.0.0.
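The affected-version list and the non-persistent hotfix behaviour above translate into a small triage rule set. The following Python is an added example written for this advisory, not Ivanti tooling: it encodes the version ceilings exactly as the advisory states them, treats 12.8.0.0 as the planned (not yet released) permanent fix, and reports whether an appliance still needs the interim hotfix, needs it reapplied after a change, or needs vendor confirmation. The inventory records and the dotted four-part version format are assumptions made for the example; map your own asset export onto them.

```python
"""Exposure triage for Ivanti EPMM against CVE-2026-1281 / CVE-2026-1340.

Added example, not Ivanti code. Version strings are assumed to be dotted
numerics such as "12.6.1.0" (an assumption about the inventory format).
"""
from __future__ import annotations

from dataclasses import dataclass

# Ceilings straight from the advisory: "X and earlier" for each entry.
AFFECTED_CEILINGS = (
    "12.5.0.0",
    "12.5.1.0",
    "12.6.0.0",
    "12.6.1.0",
    "12.7.0.0",
)
# The advisory says the permanent fix is planned for this release.
PERMANENT_FIX_VERSION = "12.8.0.0"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.6.1.0' into (12, 6, 1, 0); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected EPMM version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass
class Appliance:
    """Constructed inventory record (example schema, not an EPMM export)."""
    name: str
    version: str
    interim_hotfix_applied: bool
    changed_since_hotfix: bool  # upgraded or reconfigured after the hotfix


def version_is_affected(version: str) -> bool:
    """True when the version falls under any 'X and earlier' entry."""
    v = parse_version(version)
    return any(v <= parse_version(c) for c in AFFECTED_CEILINGS)


def triage(app: Appliance) -> str:
    """Return the action the advisory's remediation guidance implies."""
    v = parse_version(app.version)
    if v >= parse_version(PERMANENT_FIX_VERSION):
        # Fix is only planned for 12.8.0.0; confirm with the release notes.
        return "verify-fix"
    if not version_is_affected(app.version):
        # Not covered by the advisory's ranges; confirm status with the vendor.
        return "unlisted"
    if not app.interim_hotfix_applied:
        return "apply-hotfix"
    if app.changed_since_hotfix:
        # Interim RPM hotfixes are non-persistent across upgrades/changes.
        return "reapply-hotfix"
    return "mitigated-interim"


def triage_fleet(fleet: list[Appliance]) -> dict[str, str]:
    """Map each appliance name to its triage action."""
    return {app.name: triage(app) for app in fleet}


if __name__ == "__main__":
    # Constructed sample fleet for illustration.
    fleet = [
        Appliance("epmm-eu-1", "12.6.1.0", False, False),
        Appliance("epmm-us-1", "12.7.0.0", True, True),
        Appliance("epmm-apac-1", "12.5.1.0", True, False),
        Appliance("epmm-lab", "12.8.0.0", False, False),
    ]
    for name, action in triage_fleet(fleet).items():
        print(f"{name}: {action}")
```

The "reapply-hotfix" state is the one most likely to be missed in practice: an appliance that was mitigated last week and upgraded yesterday is back to "apply-hotfix" in all but name, so the `changed_since_hotfix` flag should be driven by change records, not by memory.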

Impact
Successful exploitation of these vulnerabilities may allow threat actors to:
Execute arbitrary commands on vulnerable EPMM appliances
Compromise mobile device management infrastructure
Access or manipulate managed device configurations
Deploy web shells, reverse shells, or persistence mechanisms
Exfiltrate sensitive device or organizational data
Conduct lateral movement into enterprise environments
Disrupt mobile management and operational workflows
Detection Method
Defenders should evaluate Ivanti EPMM systems for anomalous behavior consistent with exploitation or post-compromise activity:
Unusual or unexpected HTTP/HTTPS requests targeting EPMM services
Irregular access patterns involving application distribution features
Suspicious process execution or command activity on appliances
Newly created or modified administrative accounts
Unauthorized configuration or policy changes
Unexpected application push events
Indicators of persistence mechanisms or unknown binaries
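The detection points above can be turned into a first-pass log review. The following Python is an added example for this advisory, not Ivanti code: it reads a constructed JSON-lines log (fields ts, src, user, method, path, status, event, chosen for the example; real EPMM access and audit logs use their own format and must be mapped onto these names) and flags the behaviours the list calls out: feature-endpoint requests with no authenticated principal, bursts of such requests from one source, administrative account changes, and application pushes with no attributed actor. The path fragments in FEATURE_PATH_HINTS are placeholders standing in for the URL space of the In-House Application Distribution and Android File Transfer features; they are not the real EPMM endpoints.

```python
"""Heuristic review of EPMM-side logs for the behaviours listed under Detection Method.

Added example, not Ivanti code. Log schema and path hints are constructed
placeholders for this example.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

FEATURE_PATH_HINTS = ("/inhouse-app", "/android-file-transfer")  # placeholders
BURST_THRESHOLD = 5                  # feature-path requests from one source ...
BURST_WINDOW = timedelta(minutes=1)  # ... within this window
ADMIN_EVENTS = {"admin_account_created", "admin_role_changed"}

# Constructed sample log: one baseline admin request, a run of unauthenticated
# hits on a feature path from one external source, then an admin-account
# creation and an app push with no authenticated actor.
SAMPLE_LINES = [
    '{"ts":"2026-02-12T09:00:00","src":"10.0.0.5","user":"admin1","method":"GET","path":"/admin/dashboard","status":200,"event":"http"}',
    '{"ts":"2026-02-12T09:01:00","src":"203.0.113.7","user":"-","method":"POST","path":"/inhouse-app/upload","status":200,"event":"http"}',
    '{"ts":"2026-02-12T09:01:05","src":"203.0.113.7","user":"-","method":"POST","path":"/inhouse-app/upload","status":200,"event":"http"}',
    '{"ts":"2026-02-12T09:01:10","src":"203.0.113.7","user":"-","method":"POST","path":"/inhouse-app/upload","status":200,"event":"http"}',
    '{"ts":"2026-02-12T09:01:15","src":"203.0.113.7","user":"-","method":"POST","path":"/inhouse-app/upload","status":200,"event":"http"}',
    '{"ts":"2026-02-12T09:01:20","src":"203.0.113.7","user":"-","method":"POST","path":"/inhouse-app/upload","status":200,"event":"http"}',
    '{"ts":"2026-02-12T09:02:00","src":"203.0.113.7","user":"-","method":"POST","path":"/admin/users","status":201,"event":"admin_account_created"}',
    '{"ts":"2026-02-12T09:03:00","src":"203.0.113.7","user":"-","method":"POST","path":"/apps/push","status":200,"event":"app_push"}',
    '{"ts":"2026-02-12T09:05:00","src":"10.0.0.5","user":"admin1","method":"POST","path":"/inhouse-app/upload","status":200,"event":"http"}',
]


def parse_line(line: str) -> dict:
    """Parse one JSON log line and convert the timestamp."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def touches_feature_path(rec: dict) -> bool:
    """True when the request path belongs to one of the affected features."""
    path = rec.get("path", "")
    return any(hint in path for hint in FEATURE_PATH_HINTS)


def analyse(lines: list[str]) -> list[str]:
    """Return one finding per suspicious pattern, in log order."""
    findings: list[str] = []
    recent: dict[str, list[datetime]] = defaultdict(list)  # src -> feature-path hits
    burst_reported: set[str] = set()
    for raw in lines:
        rec = parse_line(raw)
        src = rec.get("src", "?")
        feature_hit = touches_feature_path(rec)
        # 1. Affected-feature endpoints reached without an authenticated principal.
        if feature_hit and rec.get("user", "-") == "-":
            findings.append(f"unauthenticated request to {rec['path']} from {src}")
        # 2. Burst of feature-path requests from one source inside the window.
        if feature_hit:
            recent[src] = [t for t in recent[src] if rec["ts"] - t <= BURST_WINDOW]
            recent[src].append(rec["ts"])
            if len(recent[src]) >= BURST_THRESHOLD and src not in burst_reported:
                burst_reported.add(src)
                findings.append(f"burst of {len(recent[src])} feature-path requests from {src}")
        # 3. Administrative account creation or role change: review every one during an active campaign.
        if rec.get("event") in ADMIN_EVENTS:
            findings.append(f"{rec['event']} by {rec.get('user', '-')} from {src}")
        # 4. Application push with no authenticated actor behind it.
        if rec.get("event") == "app_push" and rec.get("user", "-") == "-":
            findings.append(f"app_push with no authenticated actor from {src}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LINES):
        print(finding)
```

Run it against an export of the appliance's web access and audit logs after mapping the field names. The thresholds are deliberately low; during an active campaign a single unauthenticated hit on the affected features is worth a ticket, and the burst rule exists to collapse a scan into one line rather than to suppress anything.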
Indicators of Compromise
No Indicators of Compromise have been observed.

Recommendations
Organizations operating Ivanti EPMM appliances should take the following actions:
Apply Ivanti’s latest interim RPM hotfixes immediately
Reapply mitigations after upgrades or appliance changes
Prioritize upgrade planning for EPMM 12.8.0.0 once available
Restrict management interface exposure to trusted networks
Eliminate unnecessary internet-facing access where possible
Review logs and appliance behavior for signs of compromise
If compromise is suspected, treat the appliance as fully compromised
Rotate credentials associated with the platform and connected services
Revoke and replace certificates if credential or key exposure is possible
Initiate incident response procedures where warranted
Conclusion
The exploitation of CVE-2026-1281 and CVE-2026-1340 demonstrates a continued focus by threat actors on edge systems and enterprise management infrastructure. The combination of unauthenticated remote code execution, confirmed zero-day abuse, and temporary mitigations significantly increases organizational risk. Timely patching, reducing exposure, and proactive compromise assessments are essential to prevent downstream impacts on managed devices and enterprise environments.