Published on January 30, 2026

Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released


Severity

Critical

Detail

Ivanti has released updates for Endpoint Manager Mobile (EPMM) that address two critical-severity vulnerabilities. Successful exploitation could lead to unauthenticated remote code execution.

| CVE Number | Description | CVSS Score (Severity) |
|---|---|---|
| CVE-2026-1281 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | 9.8 (Critical) |
| CVE-2026-1340 | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | 9.8 (Critical) |

Ivanti stated in its advisory that it is aware of only a small number of customers whose systems were compromised around the time the issue was disclosed, noting that there is currently insufficient insight into the threat actors’ methods to share reliable atomic indicators.

The company also explained that CVE-2026-1281 and CVE-2026-1340 impact only the In-House Application Distribution and Android File Transfer Configuration features, and do not affect other Ivanti products such as Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry.

Affected Version

| Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|
| Ivanti Endpoint Manager Mobile | 12.5.0.0 and prior, 12.6.0.0 and prior, 12.7.0.0 and prior | RPM 12.x.0.x | https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0S-5.noarch.rpm |
| Ivanti Endpoint Manager Mobile | 12.5.1.0 and prior, 12.6.1.0 and prior | RPM 12.x.1.x | https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0L-5.noarch.rpm |

Recommendation

  • Detection currently relies on behavioral and log-based analysis rather than precise indicators of compromise. Ivanti recommends reviewing Apache access logs located at:

/var/log/httpd/https-access_log

  • Requests targeting vulnerable endpoints that return 404 HTTP status codes may indicate attempted or successful exploitation. Ivanti has provided the following regex to help identify suspicious entries:

^(?!127\.0\.0\.1:\d+.*$).*?/mifs/c/(aft|app)store/fob/.*?404
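One way to run the regex above over the access log and summarize hits per source address, as an added example that is not part of Ivanti's advisory. The log layout (first field `ip:port`, status code right after the quoted request), the `scan` function and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Regex from the advisory; the log layout and sample lines below are constructed.
SUSPICIOUS = re.compile(r"^(?!127\.0\.0\.1:\d+.*$).*?/mifs/c/(aft|app)store/fob/.*?404")
# Assumption: the status code is the 3-digit field right after the quoted request.
STATUS = re.compile(r'" (\d{3}) ')

SAMPLE_LOG = [  # constructed lines, documentation-range addresses
    '203.0.113.7:51544 - - [30/Jan/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/PLACEHOLDER HTTP/1.1" 404 196',
    '203.0.113.7:51550 - - [30/Jan/2026:10:01:05 +0000] "GET /mifs/c/aftstore/fob/PLACEHOLDER HTTP/1.1" 404 196',
    '127.0.0.1:40112 - - [30/Jan/2026:10:02:00 +0000] "GET /mifs/c/appstore/fob/PLACEHOLDER HTTP/1.1" 404 196',
    '198.51.100.9:40000 - - [30/Jan/2026:10:03:00 +0000] "GET /mifs/c/appstore/fob/PLACEHOLDER HTTP/1.1" 200 5120',
    '192.0.2.5:40002 - - [30/Jan/2026:10:04:00 +0000] "GET /mifs/c/appstore/fob/PLACEHOLDER HTTP/1.1" 200 404',
    '198.51.100.9:40001 - - [30/Jan/2026:10:05:00 +0000] "GET /index.html HTTP/1.1" 404 196',
]

def scan(lines):
    """Return (hits, per_source); each hit is (line_no, source_ip, store, status)."""
    hits, per_source = [], Counter()
    for line_no, line in enumerate(lines, 1):
        m = SUSPICIOUS.search(line.rstrip("\n"))
        if not m:
            continue
        # First field is "ip:port" (assumed, consistent with the regex's lookahead).
        source_ip = line.split(" ", 1)[0].rsplit(":", 1)[0]
        status = STATUS.search(line)
        hits.append((line_no, source_ip, m.group(1), status.group(1) if status else None))
        per_source[source_ip] += 1
    return hits, per_source

if __name__ == "__main__":
    import sys
    # Pass /var/log/httpd/https-access_log on an appliance; defaults to the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    hits, per_source = scan(lines)
    for line_no, ip, store, status in hits:
        note = "" if status == "404" else "  (404 is not the status field; review)"
        print(f"line {line_no}: {ip} {store}store status={status}{note}")
    print(dict(per_source))
```

The regex matches `404` anywhere after the endpoint path, so the fifth sample line (status 200, response size 404) is also flagged; the parsed status field lets an analyst separate such lines during triage.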

In addition to log review, organizations should examine:

  • Newly created or modified EPMM administrator accounts
  • Changes to SSO, LDAP, or authentication settings
  • Unexpected pushed applications or policy updates
  • Network or VPN configuration changes

Source

https://thehackernews.com/2026/01/two-ivanti-epmm-zero-day-rce-flaws.html

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US