unit42.paloaltonetworks.com 2/17/2026, 8:55:25 PM · via preferred

Critical Vulnerabilities in Ivanti EPMM Exploited

CyberSIXT Evidence Panel
Primary Source: hub.ivanti.com
CISA KEV: Listed in KEV
Patch: Patch Available

Two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild. Unauthenticated attackers can remotely execute arbitrary code on target servers and gain full control over the MDM infrastructure.

Unit 42 has observed widespread exploitation, including reverse shells, web shells, reconnaissance, and malware downloads that target enterprise mobile fleets and corporate networks across sectors such as state and local government, healthcare, manufacturing, professional and legal services, and high technology. The United States Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) Catalog.

Palo Alto Networks’ Cortex Xpanse telemetry identifies over 4,400 Ivanti EPMM instances exposed on the public internet. According to Unit 42, attackers are accelerating operations and deploying dormant backdoors to maintain access after systems are patched. Ivanti’s security advisory, released in January 2026, recommends applying the version-specific RPM 12.x.0.x or RPM 12.x.1.x, with no downtime required to patch. The article also notes guidance and indicators of compromise to help responders.


Article by CyberSIXT