Ivanti Endpoint Manager Mobile (EPMM) has two zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, described as critical code injection flaws that allow unauthenticated remote code execution, with a CVSS score of 9.8.
Exploitation does not require credentials and can be carried out over the network. Only EPMM appliances are affected, with versions 12.5.0.0, 12.6.0.0, 12.7.0.0 and earlier and 12.5.1.0, 12.6.1.0 and earlier listed as affected. Interim RPM patches have been issued but are not preserved across upgrades; a permanent fix is slated for EPMM version 12.8.0.0 in Q1 2026.
Ivanti has confirmed a limited number of real-world exploitation cases. Detailed threat actor indicators remain scarce; exploitation typically results in web shell or reverse shell deployment for persistence. Organizations are advised to patch first and then assess for compromise. Suggested recovery options include restoring from a known-good backup or building a new EPMM appliance, together with steps such as rotating credentials and replacing certificates.
According to Ivanti’s official advisory, CISA has added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog, mandating remediation for federal agencies by 1 February 2026.