Ivanti Issues Urgent Fix for Critical Zero-Day Flaws Under Active Attack – Hackread


Research from watchTowr reveals these zero-day vulnerabilities are being actively exploited. Apply the emergency RPM patch now.

Cybersecurity researchers are warning of a major security crisis involving a tool used by large companies to manage employee mobile phones. The software, known as Ivanti Endpoint Manager Mobile (EPMM), is a central hub for businesses to control corporate emails and apps on iPhones and Android devices.

This isn’t the first time this specific software has been targeted by hackers. In May 2025, Hackread.com reported on two other flaws (CVE-2025-4427 and CVE-2025-4428) that were also being used by attackers to seize control of systems. Now, in January 2026, a new set of even more dangerous vulnerabilities has emerged.

Breaking down the 2026 vulnerabilities

On 29 January 2026, Ivanti released an emergency advisory for two critical code injection flaws tracked as CVE-2026-1281 and CVE-2026-1340. These bugs are particularly dangerous because they allow remote code execution, which means a hacker can take full control of the system from anywhere in the world without needing a password.

Both flaws are classified as CWE-94, which refers to “code injection” issues, and the vulnerabilities have received a nearly perfect severity score of 9.8 out of 10, making their patching an immediate priority for IT teams.

How the flaws work

The problem was found in how the software handles “In-House Application Distribution” and “Android File Transfer” tasks. Security testing firm watchTowr conducted its independent research and shared its findings with Hackread.com, revealing a surprising root cause.

According to watchTowr’s blog post, the system relied on simple “Bash” scripts (basic lists of commands) to process web requests. According to watchTowr’s investigation, an attacker could send a specifically crafted request that “tricks” these scripts into running malicious code.

Benjamin Harris, the CEO of watchTowr, told Hackread.com that these flaws represent “the worst of the worst.” He noted that hackers have already been using these flaws as zero-days to break into systems and set up digital backdoors.

A temporary fix with a catch

While Ivanti has provided a fix, it is not a permanent solution, because the current fix is a temporary script called an RPM patch. The issue is that if an administrator later updates the software to a newer version, this security fix will vanish and must be reinstalled. The watchTowr team suggests that simply patching might not be enough for everyone.

“Organisations that are as of disclosure exposing vulnerable instances to the Internet must consider them compromised,” Harris warned.

According to Ivanti’s security advisory, a permanent update, version 12.8.0.0, is expected later in the first quarter of 2026. Until then, any company using versions 12.7.0.0 or earlier is urged to apply the temporary patch immediately.
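Because the interim fix is an RPM patch that does not survive an upgrade, and the affected range is 12.7.0.0 or earlier with 12.8.0.0 as the permanent fix, a status check that can be re-run after every upgrade is useful. The script below is an added example, not Ivanti’s or watchTowr’s code; it assumes the caller supplies the installed EPMM version string and that the interim patch is an RPM whose package name is the labelled placeholder EPMM_PATCH_RPM, since the article gives neither.

```shell
#!/bin/sh
# Added example; assumptions are labelled:
#   - the installed EPMM version is passed in by the caller (the article does
#     not say how to read it on an appliance);
#   - the interim fix is an RPM whose package name is the PLACEHOLDER below,
#     to be replaced with the name from Ivanti's advisory.
EPMM_PATCH_RPM="${EPMM_PATCH_RPM:-PLACEHOLDER-ivanti-epmm-patch}"

# version_le A B : exit 0 when dotted version A <= B, comparing numerically
# field by field; short versions are padded with zeros (12.7 -> 12.7.0.0).
version_le() {
    a=$(printf '%s' "$1" | awk -F. '{printf "%d %d %d %d", $1, $2, $3, $4}')
    b=$(printf '%s' "$2" | awk -F. '{printf "%d %d %d %d", $1, $2, $3, $4}')
    set -- $a $b            # $1..$4 = fields of A, $5..$8 = fields of B
    for pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        set -- $pair
        [ "$1" -lt "$2" ] && return 0
        [ "$1" -gt "$2" ] && return 1
    done
    return 0
}

# patch_rpm_present : exit 0 when the interim patch RPM is still installed.
patch_rpm_present() { rpm -q "$EPMM_PATCH_RPM" >/dev/null 2>&1; }

# epmm_status VERSION PATCH_PRESENT(yes|no) : prints one word
#   fixed      - 12.8.0.0 or later, the permanent fix named in the advisory
#   patched    - affected version (<= 12.7.0.0) with the interim RPM present
#   vulnerable - affected version with the interim RPM absent (for example
#                after an upgrade silently dropped it)
#   unknown    - between 12.7.0.0 and 12.8.0.0; not covered by the advisory text
epmm_status() {
    if ! version_le "$1" 12.7.0.0; then
        if version_le 12.8.0.0 "$1"; then echo fixed; else echo unknown; fi
    elif [ "$2" = yes ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# epmm_check VERSION : combine the live rpm query with the version rule.
epmm_check() {
    if patch_rpm_present; then present=yes; else present=no; fi
    epmm_status "$1" "$present"
}

# Usage: sh epmm_check.sh 12.7.0.0   (re-run after every EPMM upgrade)
if [ -n "${1:-}" ]; then epmm_check "$1"; fi
```

Run it from a post-upgrade hook or a scheduled job so a "vulnerable" result after an update is caught before the system is exposed again.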

“Ivanti has released updates for Endpoint Manager Mobile (EPMM) which addresses two critical severity vulnerabilities. Successful exploitation could lead to unauthenticated remote code execution. We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti’s advisory confirmed.

What should users do?

It must be noted that these vulnerabilities only affect the “on-premise” version of the software, which is the version installed on a company’s own servers, and not Ivanti’s cloud services. watchTowr researchers suspect that hackers may have already cleared logs to hide their tracks. Because of this, it is recommended that affected businesses consider rebuilding their systems from scratch to ensure no hidden access remains for intruders.

“We knew January seemed too calm – Ivanti’s EPMM solution, the centre point of previous zero-day sagas, is once again receiving in-the-wild exploitation by seemingly capable and well-resourced threat actors,” said Benjamin.

“While patches are available from Ivanti, applying patches will not be enough – threat actors have been exploiting these vulnerabilities as zero-days, and organizations that are as of disclosure exposing vulnerable instances to the Internet must consider them compromised, tear down infrastructure, and instigate incident response processes.”

“Across the watchTowr client base, we are seeing impact across a wide range of high-value industries and targets – this is not a drill, and is unfortunately the January drama we all entirely expected,” he added.
