Ivanti Endpoint Manager Vulnerability Allows Remote Code Execution


Ivanti has disclosed two critical vulnerabilities affecting Endpoint Manager Mobile (EPMM) that could allow attackers to achieve unauthenticated remote code execution.

The flaws, tracked as CVE-2026-1281 and CVE-2026-1340, both stem from code injection issues and carry a maximum CVSS severity score of 9.8, indicating critical risk to affected deployments.

Vulnerability Overview

Both vulnerabilities enable attackers to execute arbitrary code without authentication on vulnerable EPMM instances.

The attack requires only network access, with no additional privileges or user interaction needed.

Ivanti confirmed that a limited number of customers have already experienced exploitation at the time of disclosure, underscoring the active threat posed by these flaws.

Notably, the vulnerabilities are isolated to EPMM and do not impact other Ivanti products, including cloud-based solutions like Ivanti Neurons for MDM or Ivanti Endpoint Manager (EPM).

| CVE ID | CVSS Score | Vector | CWE | Impact |
|---|---|---|---|---|
| CVE-2026-1281 | 9.8 (Critical) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-94 | Unauthenticated RCE |
| CVE-2026-1340 | 9.8 (Critical) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-94 | Unauthenticated RCE |

Customers utilizing Ivanti cloud products with Sentry integration remain unaffected by these particular vulnerabilities.

Multiple EPMM versions are vulnerable, including versions 12.5.0.0, 12.6.0.0, 12.7.0.0, 12.5.1.0, and 12.6.1.0.

Ivanti has released RPM patch files specific to each version track. Organizations running versions 12.5.0.x, 12.6.0.x, or 12.7.0.x should apply RPM 12.x.0.x, while those on 12.5.1.0 or 12.6.1.0 require RPM 12.x.1.x. The patches can be installed without downtime and do not impact system functionality.

The permanent fix will be included in EPMM version 12.8.0.0, expected in Q1 2026.

Importantly, the RPM patch does not persist through version upgrades; organisations upgrading after applying the RPM will need to reinstall the patch.
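The track mapping and the reapply-after-upgrade rule above can be checked across a fleet with a short script. This is an added example, not Ivanti tooling: the inventory records, host names, and the `patched_at` field are constructed assumptions, and versions the article does not list are reported as needing a check against the vendor advisory.

```python
import re

# Constructed inventory (hypothetical hosts). "patched_at" is the version the
# host was running when the RPM patch was last applied (None = never applied).
INVENTORY = [
    {"host": "epmm-a", "version": "12.5.0.0", "patched_at": None},
    {"host": "epmm-b", "version": "12.6.1.0", "patched_at": "12.6.1.0"},
    {"host": "epmm-c", "version": "12.7.0.0", "patched_at": "12.6.0.0"},
    {"host": "epmm-d", "version": "12.8.0.0", "patched_at": None},
    {"host": "epmm-e", "version": "12.4.0.0", "patched_at": None},
]

def parse(version):
    """Parse a four-part EPMM version string into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"not a four-part version: {version!r}")
    return tuple(int(p) for p in m.groups())

def rpm_track(version):
    """Return the RPM track the article names for this version, else None."""
    major, minor, third, fourth = parse(version)
    if major == 12 and minor in (5, 6, 7) and third == 0:
        return "12.x.0.x"
    if (major, minor, third, fourth) in ((12, 5, 1, 0), (12, 6, 1, 0)):
        return "12.x.1.x"
    return None

def triage(entry):
    version, patched_at = entry["version"], entry["patched_at"]
    if parse(version) >= (12, 8, 0, 0):
        return "fixed-in-release"        # permanent fix ships in 12.8.0.0
    track = rpm_track(version)
    if track is None:
        return "check-advisory"          # version not covered by the article
    if patched_at is None:
        return f"apply RPM {track}"
    if parse(patched_at) != parse(version):
        return f"reapply RPM {track}"    # patch does not persist across upgrades
    return "patched"

def report(inventory=INVENTORY):
    return {e["host"]: triage(e) for e in inventory}

if __name__ == "__main__":
    for host, action in report().items():
        print(f"{host}: {action}")
```
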

Installation requires prefixing the RPM URL with credentials during deployment.

For environments requiring maximum security posture, Ivanti recommends rebuilding the entire EPMM appliance and migrating the data to it, an approach that eliminates the need for device re-enrollment.

Organizations managing EPMM infrastructure should prioritize patching immediately. The combination of no authentication requirement, no user interaction, and confirmed active exploitation makes these vulnerabilities exceptionally critical.

Early adoption of version 12.8.0.0 upon release is strongly encouraged to eliminate the need for recurring RPM reapplication.
