CVE-2026-1281 and CVE-2026-1340 (CVSS 9.8): Critical vulnerabilities in Ivanti EPMM


Key Takeaways:

  • Two critical vulnerabilities (CVE-2026-1281 and CVE-2026-1340) with a CVSS score of 9.8 allow for unauthenticated remote code execution.
  • Affected versions include Ivanti EPMM 12.7.0.0 and prior; a permanent fix is expected in version 12.8.0.0.
  • At least one vulnerability has been confirmed as exploited in the wild in targeted attacks.
  • Immediate remediation involves applying specific RPM hotfixes provided by the vendor.

On January 29, 2026, Ivanti published a security advisory regarding critical vulnerabilities in Ivanti EPMM (Endpoint Manager Mobile), formerly known as MobileIron Core. These flaws, identified as CVE-2026-1281 and CVE-2026-1340, both carry a CVSS base score of 9.8, indicating a critical severity level. The presence of critical vulnerabilities in Ivanti EPMM presents a significant risk to enterprise mobile infrastructure, as these flaws allow for unauthenticated remote code execution (RCE) via code injection.

CERT-EU has confirmed that at least one of these vulnerabilities has been exploited in a limited number of targeted attacks. For organizations utilizing EPMM to manage mobile device fleets, the potential impact includes full system compromise, unauthorized access to sensitive mobile data, and the ability for attackers to pivot into the internal network.

Technical Analysis of Critical Vulnerabilities in Ivanti EPMM

The vulnerabilities identified as CVE-2026-1281 and CVE-2026-1340 are categorized as code injection flaws. In the context of Ivanti EPMM, this means that the application fails to properly neutralize or validate input before it is processed by the underlying system or interpreter. An unauthenticated attacker can exploit this by sending specially crafted requests to the EPMM appliance, leading to the execution of arbitrary commands.

CVE-2026-1281: Unauthenticated Code Injection

CVE-2026-1281 focuses on a lack of input validation within specific web-facing components of the EPMM server. Because the vulnerability is unauthenticated, the attacker does not require valid credentials or an active session to trigger the exploit. In many enterprise environments, the EPMM interface is accessible from the internet to facilitate communication with remote mobile devices. This exposure increases the attack surface, making the appliance a primary target for initial access brokers and ransomware operators.

CVE-2026-1340: Critical RCE via API or Web Interface

Similar to CVE-2026-1281, CVE-2026-1340 enables remote code execution. The technical root cause involves the improper handling of data structures that are passed to the server’s execution environment. Successful exploitation grants the attacker system-level privileges on the Linux-based appliance. Once an attacker achieves RCE, they can deploy persistent backdoors, exfiltrate the database containing device enrollment data, or intercept communications between the MDM (Mobile Device Management) server and managed endpoints.

Ivanti EPMM serves as a centralized management hub for corporate mobile devices. It handles device enrollment, security policy enforcement, and application distribution. By compromising this central node, an attacker gains a vantage point over the entire mobile fleet. This makes an EPMM compromise a textbook supply-chain risk monitoring failure: the security of the management software itself becomes the weakest link in the corporate defense architecture.

Affected Products and Versions

The scope of these vulnerabilities includes several versions of the Ivanti Endpoint Manager Mobile (EPMM) platform. Organizations should verify their current version against the following list of affected software:

  • Ivanti EPMM 12.5.1.0 and prior
  • Ivanti EPMM 12.6.1.0 and prior
  • Ivanti EPMM 12.7.0.0 and prior

Ivanti has stated that a permanent fix will be integrated into version 12.8.0.0, which is scheduled for release in the first quarter of 2026. Until that version is deployed, temporary hotfixes are required to mitigate the risk of exploitation.
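The version check described above is easy to get wrong when done by hand or with string comparison (a naive string sort puts "12.10.0.0" below "12.7.0.0"). The following script is an added example, not Ivanti tooling: it parses EPMM version strings into integer tuples, classifies each against the affected builds and the 12.8.0.0 fix version named in this advisory, and lists the appliances that still need the hotfix. The hostnames and the 12.10.0.0 build in the sample inventory are constructed for illustration.

```python
# Added example (not Ivanti's tooling): classify EPMM version strings against the
# affected builds listed in the advisory and flag appliances that need the hotfix.
# Versions are compared as integer tuples; a plain string compare would wrongly
# sort "12.10.0.0" below "12.7.0.0".

# Highest affected build per release branch, as listed in the advisory text.
AFFECTED_CEILINGS = {
    (12, 5): (12, 5, 1, 0),
    (12, 6): (12, 6, 1, 0),
    (12, 7): (12, 7, 0, 0),
}
# Permanent fix announced for 12.8.0.0.
FIXED_FROM = (12, 8, 0, 0)


def parse_version(text):
    """Turn 'A.B.C.D' (1 to 4 numeric fields) into a 4-tuple of ints."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def classify(version_text):
    """Return 'fixed', 'affected' or 'unlisted' for one EPMM version string.

    'unlisted' means the build is newer than the ceiling the advisory names for
    its branch but still below 12.8.0.0; treat it as needing confirmation
    against the vendor advisory rather than as safe.
    """
    v = parse_version(version_text)
    if v >= FIXED_FROM:
        return "fixed"
    ceiling = AFFECTED_CEILINGS.get(v[:2])
    if ceiling is None:
        # Any other build below 12.8.0.0 falls under "12.7.0.0 and prior".
        return "affected"
    return "affected" if v <= ceiling else "unlisted"


def triage_inventory(inventory):
    """Map {hostname: version} to {hostname: status} and list hosts needing action."""
    statuses = {host: classify(ver) for host, ver in inventory.items()}
    needs_action = sorted(h for h, s in statuses.items() if s != "fixed")
    return statuses, needs_action


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = {
        "epmm-eu-01": "12.7.0.0",
        "epmm-eu-02": "12.6.1.0",
        "epmm-us-01": "12.8.0.0",
        "epmm-lab-01": "12.10.0.0",
    }
    statuses, todo = triage_inventory(sample)
    for host, status in statuses.items():
        print(f"{host:12} {sample[host]:10} {status}")
    print("hotfix required on:", ", ".join(todo))
```

Anything that does not come back as "fixed" should stay on the remediation list; "unlisted" is deliberately not treated as safe, because a build above the branch ceiling but below 12.8.0.0 is simply not named in the text above.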

The exploitation of Ivanti products has been a recurring trend in the cybersecurity space. Attackers often target edge devices and management consoles because they frequently lack the same level of endpoint detection and response (EDR) coverage as standard workstations.

Data gathered through underground forum intelligence suggests that exploit developers frequently trade PoC (Proof of Concept) code for MDM vulnerabilities. Furthermore, Telegram threat monitoring has shown an increase in discussions regarding Ivanti EPMM among threat actors who specialize in corporate network infiltration. These actors look for unpatched appliances to use as entry points for broader campaigns.

The capability for unauthenticated RCE is a primary driver for ransomware groups. Real-time ransomware intelligence indicates that groups often automate the scanning of IP ranges to find vulnerable Ivanti instances. Once a vulnerable server is identified, exploitation is often followed by the deployment of web shells or Cobalt Strike beacons. Organizations can monitor these threats using a live ransomware API to stay updated on the specific file hashes and IP addresses associated with active EPMM exploitation campaigns.

Practical Takeaways for Technical and Non-Technical Stakeholders

To mitigate the risks associated with CVE-2026-1281 and CVE-2026-1340, technical teams and business leaders must coordinate a rapid response.

Technical Response Actions

  1. Immediate Patching: Apply the vendor-supplied RPM hotfix (RPM 12.x.0 or RPM 12.x.1) immediately. Note that these scripts must be reapplied after any subsequent version upgrade until version 12.8.0.0 is installed.
  2. Forensic Evidence Collection: Before applying the hotfix, capture system logs, web server logs (specifically looking for unusual POST requests), and disk images. This is necessary for breach detection and to determine if exploitation has already occurred.
  3. Network Segmentation: Restrict access to the EPMM administrative interface. If possible, ensure that the management console is only accessible via a VPN or from internal trusted IP ranges.
  4. Credential Rotation: In the event of a suspected compromise, rotate all administrative credentials and certificates associated with the EPMM environment.
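Step 2 above (and the FAQ answer on detecting prior exploitation) asks for a review of web server logs for unusual POST requests to management endpoints. The following script is an added example, not Ivanti or PurpleOps tooling: it parses combined-format access log lines and flags POSTs to management paths that originate outside the trusted administrative ranges, which is the condition step 3 (network segmentation) is meant to make impossible. The management path prefix (/admin-console/), the trusted network (10.20.0.0/16) and every sample log line are hypothetical placeholders; substitute your appliance's real admin paths and your own allow-listed ranges.

```python
import ipaddress
import re
from collections import Counter

# Added example (not Ivanti's or PurpleOps' tooling): flag POST requests to the
# appliance's management paths that come from outside the trusted admin ranges.
# The path prefix and the trusted network below are hypothetical placeholders;
# substitute your appliance's real admin paths and your own allow-listed ranges.
ADMIN_PREFIXES = ("/admin-console/",)                   # hypothetical management path prefix
TRUSTED_NETS = (ipaddress.ip_network("10.20.0.0/16"),)  # assumed internal admin range

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; IPs are from documentation ranges, paths are placeholders.
SAMPLE_LOG = """\
10.20.0.5 - - [30/Jan/2026:08:01:12 +0000] "GET /admin-console/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.20.0.5 - - [30/Jan/2026:08:01:40 +0000] "POST /admin-console/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Jan/2026:08:02:10 +0000] "POST /device-enroll/register HTTP/1.1" 200 2048 "-" "iOS/17"
203.0.113.44 - - [30/Jan/2026:08:03:05 +0000] "POST /admin-console/api/EXAMPLE HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.44 - - [30/Jan/2026:08:03:06 +0000] "POST /admin-console/api/EXAMPLE HTTP/1.1" 500 0 "-" "python-requests/2.31"
not a log line at all
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip_text, trusted_nets=TRUSTED_NETS):
    """True if the source address falls inside one of the allow-listed admin ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable source address is never trusted
    return any(ip in net for net in trusted_nets)


def find_suspicious_posts(log_text, admin_prefixes=ADMIN_PREFIXES, trusted_nets=TRUSTED_NETS):
    """Return parsed entries for POSTs to admin paths from outside the trusted ranges."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] != "POST":
            continue
        if not entry["path"].startswith(admin_prefixes):
            continue  # device-facing endpoints legitimately receive POSTs from the internet
        if is_trusted(entry["ip"], trusted_nets):
            continue
        findings.append(entry)
    return findings


def summarize_by_source(findings):
    """Count flagged requests per source IP, most active first."""
    return Counter(e["ip"] for e in findings).most_common()


if __name__ == "__main__":
    hits = find_suspicious_posts(SAMPLE_LOG)
    for e in hits:
        print(f'{e["ts"]} {e["ip"]} POST {e["path"]} -> {e["status"]} ua={e["ua"]!r}')
    print("by source:", summarize_by_source(hits))
```

Run it against the archived logs collected before the hotfix is applied; a hit is not proof of compromise, but every flagged source deserves a look at the accounts, processes and scheduled tasks created around the same timestamps, and a clean result only holds for the paths and ranges you configured.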

Strategic Considerations for Leadership

  1. Supply-Chain Evaluation: Review the security posture of all third-party management tools. Incorporating supply-chain risk monitoring into the standard procurement process helps identify high-risk vendors.
  2. Monitoring and Alerting: Invest in a dark web monitoring service to identify if corporate credentials or internal server details are being discussed in illicit marketplaces.
  3. Threat Intelligence Integration: Utilize a cyber threat intelligence platform to receive automated alerts when new vulnerabilities affecting the tech stack are disclosed.

PurpleOps Expertise and Services

PurpleOps provides comprehensive support for organizations navigating critical vulnerability disclosures like those found in Ivanti EPMM. Our approach combines proactive monitoring with reactive incident support to minimize the window of exposure.

Through our cyber threat intelligence services, we track the lifecycle of vulnerabilities from initial disclosure to active exploitation. By utilizing dark web monitoring, PurpleOps identifies if your organization’s specific assets are being targeted. This includes brand leak alerting to notify stakeholders if internal configurations are leaked during a breach.

Understanding how an attacker might exploit CVE-2026-1281 requires an offensive mindset. Our teams simulate these attacks to identify weaknesses in your configuration. Furthermore, for organizations requiring a more continuous assessment, our red team operations provide a realistic simulation of how a ransomware group would leverage an EPMM compromise to move laterally.

Given the high CVSS score, these flaws are prime candidates for ransomware deployment. Our ransomware protection services focus on hardening the environment and implementing breach detection mechanisms. We also assist in supply-chain information security, helping organizations assess the risks posed by their software vendors.

Impact of Unauthenticated Remote Code Execution

The severity of CVE-2026-1281 and CVE-2026-1340 cannot be overstated. An unauthenticated RCE vulnerability allows an attacker to bypass all perimeter security controls. If an attacker gains control over the EPMM appliance, they can:

  • Intercept Traffic: Monitor the data flowing to and from mobile devices.
  • Modify Policies: Disable security features on employee phones, such as passcodes or encryption.
  • Deploy Malicious Apps: Push malicious software to all managed mobile devices.
  • Access Internal Databases: Extract sensitive information regarding the company’s internal structure and user accounts.

Using a live ransomware API can help security teams identify the specific payloads being used in the wild to target these systems. This data is essential for updating firewall rules and EDR signatures.

Summary of Actionable Steps

Action Category | Task
--------------- | ----
Identification  | Inventory all Ivanti EPMM appliances and record current versions.
Mitigation      | Apply vendor-provided RPM hotfixes (12.x.0 or 12.x.1) immediately.
Verification    | Check system logs for signs of unauthorized command execution.
Intelligence    | Use underground forum intelligence to monitor for leaked exploits.
Long-term Fix   | Schedule the upgrade to version 12.8.0.0 for Q1 2026.

Frequently Asked Questions (FAQ)

1. What makes CVE-2026-1281 and CVE-2026-1340 so dangerous?
Both are unauthenticated remote code execution (RCE) flaws with a CVSS score of 9.8. This means an attacker can take full control of the Ivanti EPMM server over the internet without needing any login credentials.

2. Is there an official patch available?
Ivanti has released temporary RPM hotfixes for the affected versions. A permanent resolution will be included in version 12.8.0.0, scheduled for Q1 2026.

3. How can I tell if my system has already been exploited?
Security teams should conduct breach detection by reviewing web server logs for unusual POST requests to management endpoints and checking for unexpected new administrative accounts or system processes.

4. Do I need to reapply the hotfix after an upgrade?
Yes. If you upgrade your EPMM version to any version prior to 12.8.0.0, the hotfix script must be executed again to maintain protection.

5. How can PurpleOps help?
PurpleOps offers a cyber threat intelligence platform and services to identify, validate, and help remediate these critical vulnerabilities before threat actors can exploit them.