
Understanding Ivanti EPMM Critical RCE Vulnerabilities (CVE-2026-1281 & CVE-2026-1340)
Jan 30, 2026
Ivanti products have become a frequent target for threat actors due to their widespread deployment in enterprise environments and their privileged access to networks and devices. In early 2026, Ivanti disclosed two critical vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM) that significantly raise the risk profile for organizations running on-premises deployments.
These vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, allow unauthenticated remote code execution (RCE) and have been confirmed as actively exploited in the wild.
This post explains what these CVEs are, how they work at a high level, why they are dangerous, and what organizations should do immediately.
What Is Ivanti?
Ivanti is an enterprise IT software company that develops tools for IT service management (ITSM), endpoint security, patch management, identity and access management, and network security. Its products are widely used by medium to large organizations to manage devices, users, and infrastructure across on-premises and remote environments.
Ivanti solutions often operate with high privileges and deep visibility into enterprise networks. This makes them powerful, but also highly attractive targets for attackers when vulnerabilities are discovered.
What Is Ivanti Endpoint Manager Mobile (EPMM)?
Ivanti Endpoint Manager Mobile (EPMM) is a Unified Endpoint Management (UEM) platform.
It is designed to manage, secure, and monitor mobile and endpoint devices across an organization.
EPMM Is Commonly Used To:
- Enroll and manage mobile devices running iOS and Android
- Enforce security policies including passcodes, encryption, and compliance
- Distribute enterprise applications
- Control device configurations and updates
- Perform remote actions such as lock, wipe, and reset
- Integrate with identity providers and directory services
- Support Bring Your Own Device (BYOD) environments
In many organizations, EPMM acts as a central control plane for thousands of corporate or employee-owned devices.
Why EPMM Is a High-Value Target
Because of its role, EPMM typically has:
- Administrative access to managed devices
- Credentials or tokens tied to directory services
- Network-level trust inside the enterprise
- The ability to push software and configurations remotely
If an attacker compromises EPMM, they may be able to:
- Take control of enrolled devices
- Distribute malicious applications
- Harvest sensitive corporate data
- Move laterally into internal systems
- Establish long-term persistence
This is why unauthenticated remote code execution vulnerabilities such as CVE-2026-1281 and CVE-2026-1340 are considered critical risk issues rather than routine bugs.
How This Relates to the CVEs
The vulnerabilities discussed in this advisory affect on-premises EPMM deployments, where the organization is responsible for server exposure, patch management, and monitoring.
When EPMM is exposed to the internet and left unpatched, attackers can exploit these flaws without credentials, potentially gaining control over both the management platform and the devices it controls.
What Are CVE-2026-1281 and CVE-2026-1340?
Both CVEs are code injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). When exploited, they allow an attacker to send specially crafted requests that are improperly handled by the application, resulting in arbitrary command execution on the EPMM server.
Key Characteristics
- Attack Vector: Network
- Authentication Required: ❌ None
- Impact: Full remote code execution
- Severity: Critical (CVSS 9.8)
- Exploit Status: Confirmed active exploitation
Because EPMM often runs with elevated privileges and manages mobile devices, a successful exploit can have cascading consequences across an organization.
Affected Products
These vulnerabilities affect on-premises Ivanti Endpoint Manager Mobile (EPMM) installations.
At the time of disclosure, the following versions were impacted:
- EPMM 12.5.x
- EPMM 12.6.x
- EPMM 12.7.x
Note: Ivanti cloud-hosted services and unrelated Ivanti products are not affected by these specific CVEs.
Why These Vulnerabilities Are Especially Dangerous
1. Unauthenticated Access
Attackers do not need valid credentials. Any exposed EPMM instance reachable from the internet is potentially exploitable.
2. Remote Code Execution
RCE vulnerabilities represent the highest risk class because they allow attackers to:
- Install web shells or backdoors
- Exfiltrate sensitive data
- Move laterally inside the network
- Push malicious applications or configurations to managed devices
3. Real-World Exploitation
At least one of the vulnerabilities has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming that attackers are already using it in real attacks.
Historically, Ivanti vulnerabilities have been leveraged by both ransomware groups and state-aligned actors, making rapid response critical.
How Ivanti Responded
Ivanti released emergency mitigation patches (RPM hotfixes) for affected EPMM versions. These patches address the immediate exploitation risk but are considered temporary mitigations.
A permanent fix is expected in a future major EPMM release (12.8 or later).
Important considerations:
- Emergency RPM patches do not persist through major upgrades
- Organizations must reapply mitigations if upgrading before a fixed release
- Delaying patching significantly increases compromise risk
Recommended Actions for Organizations
1. Patch Immediately
Apply Ivanti’s emergency RPM patches for your EPMM version without delay.
If patching cannot be completed immediately:
- Restrict external access to EPMM
- Place the system behind a VPN or IP allowlist
- Monitor aggressively for suspicious activity
2. Hunt for Indicators of Compromise (IOCs)
Security teams should review:
- Web server access logs for POST requests to endpoints you do not recognize, repeated POSTs from a single source address, or requests for script files (for example .jsp) outside the normal application paths
- Recently created or modified WAR, JSP, or JAR files on the appliance that are not part of the shipped install
- Unusual outbound network connections
- Unexpected admin account creation or configuration changes
If compromise is suspected, treat the system as fully breached and follow incident response procedures.
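The two log- and file-based checks above can be scripted so they run the same way on every appliance. The following is an added example for this post, not Ivanti code and not a detection signature for these CVEs. It assumes the appliance writes an Apache/NGINX "combined" format access log, that the operator supplies the set of request paths seen during normal operation (the BASELINE_PATHS placeholder), and that web-application content lives under a directory the operator points at; the log lines and file entries it runs on are constructed sample data.

```python
"""Triage helpers for hunting post-exploitation traces on a management appliance.

Added example, not part of the original advisory. Everything about paths and
log format is an assumption to be adjusted for the real deployment.
"""
import os
import re
import time
from collections import Counter

# Apache/NGINX "combined" access-log format (assumption about the appliance's logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Operator-supplied baseline of endpoints seen during normal operation.
# Placeholder values, not real EPMM routes; build this from a known-good period.
BASELINE_PATHS = {"/login", "/api/v1/devices/checkin", "/admin/dashboard"}

# File types the advisory says to look for when they appear outside the shipped install.
WEBAPP_EXTENSIONS = (".war", ".jsp", ".jar")

# Constructed sample log: a scripted client probing an unlisted endpoint, then
# fetching a .jsp it should not need, followed by an ordinary admin login.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jan/2026:02:14:01 +0000] "POST /api/v1/devices/checkin HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [30/Jan/2026:02:14:02 +0000] "POST /api/v1/unexpected HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [30/Jan/2026:02:14:03 +0000] "POST /api/v1/unexpected HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [30/Jan/2026:02:14:04 +0000] "POST /api/v1/unexpected HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [30/Jan/2026:02:14:05 +0000] "POST /api/v1/unexpected HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [30/Jan/2026:02:14:09 +0000] "GET /static/x.jsp?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.20 - - [30/Jan/2026:08:00:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [30/Jan/2026:08:00:12 +0000] "GET /admin/dashboard HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one access-log line (query string stripped), or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def hunt_access_log(lines, baseline_paths=BASELINE_PATHS, burst_threshold=5):
    """Apply three checks to access-log lines and return a list of findings.

    post_unexpected_path    POST to a path outside the baseline
    webapp_artifact_request request for a .jsp/.war/.jar path outside the baseline
    post_burst              burst_threshold or more POSTs from one source address
    """
    findings = []
    posts_per_ip = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line; in a real hunt, count these too
        if rec["method"] == "POST":
            posts_per_ip[rec["ip"]] += 1
            if rec["path"] not in baseline_paths:
                findings.append({"check": "post_unexpected_path", "ip": rec["ip"],
                                 "path": rec["path"], "status": rec["status"]})
        if rec["path"].lower().endswith(WEBAPP_EXTENSIONS) and rec["path"] not in baseline_paths:
            findings.append({"check": "webapp_artifact_request", "ip": rec["ip"],
                             "path": rec["path"], "status": rec["status"]})
    for ip, count in posts_per_ip.items():
        if count >= burst_threshold:
            findings.append({"check": "post_burst", "ip": ip, "count": count})
    return findings


def walk_webapp_files(root):
    """Yield (path, mtime) for every file under root (thin wrapper around os.walk)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.path.getmtime(path)
            except OSError:
                continue


def find_unexpected_artifacts(entries, known_files, max_age_days=30, now=None):
    """Return .war/.jsp/.jar paths modified within max_age_days that are not in
    known_files, the inventory of files the shipped install is expected to contain."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    return sorted(path for path, mtime in entries
                  if path.lower().endswith(WEBAPP_EXTENSIONS)
                  and path not in known_files and mtime >= cutoff)


if __name__ == "__main__":
    for finding in hunt_access_log(SAMPLE_LOG):
        print(finding)
    # On a real appliance, point walk_webapp_files at the web-application directory
    # (location is deployment-specific) and pass an inventory of the shipped files.
```

The baseline-of-known-paths approach deliberately avoids encoding exploit URIs: it flags anything outside normal behaviour, so it stays useful after the next CVE. The trade-off is noise on a freshly built baseline, so build it from a period you are confident predates exposure.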
3. Reduce Attack Surface
Do not expose EPMM directly to the internet unless absolutely required.
- Enforce network segmentation
- Limit administrative access
- Apply a Web Application Firewall (WAF) where feasible, as defense in depth rather than a substitute for the patch
4. Plan for a Permanent Upgrade
Track Ivanti’s release of a fully patched version and plan to upgrade as soon as it becomes available.
Lessons Learned
These CVEs reinforce several important security principles:
- Edge and management systems are high-value targets
- Unauthenticated RCE flaws require immediate action
- Patch delays dramatically increase risk
- Assume compromise when exploitation is confirmed in the wild
Organizations using Ivanti products should treat vulnerability management as a continuous operational priority, not a periodic task.
Final Thoughts
CVE-2026-1281 and CVE-2026-1340 are a stark reminder that infrastructure and device-management platforms sit at the heart of enterprise security. When they fail, the blast radius is large.
Rapid patching, proactive monitoring, and long-term architectural hardening are the defenses that actually shrink that blast radius.
