Ivanti EPMM Zero-Day RCE via CVE-2026-1281 and CVE-2026-1340
Ivanti disclosed two critical, actively exploited vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, described as unauthenticated code-injection issues that enable remote code execution (RCE) and rated CVSS 9.8. At disclosure Ivanti reported exploitation affecting a very limited number of customers. It warned that a successful compromise of the EPMM appliance could expose sensitive data held by the platform (admin and user details, and managed-device metadata such as phone numbers, IP addresses, installed apps, and identifiers like IMEI and MAC) and could let attackers change device configurations through the API or web console, including authentication-related settings.
Guidance from national cybersecurity authorities stressed that EPMM's role in mobile device management makes the appliance a potential pivot point into internal environments, enabling lateral movement if it is compromised. Affected versions include EPMM 12.5.x, 12.6.x, and 12.7.x (including 12.5.1.0 and 12.6.1.0 and earlier, as specified in Ivanti's advisory); Ivanti's cloud offerings (e.g., Ivanti Neurons for MDM) and Ivanti Endpoint Manager (EPM) are not impacted. Ivanti provided interim RPM-based hotfixes, with the caveat that hotfixes may need to be reapplied after upgrades, and indicated that a permanent fix is expected in EPMM 12.8.0.0. Organizations were advised to patch immediately and to review appliances for indicators of compromise such as anomalous log entries and unexpected admin or configuration changes.

How this story unfolded
The 11 events below run from the most recent confirmed update back to the earliest known activity.
Ivanti discloses exploited EPMM flaw CVE-2026-6973
On May 7, 2026, Ivanti issued a security advisory for on-premises Endpoint Manager Mobile disclosing multiple vulnerabilities and confirmed active exploitation of CVE-2026-6973. The company said exploitation was very limited at disclosure, urged customers to patch immediately, and stated that Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, and other Ivanti products were not affected.
CISA adds CVE-2026-1340 to KEV and orders federal remediation
By April 8, 2026, CISA had added Ivanti EPMM flaw CVE-2026-1340 to its Known Exploited Vulnerabilities catalog, citing exploitation since January. Federal Civilian Executive Branch agencies were ordered under BOD 22-01 to remediate affected systems by April 11, 2026.
BSI says Ivanti EPMM exploitation dates back to summer 2025
In a February 13, 2026 update cited by Finland's Traficom, Germany's BSI reported that exploitation of the Ivanti EPMM flaws had already occurred as early as summer 2025. The update advised organizations to review historical indicators of compromise, extending the suspected intrusion window well before the January 2026 public disclosure.
watchTowr says multiple threat actors are exploiting the EPMM flaws globally
By February 5, 2026, watchTowr Labs reported seeing multiple threat actors exploiting CVE-2026-1281 and CVE-2026-1340 in global attacks, even as Ivanti disputed a combined exploit chain. Researchers urged organizations with internet-exposed vulnerable EPMM instances to assume compromise, rebuild affected systems, and begin incident response.
Researchers observe broader post-disclosure exploitation surge
In the days after disclosure, researchers and telemetry providers reported exploitation attempts increasing from multiple source IPs against internet-exposed EPMM systems. CyberScoop and later SC Media cited evidence that activity escalated beyond the initially limited victim set.
Shadowserver reports spike in exploitation attempts against CVE-2026-1281
On Saturday, January 31, 2026, the Shadowserver Foundation observed a surge in attempted exploitation of CVE-2026-1281. Reporting published afterward also noted that more than 1,400 Ivanti EPMM instances remained exposed to the internet.
Rapid7 reports heavy exploitation activity in honeypot telemetry
By January 30, 2026, Rapid7 said it had observed substantial exploitation activity targeting the EPMM flaws, including reverse shells over port 443, web shell attempts, and automated droppers. The company also highlighted the risk of PII exposure and lateral movement from a compromised EPMM server.
watchTowr reverse-engineers the patches and releases exploit details
On January 30, 2026, watchTowr Labs analyzed Ivanti's interim patches, traced the flaws to Bash-based URL-mapping scripts, and published proof-of-concept exploitation details for pre-auth remote command execution. The research showed how crafted HTTP requests could trigger command execution through subtle Bash arithmetic-expansion behavior.
Ivanti publishes compromise-hunting and recovery guidance
At disclosure, Ivanti advised defenders to review Apache access logs and look for suspicious requests, web shells, reverse shells, and unexpected WAR or JAR files, while warning that reliable IOCs were limited and logs may be tampered with. For suspected compromise, the company recommended restoring from known-good backups or rebuilding appliances, plus resetting credentials and certificates.
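The following Python script is an added example of how a defender might apply that hunting guidance and the compromise-indicator review mentioned in the summary; it is not Ivanti's tooling and was not published with the advisory. It parses Apache combined-format access log lines, flags request targets that contain shell command-substitution or command-chaining sequences (checked after double percent-decoding), flags source IPs producing bursts of error responses, and lists WAR/JAR files that are not in a known-good baseline inventory. The log lines, IP addresses, URL paths, file paths and the `$(date)` query string are all constructed for the example; the threshold `min_errors` is an assumed tuning knob, not a value from the advisory.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log format (constructed sample lines below follow it).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Sequences used for shell command substitution or command chaining.
# Their presence in a request target is a hunting lead, not proof of compromise.
SHELL_SEQUENCES = re.compile(r'`|\$\(|\$\{|;|\||\r|\n')

# Deployable archive types that should only appear where the product installs them.
DEPLOYABLE = (".war", ".jar")

# Constructed sample log; addresses are documentation ranges, paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2026:10:15:32 +0000] "GET /portal/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Jan/2026:10:16:01 +0000] "GET /api/devices?q=%24%28date%29 HTTP/1.1" 500 0 "-" "curl/8.5.0"
198.51.100.23 - - [29/Jan/2026:10:16:02 +0000] "POST /portal/admin HTTP/1.1" 403 0 "-" "curl/8.5.0"
198.51.100.23 - - [29/Jan/2026:10:16:03 +0000] "POST /portal/admin HTTP/1.1" 403 0 "-" "curl/8.5.0"
198.51.100.23 - - [29/Jan/2026:10:16:04 +0000] "POST /portal/admin HTTP/1.1" 404 0 "-" "curl/8.5.0"
this line is garbage
"""


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_suspicious_target(target):
    """True if the request target contains shell sequences, even when percent-encoded twice."""
    decoded = unquote(unquote(target))
    return SHELL_SEQUENCES.search(decoded) is not None


def hunt_access_log(lines, min_errors=3):
    """Scan log lines and return a list of findings tuples.

    Finding kinds: ("metachar", ip, target), ("error_burst", ip, count),
    ("unparsed", raw_line). Unparseable lines are reported rather than dropped,
    because truncated or altered log entries are themselves worth a look.
    """
    findings = []
    errors_per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", line))
            continue
        if is_suspicious_target(rec["target"]):
            findings.append(("metachar", rec["ip"], rec["target"]))
        if rec["status"] >= 400:
            errors_per_ip[rec["ip"]] += 1
    for ip, count in errors_per_ip.items():
        if count >= min_errors:
            findings.append(("error_burst", ip, count))
    return findings


def unexpected_artifacts(current_paths, baseline_paths):
    """Return deployable archives present now but absent from the known-good baseline."""
    return sorted(
        p for p in current_paths
        if p.lower().endswith(DEPLOYABLE) and p not in baseline_paths
    )


if __name__ == "__main__":
    for finding in hunt_access_log(SAMPLE_LOG.splitlines()):
        print(finding)
    # Constructed inventory: one expected archive, two that the baseline does not know.
    current = ["/opt/app/webapps/portal.war", "/opt/app/webapps/x.war", "/tmp/drop.jar"]
    print(unexpected_artifacts(current, {"/opt/app/webapps/portal.war"}))
```

In practice the baseline inventory would come from a clean appliance of the same version, and the log scan would be run against logs exported off-box. As the advisory itself cautions, an empty result is not evidence of absence, since an intruder may have edited or removed the logs.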
CISA adds CVE-2026-1281 to the KEV catalog
On January 29, 2026, CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog because of active exploitation. U.S. federal civilian agencies were ordered to mitigate or discontinue use of affected systems by early February under BOD 22-01.
Ivanti discloses two exploited EPMM zero-days and issues interim patches
On January 29, 2026, Ivanti disclosed CVE-2026-1281 and CVE-2026-1340, two critical unauthenticated code-injection flaws in Endpoint Manager Mobile (EPMM) that were already exploited against a limited number of customers. The company released version-specific RPM hotfixes, said cloud products and EPM were not affected, and said a permanent fix would come in EPMM 12.8.0.0 later in Q1 2026.
Sources
New Ivanti EPMM 0-Day Vulnerability Actively Exploited in Attacks
cybersecuritynews.com
Warning: Authenticated Remote Code Execution Vulnerability in Ivanti EPMM Exploited, Patch Immediately! | CCB Belgium
ccb.belgium.be
May 2026 Security Advisory Ivanti Endpoint Manager Mobile (EPMM) (Multiple CVEs)
hub.ivanti.com
CISA Warns of Critical Ivanti EPMM Code Injection Vulnerability Exploited in Attacks
cybersecuritynews.com
Ivanti warns of two EPMM flaws exploited in zero-day attacks
bleepingcomputer.com
Critical vulnerabilities in the Ivanti Endpoint Manager Mobile (EPMM) product | Traficom
kyberturvallisuuskeskus.fi
Critical vulnerabilities in the Ivanti Endpoint Manager Mobile (EPMM) product | Kyberturvallisuuskeskus
kyberturvallisuuskeskus.fi