Ivanti Endpoint Manager Mobile Pre-Auth RCE Zero-Days (CVE-2026-1281, CVE-2026-1340)
Ivanti issued emergency patches for two critical zero-day vulnerabilities in Endpoint Manager Mobile (EPMM)—CVE-2026-1281 and CVE-2026-1340—described as code-injection flaws that can enable pre-auth remote code execution. Reporting indicates successful exploitation could allow attackers to run arbitrary code and potentially access sensitive device and user data managed by EPMM, elevating risk for organizations using the product for mobile device management.
Technical discussion and community commentary amplified the disclosure, pointing to detailed research write-ups (including analysis focused on exploitation mechanics) and reinforcing the urgency of patching internet-exposed EPMM instances. Separate industry coverage during the same period also emphasized broader 2026 security priorities (AI-enabled social engineering, quantum-readiness, and general vulnerability management), but did not add incident-specific details about the Ivanti EPMM zero-days beyond the general call to improve patching discipline.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
EU reports sharp rise in breach notifications and sustained GDPR enforcement
Late-January reporting said EU data breach notifications had risen 22%, averaging more than 400 per day, while GDPR fines in 2025 totaled about €1.2 billion. The increase came amid policy reform discussions tied to Digital Omnibus, NIS2, and DORA.
ShinyHunters-linked phishing and vishing hit multiple U.S. companies
Employees at several U.S. companies were targeted in phishing and vishing attacks, with ShinyHunters claiming responsibility and issuing extortion demands. The activity highlighted continued reliance on social engineering for initial access and pressure tactics.
Cyble discloses ShadowHS Linux post-exploitation framework
Cyble reported on ShadowHS, a stealthy fileless in-memory Linux post-exploitation framework that uses AES-encrypted payloads and memory execution to evade detection. The tooling was described as supporting credential theft, lateral movement, privilege escalation, cryptomining, and data exfiltration.
Cyberattack disrupts Delta alarm and vehicle security services
Delta, a Russian alarm and vehicle security provider, suffered a major cyberattack that disrupted services for tens of thousands of customers. The company said there was no confirmed customer data breach, though an unverified leaked dataset was reportedly circulating online.
CISA adds CVE-2026-1281 to KEV and orders rapid federal remediation
CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog and gave U.S. federal civilian agencies a two-day deadline to remediate. This indicated active exploitation serious enough to trigger urgent government action.
Ivanti releases emergency patches for two EPMM zero-days
Ivanti issued emergency fixes for two critical pre-authentication code injection vulnerabilities in Endpoint Manager Mobile, tracked as CVE-2026-1281 and CVE-2026-1340. The flaws were described as zero-days affecting EPMM deployments.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340) - watchTowr Labs : r/netsec
reddit.com
Open sourceThe Cyber Express Weekly Roundup: Jan 2026 Threats & Trends
thecyberexpress.com
Open sourceOut-of-the-Box Expectations for 2026 Reveal a Grab-Bag of Risk
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ivanti EPMM Zero-Day RCE via CVE-2026-1281 and CVE-2026-1340
Ivanti disclosed two **critical, actively exploited** Ivanti Endpoint Manager Mobile (*EPMM*) vulnerabilities—**CVE-2026-1281** and **CVE-2026-1340**—described as unauthenticated code-injection issues enabling **remote code execution (RCE)** with a **CVSS 9.8** rating. Ivanti reported exploitation affecting a *very limited number* of customers at disclosure and warned that successful compromise of the EPMM appliance could expose sensitive data stored in the platform (e.g., admin/user details and managed-device metadata such as phone numbers, IPs, installed apps, and identifiers like IMEI/MAC), and potentially allow attackers to change device configurations via the API or web console, including authentication-related settings. Guidance from national cybersecurity authorities emphasized that EPMM’s role in mobile device management can make it a pivot point into internal environments, potentially enabling lateral movement if the appliance is compromised. Affected versions include EPMM **12.5.x, 12.6.x, and 12.7.x** (including **12.5.1.0** and **12.6.1.0** and earlier as specified), while Ivanti’s cloud offerings (e.g., *Ivanti Neurons for MDM*) and *Ivanti Endpoint Manager (EPM)* are not impacted. Ivanti provided interim mitigations/hotfixes (RPM-based) with the caveat that hotfixes may need reapplication after upgrades, and indicated a permanent fix is expected in **EPMM 12.8.0.0**; organizations were advised to patch immediately and review appliances for compromise indicators such as anomalous logs and unexpected admin/configuration changes.
May 7, 2026
Ivanti EPMM Zero-Day CVE-2026-6973 Exploited via Stolen Admin Credentials
Ivanti disclosed active exploitation of **CVE-2026-6973**, a high-severity improper input validation flaw in on-premises **Endpoint Manager Mobile (EPMM)** that allows remote code execution when used with administrator authentication. The company said exploitation has been limited to a small number of customers and assessed with high confidence that attackers are using administrator credentials stolen during earlier January attacks involving **CVE-2026-1281** and **CVE-2026-1340**. Affected versions are EPMM releases prior to **12.6.1.1**, **12.7.0.1**, and **12.8.0.1**; Ivanti said **Neurons for MDM**, **EPM**, **Sentry**, and other products are not affected. Ivanti also patched four additional high-severity EPMM flaws—**CVE-2026-5786**, **CVE-2026-5787**, **CVE-2026-5788**, and **CVE-2026-7821**—covering certificate validation and access-control weaknesses that could enable host impersonation, unauthorized access, arbitrary method invocation, and unauthorized device enrollment, though the vendor said it has no evidence those bugs were exploited. **CISA** added CVE-2026-6973 to its **Known Exploited Vulnerabilities** catalog and ordered U.S. federal agencies to remediate by **May 10, 2026**, while national cyber agencies in Canada and Finland urged immediate patching. Ivanti advised customers to rotate EPMM administrator credentials, review privileged accounts, hunt for compromise artifacts such as webshells and reverse shells, and reduce public exposure of management interfaces; internet scans have identified more than **850** exposed EPMM instances, mainly in Europe and North America.
May 10, 2026
Ivanti EPMM Zero-Day Exploitation Exposed Sensitive Government and Enterprise Data
Ivanti warned that two critical zero-day flaws in **Endpoint Manager Mobile (EPMM)** — `CVE-2026-1281` and `CVE-2026-1340` — were being actively exploited, and subsequent reporting described rapid mass exploitation after proof-of-concept code became public. The attacks hit internet-facing EPMM systems used to manage mobile devices, with incident responders documenting a fully automated intrusion chain that successfully exfiltrated sensitive EPMM data and leveraged lesser-known product behaviors alongside an open-source offensive framework. Germany's BSI also issued an alert on active attacks, underscoring the broad operational impact of the campaign. The exploitation wave affected both opportunistic victims and targeted organizations, including governments. Dutch authorities disclosed that attackers had maintained access to the Dutch Custodial Institutions Agency's EPMM server for about five months, exposing employee names, email addresses, phone numbers, and location data, with officials warning of elevated blackmail and extortion risks. Ivanti's earlier handling of **EPMM** flaws, including `CVE-2023-35082`, had already shown that internet-exposed deployments could enable unauthorized access to personally identifiable information, but the company separately clarified that a later May 2026 advisory for **Endpoint Manager (EPM)** — covering `CVE-2026-8109`, `CVE-2026-8110`, and `CVE-2026-8111` — involved a different product and was not tied to the EPMM zero-day exploitation.
May 25, 2026