Ivanti Endpoint Manager Mobile Pre-Auth RCE Zero-Days (CVE-2026-1281, CVE-2026-1340)
Ivanti issued emergency patches for two critical zero-day vulnerabilities in Endpoint Manager Mobile (EPMM)—CVE-2026-1281 and CVE-2026-1340—described as code-injection flaws that can enable pre-auth remote code execution. Reporting indicates successful exploitation could allow attackers to run arbitrary code and potentially access sensitive device and user data managed by EPMM, elevating risk for organizations using the product for mobile device management.
Technical discussion and community commentary amplified the disclosure, pointing to detailed research write-ups (including analysis focused on exploitation mechanics) and reinforcing the urgency of patching internet-exposed EPMM instances. Separate industry coverage during the same period also emphasized broader 2026 security priorities (AI-enabled social engineering, quantum-readiness, and general vulnerability management), but did not add incident-specific details about the Ivanti EPMM zero-days beyond the general call to improve patching discipline.
Related Stories

Ivanti EPMM Zero-Day RCE via CVE-2026-1281 and CVE-2026-1340
Ivanti disclosed two **critical, actively exploited** Ivanti Endpoint Manager Mobile (*EPMM*) vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340**, described as unauthenticated code-injection issues enabling **remote code execution (RCE)** and rated **CVSS 9.8**. Ivanti reported exploitation affecting a *very limited number* of customers at disclosure and warned that compromise of the EPMM appliance could expose sensitive data stored in the platform (e.g., admin/user details and managed-device metadata such as phone numbers, IPs, installed apps, and identifiers like IMEI/MAC) and could let attackers change device configurations via the API or web console, including authentication-related settings. Guidance from national cybersecurity authorities emphasized that EPMM's role in mobile device management makes it a pivot point into internal environments, so a compromised appliance can enable lateral movement.

Affected versions include EPMM **12.5.x, 12.6.x, and 12.7.x** (the advisory names **12.5.1.0** and **12.6.1.0** and earlier builds explicitly); Ivanti's cloud offerings (e.g., *Ivanti Neurons for MDM*) and the separate *Ivanti Endpoint Manager (EPM)* product are not impacted. Ivanti provided interim RPM-based hotfixes, with the caveat that a hotfix may need to be reapplied after an upgrade, and indicated that a permanent fix is expected in **EPMM 12.8.0.0**. Organizations were advised to patch immediately and to review appliances for compromise indicators such as anomalous logs and unexpected admin or configuration changes.
1 month ago
Active Exploitation of Ivanti EPMM Zero-Day RCE Vulnerabilities
**Ivanti Endpoint Manager Mobile (EPMM)** is being actively exploited via two critical, unauthenticated remote code execution vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340** (both reported as CVSS 9.8). Reporting describes attackers achieving full control of exposed EPMM/MDM infrastructure, including establishing reverse shells, deploying web shells, performing reconnaissance, and downloading additional malware; activity has been observed across multiple countries and sectors (including government, healthcare, manufacturing, and technology). **CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) Catalog**, and defenders are urged to apply Ivanti’s available fixes/updates per the vendor advisory. Telemetry and threat-intel observations indicate broad internet exposure and automation in exploitation. Unit 42 reported visibility into **4,400+** EPMM instances, and noted threat actors shifting from initial exploitation toward **dormant backdoors** intended to preserve access even after patching. GreyNoise data highlighted that a large share of observed exploitation traffic (reported as **83%**) originated from a single IP, `193.24.123.42`, associated with “bulletproof” hosting, with attackers rotating user-agent strings consistent with mass scanning/exploitation; the same infrastructure was also linked to attempts against other products (e.g., Oracle WebLogic, `telnetd`, and GLPI).
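The single-source, user-agent-rotating pattern that GreyNoise describes is something defenders can look for in their own EPMM front-end access logs. The following Python script is an added example, not code from the original page, Ivanti, GreyNoise or Unit 42: it parses combined-format access log lines, profiles each source address by its share of requests and its number of distinct User-Agent strings, and flags addresses that either appear on a watchlist or dominate the traffic while rotating agents. Only the address 193.24.123.42 is taken from the reporting above; the log format, request paths, timestamps, the other addresses and the thresholds are constructed assumptions.

```python
"""
Added example, not code from the original page, Ivanti, GreyNoise or Unit 42.
It flags the traffic shape the reporting describes for this campaign: one
source address producing most of the requests while rotating its User-Agent.
Only the address 193.24.123.42 comes from the reporting; the log format,
request paths, timestamps, other addresses and thresholds are constructed.
"""
import re
from collections import defaultdict

# Combined-log-format access records. CONSTRUCTED sample data: the request
# paths are neutral placeholders, not the exploit requests themselves.
SAMPLE_LOG = """\
193.24.123.42 - - [10/Feb/2026:03:14:01 +0000] "POST /api HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
193.24.123.42 - - [10/Feb/2026:03:14:02 +0000] "POST /api HTTP/1.1" 200 512 "-" "curl/8.4.0"
193.24.123.42 - - [10/Feb/2026:03:14:03 +0000] "POST /api HTTP/1.1" 500 211 "-" "python-requests/2.31"
193.24.123.42 - - [10/Feb/2026:03:14:04 +0000] "POST /api HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
193.24.123.42 - - [10/Feb/2026:03:14:05 +0000] "POST /api HTTP/1.1" 200 512 "-" "curl/8.4.0"
193.24.123.42 - - [10/Feb/2026:03:14:06 +0000] "POST /api HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.5 - - [10/Feb/2026:03:15:10 +0000] "GET /login HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.5 - - [10/Feb/2026:03:15:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - - [10/Feb/2026:03:16:00 +0000] "GET /login HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.7 - - [10/Feb/2026:03:16:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh)"
"""

# Address named in the GreyNoise reporting quoted on this page.
WATCHLIST = frozenset({"193.24.123.42"})

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def profile_sources(log_text):
    """Per source IP: request count, share of all parsed requests, and the
    set of distinct User-Agent strings it presented."""
    counts = defaultdict(int)
    agents = defaultdict(set)
    total = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable lines are skipped, not counted
        total += 1
        counts[rec["ip"]] += 1
        agents[rec["ip"]].add(rec["ua"])
    return {
        ip: {"requests": n, "share": n / total, "user_agents": agents[ip]}
        for ip, n in counts.items()
    }


def flag_sources(profiles, watchlist=WATCHLIST, share_threshold=0.5, min_user_agents=3):
    """Map each suspicious IP to the reasons it was flagged. An IP is flagged
    if it is on the watchlist, or if it accounts for at least share_threshold
    of requests while presenting at least min_user_agents distinct agents."""
    flags = {}
    for ip, p in profiles.items():
        reasons = []
        if ip in watchlist:
            reasons.append("address on watchlist")
        if p["share"] >= share_threshold and len(p["user_agents"]) >= min_user_agents:
            reasons.append(
                f"{p['share']:.0%} of requests with {len(p['user_agents'])} distinct User-Agents"
            )
        if reasons:
            flags[ip] = reasons
    return flags


if __name__ == "__main__":
    for ip, reasons in flag_sources(profile_sources(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

The watchlist alone is brittle (the reporting notes the same infrastructure was aimed at other products, and actors move between addresses), so the behavioural test carries the real weight: tune `share_threshold` and `min_user_agents` to the appliance's normal traffic, and treat a hit as a prompt to hunt for the web shells, reverse shells and dormant backdoors the reporting describes, not as proof of compromise on its own.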
3 weeks ago
Multiple Remote Code Execution Vulnerabilities in Ivanti Endpoint Manager
Ivanti Endpoint Manager (EPM, a separate product from the EPMM mobile appliance discussed above) has been found to contain several critical vulnerabilities that could allow remote code execution (RCE). The Zero Day Initiative (ZDI) disclosed thirteen vulnerabilities affecting undisclosed versions of Ivanti Endpoint Manager, several of which remained unpatched at the time of disclosure.

Among these, ZDI-25-935 is particularly severe: a remote, unauthenticated attacker can achieve RCE by tricking a user into visiting a malicious webpage or opening a malicious file, and an attacker holding administrative credentials can exploit it without any user interaction. The flaw arises from improper validation of user-supplied paths in the OnSaveToDB method, resulting in a path traversal vulnerability. Another significant vulnerability, ZDI-25-952 (CVE-2025-9872), involves the UniqueFilename attribute: insufficient validation allows unrestricted file uploads, and exploitation lets attackers execute arbitrary code in the context of the NETWORK SERVICE account, again requiring either user interaction or administrative credentials. Both ZDI-25-935 and ZDI-25-952 carry a CVSS score of 8.8 (High), so organizations running affected versions face serious risk.

Additional vulnerabilities, such as ZDI-25-936 and ZDI-25-947, involve SQL injection and privilege escalation, further increasing the attack surface. The SQL injection vulnerabilities stem from improper validation of user-supplied strings in the Report_Run and Report_Run2 classes, allowing attackers to execute code as the service account. Ivanti has issued updates addressing at least some of these vulnerabilities, specifically a patch for CVE-2025-9872. The vulnerabilities were reported to Ivanti in June 2025, with coordinated public disclosure in October 2025.
Attackers exploiting these flaws could gain significant control over affected systems, potentially leading to data theft, lateral movement, or disruption of endpoint management operations. Organizations are strongly advised to identify Ivanti Endpoint Manager installations within their networks and apply the latest security updates as soon as possible. The vulnerabilities highlight the importance of robust input validation and secure file handling in enterprise software. Security teams should also review user privileges and monitor for suspicious activity related to file uploads or unusual database queries. Given the critical nature of these vulnerabilities and the potential for exploitation, prompt remediation and heightened vigilance are essential for organizations relying on Ivanti Endpoint Manager.
5 months ago
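The two file-handling defects described in the story above (a user-supplied path joined onto a directory without validation, and an upload whose name and type are accepted as given) are worth seeing beside a hardened version. The following Python is an added example, not code from the original page or from Ivanti's product, and it generalises beyond the specific methods named: `vulnerable_save_path` reproduces the traversal pattern, and `safe_save_path` keeps only the final path component, allowlists the extension, generates the on-disk name server-side, and confirms that the resolved path is still inside the base directory. The directory, the extension allowlist and the function names are assumptions.

```python
"""
Added example, not code from the original page or from Ivanti. It places the
two file-handling defects the ZDI advisories describe (a client-controlled
path that escapes the intended directory, and an upload whose name and type
are not validated) next to a hardened version. UPLOAD_DIR, ALLOWED_EXTS and
the function names are assumptions made for the example.
"""
import os
import uuid

UPLOAD_DIR = "/srv/app/uploads"                      # constructed base directory
ALLOWED_EXTS = frozenset({".pdf", ".png", ".csv"})   # assumed allowlist


def vulnerable_save_path(base_dir, client_path):
    """The defect: the client string is joined onto the base directory as-is.
    '../' segments walk out of base_dir, and an absolute path replaces it."""
    return os.path.normpath(os.path.join(base_dir, client_path))


def escapes_base(base_dir, path):
    """True when `path`, after symlink and '..' resolution, is not inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) != base


def safe_save_path(base_dir, client_filename, allowed_exts=ALLOWED_EXTS,
                   name_fn=lambda: uuid.uuid4().hex):
    """Hardened version: the client string is used only to pick an allowlisted
    extension; the on-disk name is generated server-side and re-checked."""
    # 1. Keep only the final component. Backslashes are treated as separators
    #    too, so a Windows-style path cannot smuggle in directory segments.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("empty or invalid filename")
    # 2. Allowlist the extension; anything the web server might execute is out.
    ext = os.path.splitext(name)[1].lower()
    if ext not in allowed_exts:
        raise ValueError(f"extension {ext!r} not allowed")
    # 3. Server-generated name: no byte of the client string reaches the path.
    target = os.path.join(base_dir, name_fn() + ext)
    # 4. Defence in depth: confirm the resolved path is still inside base_dir.
    if escapes_base(base_dir, target):
        raise ValueError("resolved path escapes the upload directory")
    return os.path.realpath(target)


def rejects(base_dir, client_filename):
    """Helper for checks: True if the hardened path builder refuses the input."""
    try:
        safe_save_path(base_dir, client_filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for attempt in ("../../web/shell.aspx", "/etc/passwd", "report.pdf"):
        weak = vulnerable_save_path(UPLOAD_DIR, attempt)
        hardened = "rejected" if rejects(UPLOAD_DIR, attempt) else safe_save_path(UPLOAD_DIR, attempt)
        print(f"{attempt!r}: vulnerable -> {weak} (escapes base: {escapes_base(UPLOAD_DIR, weak)}); "
              f"hardened -> {hardened}")
```

The layers are not interchangeable: an extension allowlist without the server-generated name still lets the client choose where the file lands, and a containment check without the allowlist still lets a web-executable file land inside a served directory. The SQL injection findings in Report_Run and Report_Run2 call for the analogous fix on the database side, parameterised queries in place of string-built SQL.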