Ivanti Patches Exploited EPMM Zero-Days

Ivanti has released urgent security updates addressing two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) platform, which have already been exploited in the wild. The flaws, tracked as CVE-2026-1281 and CVE-2026-1340, carry a CVSS score of 9.8 and allow unauthenticated attackers to execute remote code, potentially compromising sensitive organizational data.

The vulnerabilities affect EPMM’s in-house application distribution and Android file transfer features. Successful exploitation could give attackers access to administrator credentials, user account details, and mobile device information, including phone numbers, IP addresses, IMEIs, UUIDs, and application metadata. Attackers could also move laterally across networks and manipulate EPMM configurations, such as adding admin accounts, modifying authentication policies, and deploying new apps.

Ivanti confirmed that only a limited number of customers have experienced exploitation so far. The affected versions include EPMM 12.5.0.0, 12.6.0.0, 12.7.0.0, 12.5.1.0, and 12.6.1.0. The company has provided version-specific RPM patches to remediate the vulnerabilities. Customers are advised to apply the patch corresponding to their EPMM version and to reapply it if they upgrade to a newer release. Ivanti recommends upgrading to EPMM version 12.8.0.0, expected in Q1 2026, which will eliminate the need for repeated patch applications.

Exploitation Techniques and Detection

While details on the threat actors exploiting these zero-days remain limited, Ivanti notes that previous EPMM attacks commonly relied on web shell deployments targeting HTTP error pages and reverse shells. Indicators of compromise include unexpected WAR or JAR files and outbound connections logged by firewalls. Threat actors may also attempt to erase or manipulate log entries to hide their activity.
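The two indicators named above, unexpected WAR or JAR files and outbound connections from the appliance, can be checked with a baseline diff and a firewall-log filter. The script below is an added example, not Ivanti's tooling; the archive paths, placeholder hashes and the `SRC=/DST=/DPT=` log format are constructed assumptions, so adapt `inventory()` to the real deployment directory and `LOG_RE` to your firewall's export.

```python
import hashlib
import re
from pathlib import Path

ARCHIVE_SUFFIXES = {".war", ".jar"}
# Constructed log format (an assumption, not any real firewall's): "... SRC=<ip> DST=<ip> DPT=<port> ..."
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dport>\d+)")


def sha256_of(path: Path) -> str:
    """Stream the file so large archives are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root) -> dict:
    """Map relative path -> sha256 for every WAR/JAR below root (run once on a known-good snapshot)."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES}


def diff_inventory(baseline: dict, current: dict):
    """Return (new, modified, missing); new or modified archives with no sanctioned deployment are the finding."""
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return new, modified, missing


def unexpected_outbound(log_lines, appliance_ip: str, allowed_dsts: set):
    """Sorted unique (dst, dport) pairs the appliance itself initiated to non-allowlisted hosts."""
    hits = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["src"] == appliance_ip and m["dst"] not in allowed_dsts:
            hits.add((m["dst"], int(m["dport"])))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample data with placeholder hashes; paths are not EPMM's real layout.
    baseline = {"webapps/app.war": "h1", "lib/core.jar": "h2"}
    current = {"webapps/app.war": "h1", "lib/core.jar": "h9", "webapps/errorpage.war": "h7"}
    print(diff_inventory(baseline, current))  # (['webapps/errorpage.war'], ['lib/core.jar'], [])
    logs = ["2026-01-30T10:00:01Z SRC=10.20.0.5 DST=198.51.100.7 DPT=443 ACTION=ALLOW",
            "2026-01-30T10:00:09Z SRC=10.20.0.5 DST=203.0.113.44 DPT=8443 ACTION=ALLOW",
            "2026-01-30T10:01:00Z SRC=10.20.0.9 DST=203.0.113.44 DPT=8443 ACTION=ALLOW"]
    print(unexpected_outbound(logs, "10.20.0.5", {"198.51.100.7"}))  # [('203.0.113.44', 8443)]
```

Because the advisory notes that attackers may tamper with on-box logs, take the baseline and the firewall export from systems other than the appliance itself.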

Recommended Remediation Steps

Organizations that detect a compromise should restore affected appliances from clean backups or build a fresh instance and migrate data. Ivanti explicitly advises against attempting to clean an already compromised system. Systems should remain offline during recovery, and all relevant patches and mitigations should be applied before reconnecting to the network. Additionally, organizations should reset passwords for all local, LDAP, and KDC accounts, as well as revoke and replace any public certificates used by EPMM.

CISA Adds CVE-2026-1281 to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch the flaw by February 1, 2026. Although the directive legally applies only to federal civilian agencies, CISA urges all organizations to prioritize timely remediation of high-risk vulnerabilities to reduce exposure to cyberattacks.

Ivanti continues to monitor the situation and provides guidance to help customers protect their EPMM environments while full updates are deployed.
