Ivanti warns of two EPMM flaws exploited in zero-day attacks

Ivanti disclosed two critical code-injection zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, both rated CVSS 9.8 and observed in limited active exploitation. Ivanti released RPM hotfixes that require no downtime but must be reapplied after upgrades, and it provided detection and remediation guidance. A permanent fix will arrive in EPMM 12.8.0.0.

Key points

  • Two unauthenticated code-injection flaws in EPMM (CVE-2026-1281, CVE-2026-1340) allow remote arbitrary code execution and are rated CVSS 9.8.
  • Ivanti reports limited zero-day exploitation, and CISA added CVE-2026-1281 to its KEV catalog with a February 1, 2026 mitigation deadline for federal agencies.
  • RPM hotfixes are available for affected versions and require no downtime, but they do not survive appliance upgrades and must be reapplied until EPMM 12.8.0.0 is released.
  • Successful exploitation can expose administrator and user credentials, device identifiers (IMEI, MAC), and contact and location data, and can permit configuration changes via the API or web console.
  • Ivanti provided a regex to detect exploitation in Apache access logs. If compromise is suspected, it advises restoring from known-good backups or rebuilding appliances, then rotating passwords and certificates.

Read More: https://www.bleepingcomputer.com/news/security/ivanti-warns-of-two-epmm-flaws-exploited-in-zero-day-attacks/