How can organizations mitigate the risks associated with these vulnerabilities?

Organizations should apply the interim patches provided by Ivanti immediately and monitor for the release of the permanent fix in version 12.8.0.0. Additionally, reviewing logs for signs of compromise is recommended.

Why is it crucial to address these vulnerabilities promptly?

Given the active exploitation of these vulnerabilities, prompt remediation is essential to prevent unauthorized access, data breaches, and potential establishment of persistence by attackers.

This entry was generated by Aviatrix’s agentic AI workflow using verified public sources. It has not been reviewed or confirmed by human analysts. This content is provided for research and awareness only and should not be used as the sole basis for security, operational, or policy decisions. The entry may be updated as verification progresses or new information emerges. Aviatrix disclaims all liability for any and all damages resulting from decisions based on this entry.

Critical Zero-Day Vulnerabilities in Ivanti EPMM Exploited: Immediate Action Required

Ivanti's Endpoint Manager Mobile software is under active attack due to two critical zero-day vulnerabilities. Organizations must apply patches immediately to mitigate risks.

Published: February 4, 2026

Share this on:

Executive Summary

In January 2026, Ivanti disclosed two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, in its Endpoint Manager Mobile (EPMM) software. Both vulnerabilities, with a CVSS score of 9.8, allow unauthenticated remote code execution. Prior to disclosure, a limited number of customers were exploited, enabling attackers to execute arbitrary commands, access sensitive data, and potentially establish persistence through web shells. Ivanti released interim patches and plans a permanent fix in version 12.8.0.0. Organizations are urged to apply patches promptly and review logs for signs of compromise. (cyberscoop.com)

This incident underscores the persistent targeting of network edge devices by threat actors, highlighting the critical need for timely patch management and vigilant monitoring of security advisories to mitigate risks associated with zero-day vulnerabilities.

Why This Matters Now

The active exploitation of these zero-day vulnerabilities in Ivanti's EPMM software poses an immediate threat to organizations, emphasizing the urgency of applying available patches and conducting thorough security assessments to prevent unauthorized access and potential data breaches.

Attack Path Analysis

Attackers exploited unauthenticated remote code execution vulnerabilities in Ivanti EPMM to gain initial access. They then escalated privileges by deploying web shells, enabling persistent control over the compromised systems. Utilizing these elevated privileges, attackers moved laterally within the network, accessing sensitive data and systems. They established command and control channels to exfiltrate data and maintain communication. Subsequently, they exfiltrated sensitive information stored on the EPMM appliance. Finally, the attackers potentially disrupted operations by modifying configurations or deploying additional malicious payloads.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

Lowinferred

Initial Compromise

Description

Attackers exploited unauthenticated remote code execution vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti EPMM to gain initial access.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2026-1281
CVSS 9.8
A code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allows unauthenticated remote code execution.
Affected Products:
Ivanti Endpoint Manager Mobile (EPMM) – 11.10, 11.9, 11.8
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-1281 https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281
CVE-2026-1340
CVSS 9.8
A code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allows unauthenticated remote code execution.
Affected Products:
Ivanti Endpoint Manager Mobile (EPMM) – 11.10, 11.9, 11.8
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-1340 https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340

MITRE ATT&CK® Techniques

Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.

Initial Access

T1190

Exploit Public-Facing Application

Initial Access

T1133

External Remote Services

Execution

T1203

Exploitation for Client Execution

Execution

T1059.001

Command and Scripting Interpreter: PowerShell

Persistence

T1505.003

Server Software Component: Web Shell

Defense Evasion

T1078

Valid Accounts

Command and Control

T1071.001

Application Layer Protocol: Web Protocols

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.

Control ID: 6.2

The exploitation of unpatched vulnerabilities in Ivanti EPMM indicates a failure to apply critical security patches promptly, exposing systems to potential breaches.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests inadequacies in the organization's cybersecurity policy, particularly in vulnerability management and incident response planning.

DORA – ICT Risk Management Framework

Control ID: Article 5

The successful exploitation of vulnerabilities points to deficiencies in the ICT risk management framework, failing to identify and mitigate risks associated with software vulnerabilities.

CISA ZTMM 2.0 – Implement strong authentication mechanisms to verify user identities.

Control ID: Pillar 1: Identity

The authentication bypass vulnerability exploited indicates a lapse in implementing robust authentication controls, undermining the zero trust security model.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident reveals shortcomings in the implementation of appropriate technical and organizational measures to manage cybersecurity risks, as mandated by the directive.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Information Technology/IT

Critical zero-day vulnerabilities in Ivanti EPMM expose IT infrastructure to remote code execution, requiring immediate patching and incident response across multi-cloud environments.

Health Care / Life Sciences

EPMM zero-days threaten HIPAA compliance through potential data exfiltration and lateral movement, compromising patient data protection and encrypted traffic security controls.

Financial Services

Mobile device management vulnerabilities enable privilege escalation and command-and-control attacks, violating PCI compliance requirements and exposing sensitive financial transaction data.

Government Administration

State-sponsored adversaries actively exploiting Ivanti zero-days pose national security risks through network edge compromise and unauthorized access to classified systems.

Sources

Ivanti’s EPMM is under active attack, thanks to two critical zero-dayshttps://cyberscoop.com/ivanti-endpoint-manager-mobile-zero-day-vulnerabilities-exploit/
Verified

Security Advisory: Ivanti Endpoint Manager Mobile (EPMM) CVE-2026-1281 and CVE-2026-1340https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340

Verified

CISA Known Exploited Vulnerabilities Cataloghttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281

Verified

Frequently Asked Questions

The vulnerabilities are CVE-2026-1281 and CVE-2026-1340, both critical code injection flaws allowing unauthenticated remote code execution in Ivanti's Endpoint Manager Mobile software.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Implementing Aviatrix Zero Trust CNSF would likely have constrained the attacker's ability to move laterally and exfiltrate data, thereby reducing the overall impact of the incident.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's initial access may have been limited by reducing the exposure of vulnerable services through identity-aware policies.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges and establish persistence could have been constrained by limiting access to sensitive systems.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement within the network may have been limited, reducing access to sensitive data and systems.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish command and control channels could have been constrained, limiting data exfiltration and communication.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's data exfiltration efforts may have been limited, reducing the volume of sensitive information accessed.

Impact (Mitigations)

The attacker's ability to disrupt operations may have been limited, reducing the overall impact on system functionality.

Impact at a Glance

Affected Business Functions

Mobile Device Management
Application Control
Security Policy Enforcement

Operational Disruption

Estimated downtime: 7 days

Financial Impact

Estimated loss: $500,000

Data Exposure

Potential exposure of sensitive corporate data managed through mobile devices.

Recommended Actions

• Apply the latest patches provided by Ivanti to remediate CVE-2026-1281 and CVE-2026-1340 vulnerabilities.
• Implement Zero Trust Segmentation to limit lateral movement within the network.
• Enhance East-West Traffic Security to monitor and control internal traffic flows.
• Deploy Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
• Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Get a Free Workload Attack Path Assessment Under Active Attack?

Critical Zero-Day Vulnerabilities in Ivanti EPMM Exploited: Immediate Action Required

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2026-1281

Affected Products:

Exploit Status:

References:

CVE-2026-1340

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

External Remote Services

Exploitation for Client Execution

Command and Scripting Interpreter: PowerShell

Server Software Component: Web Shell

Valid Accounts

Application Layer Protocol: Web Protocols

Potential Compliance Exposure

PCI DSS 4.0 – Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Implement strong authentication mechanisms to verify user identities.

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Information Technology/IT

Health Care / Life Sciences

Financial Services

Government Administration

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads