Executive Summary
In January 2026, Ivanti disclosed two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in its Endpoint Manager Mobile (EPMM) platform, both with a CVSS score of 9.8. These code injection flaws allow unauthenticated remote code execution, enabling attackers to gain full control over affected systems. Exploitation in the wild has been confirmed, with a limited number of customers compromised prior to disclosure. The vulnerabilities affect EPMM versions up to 12.7.0.0, and Ivanti has released RPM patches to address them. Organizations are urged to apply these patches immediately and monitor for signs of compromise. (ivanti.com)
The inclusion of CVE-2026-1281 in CISA's Known Exploited Vulnerabilities catalog underscores the severity and active exploitation of these flaws. This incident highlights the ongoing threat posed by zero-day vulnerabilities in widely used enterprise solutions, emphasizing the need for proactive vulnerability management and rapid response strategies.
Why This Matters Now
The active exploitation of these critical vulnerabilities in Ivanti's EPMM platform poses an immediate risk to organizations, potentially leading to unauthorized access and control over sensitive systems. Prompt patching and vigilant monitoring are essential to mitigate this threat.
Attack Path Analysis
Attackers exploited the unauthenticated code injection vulnerabilities in Ivanti EPMM to gain initial access and execute arbitrary code on the appliance. They then established persistence through web shells or reverse shells. With control over the EPMM appliance, which holds enrolled-device inventory, configurations and management credentials, attackers could access that data and potentially move laterally into the network it manages. Command and control were maintained through the compromised appliance, and data exfiltration was possible through unauthorized access to device information and configurations. The impact includes potential data breaches, system compromise, and operational disruption of mobile device management.
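The page names web shells as the persistence mechanism but gives no way to look for them. The following hunting script is an added example, not code from the original page or from Ivanti. It assumes the EPMM web tier is a Java servlet container (so a dropped shell would be a `.jsp`/`.jspx` file) and uses a placeholder webroot path and a placeholder lookback window; both are assumptions to replace with the appliance's actual deployment directory and the date of the earliest suspected compromise.

```shell
#!/bin/sh
# Hunt for JSP web shells dropped after exploitation of an unauthenticated RCE.
# ASSUMPTIONS (not from the Ivanti advisory): the web tier is a Java servlet
# container, so a dropped shell is a .jsp/.jspx file; WEBROOT below is a
# placeholder, not the real EPMM path; SINCE_DAYS is a placeholder window.
WEBROOT="${WEBROOT:-/var/lib/tomcat/webapps}"   # hypothetical default path
SINCE_DAYS="${SINCE_DAYS:-30}"                   # hypothetical lookback window

# find_suspicious_jsp DIR DAYS
# Prints one path per line for JSP files that are either (a) modified within
# the last DAYS days, which catches freshly dropped shells, or (b) contain
# command-execution primitives regardless of mtime, which catches shells whose
# timestamps were tampered with to look old. Output may contain duplicates.
find_suspicious_jsp() {
    dir="$1"; days="$2"
    # (a) recently modified JSP files
    find "$dir" -type f \( -name '*.jsp' -o -name '*.jspx' \) -mtime "-$days" -print
    # (b) JSP files containing typical web shell exec primitives; -exec ... {} +
    # is POSIX and runs nothing when no files match, unlike a bare xargs.
    find "$dir" -type f \( -name '*.jsp' -o -name '*.jspx' \) \
        -exec grep -l -E \
        'Runtime\.getRuntime\(\)\.exec|ProcessBuilder|request\.getParameter\("cmd"\)' \
        {} + 2>/dev/null
}

# hunt DIR DAYS
# Same as find_suspicious_jsp, with duplicates removed so a file that matches
# both conditions is reported once.
hunt() {
    find_suspicious_jsp "$1" "$2" | sort -u
}

# Stand-alone usage: ./hunt_jsp.sh --run  (scans $WEBROOT for the last $SINCE_DAYS days)
if [ "${1:-}" = "--run" ]; then
    hunt "$WEBROOT" "$SINCE_DAYS"
fi
```

Treat a hit as a lead, not a verdict: legitimate JSP pages can reference `ProcessBuilder`, and a patched appliance can still carry a shell planted before the patch, so every reported file should be compared against a known-good image of the same EPMM release. Combine this with the two checks the page itself calls for: confirm the Ivanti RPM patch is installed, and review outbound connections from the appliance for reverse shell or C2 traffic.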
Kill Chain Progression
Initial Compromise
Description
Attackers exploited unauthenticated code injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti EPMM to execute arbitrary code remotely.
Related CVEs
CVE-2026-1281 (CVSS 9.8)
A code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allows unauthenticated remote attackers to execute arbitrary code.
Affected Products:
Ivanti Endpoint Manager Mobile (EPMM) – 12.5.0.0 and prior, 12.6.0.0 and prior, 12.7.0.0 and prior
Exploit Status:
exploited in the wild
CVE-2026-1340 (CVSS 9.8)
A code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allows unauthenticated remote attackers to execute arbitrary code.
Affected Products:
Ivanti Endpoint Manager Mobile (EPMM) – 12.5.0.0 and prior, 12.6.0.0 and prior, 12.7.0.0 and prior
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Server Software Component: Web Shell
Valid Accounts
Lateral Tool Transfer
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – All system components are protected from known vulnerabilities by installing applicable security patches/updates
Control ID: 6.3.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong authentication mechanisms
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical zero-day RCE vulnerabilities in Ivanti EPMM mobile device management create severe risks for government endpoints and classified data protection systems.
Health Care / Life Sciences
Zero-day exploits targeting mobile endpoint management threaten HIPAA compliance and patient data security across healthcare organizations using Ivanti EPMM solutions.
Financial Services
Banking and financial institutions face critical mobile device security risks from actively exploited Ivanti EPMM vulnerabilities enabling remote code execution attacks.
Higher Education/Academia
Educational institutions managing student and faculty mobile devices through Ivanti EPMM face immediate security threats from these actively exploited zero-day vulnerabilities.
Sources
- Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released: https://thehackernews.com/2026/01/two-ivanti-epmm-zero-day-rce-flaws.html
- EPMM Security Update: https://www.ivanti.com/blog/epmm-security-update
- Ivanti warns of two EPMM flaws exploited in zero-day attacks: https://www.bleepingcomputer.com/news/security/ivanti-warns-of-two-epmm-flaws-exploited-in-zero-day-attacks/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies within the cloud environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial exploitation may still occur, Aviatrix CNSF would likely limit the attacker's ability to escalate privileges or access other resources within the cloud environment.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely limit the attacker's ability to access sensitive resources, even with elevated privileges, by enforcing strict access controls.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely constrain lateral movement by monitoring and controlling internal traffic flows, reducing the attacker's ability to propagate.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely detect and alert on anomalous command and control activities, potentially disrupting the attacker's persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely restrict unauthorized data exfiltration by controlling outbound traffic and enforcing egress policies.
While some impact may still occur, Aviatrix Zero Trust CNSF would likely reduce the overall blast radius by limiting the attacker's reach and ability to cause widespread damage.
Impact at a Glance
Affected Business Functions
- Mobile Device Management
- Enterprise Configuration Management
- Security Policy Enforcement
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive enterprise configuration data and managed device information.
Recommended Actions
Key Takeaways & Next Steps
- Apply the latest security patches provided by Ivanti to address CVE-2026-1281 and CVE-2026-1340.
- Implement Zero Trust Segmentation to limit lateral movement within the network.
- Enhance East-West Traffic Security to monitor and control internal communications.
- Deploy Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Establish Multicloud Visibility & Control to detect and respond to anomalous activities across environments.