Triskele Labs Blog

Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340

Written by Brandon Sawyer | Feb 4, 2026 12:02:01 AM

Published: Wed 04 February 2026 | Prepared by: Brandon Sawyer, Vulnerability Analyst

Purpose

Ivanti has disclosed two new critical-severity vulnerabilities in Endpoint Manager Mobile (EPMM): CVE-2026-1281 (CVSSv3 9.8) and CVE-2026-1340 (CVSSv3 9.8). If successfully exploited, these vulnerabilities can allow threat actors to perform unauthenticated remote code execution (RCE). Ivanti advises that these vulnerabilities affect only EPMM products and recommends immediate patching to updated versions, as they are known to be actively exploited in the wild. This guidance is reinforced by CISA adding CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog shortly after disclosure.

Vulnerability details

The vendor describes CVE-2026-1281 and CVE-2026-1340 as similar. Both are code injection vulnerabilities that allow a remote unauthenticated attacker to execute arbitrary code on an affected device. Ivanti's guidance states that an attacker can provide bash commands as part of malicious HTTP GET requests to endpoints that service either the "In-House Application Distribution" or the "Android File Transfer Configuration" feature, resulting in full operating system (OS) command access to the device. From the exposed EPMM device, the threat actor can also move laterally in the network to other devices. Neither CVE-2026-1281 nor CVE-2026-1340 impacts Ivanti Sentry. However, the EPMM must have access to Sentry, including the execution of commands, for Sentry to function and the configuration to be maintained. Ivanti Endpoint Manager (EPM) and Ivanti Neurons for MDM are also not impacted by these CVEs.

CVE-2026-1281 and CVE-2026-1340 affect EPMM versions:

  • 12.5.0.0 and prior
  • 12.6.0.0 and prior 
  • 12.7.0.0 and prior
  • 12.5.1.0 and prior 
  • 12.6.1.0 and prior   

Ivanti has observed threat actors actively attempting to exploit this vulnerability in the wild, so patching to the resolved RPM versions, where necessary, is highly recommended as a matter of urgency.

Impact

Successful exploitation can give a threat actor the ability to execute arbitrary code, leading to:

  • Full compromise of the affected endpoint, including potential exposure of personally identifiable information (PII) associated with the device and/or user.
  • Potential lateral movement within your environment and business disruption.
  • Use of the API to make changes to the EPMM configuration.

Because this is unauthenticated and remote, internet-facing services using affected EPMM versions are at very high risk. 

Mitigation actions

Apply patches immediately (recommended)

| Vulnerable Version | Patched Hotfix | Patch Availability |
|---|---|---|
| 12.5.0.0 and prior, 12.6.0.0 and prior, 12.7.0.0 and prior | RPM 12.x.0.x | https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0S-5.noarch.rpm |
| 12.5.1.0 and prior, 12.6.1.0 and prior | RPM 12.x.1.x | https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0L-5.noarch.rpm |


Customers should apply either RPM 12.x.0.x or RPM 12.x.1.x, depending on their version. Customers do not need to apply both RPMs as they are version specific, not vulnerability specific. At the time of writing, no downtime is required to apply this patch and Ivanti are not aware of any feature functionality impact with this patch.

Ivanti has noted an important caveat regarding patching: the RPM script does not survive a version upgrade. If you upgrade to a new version after applying the RPM script to your appliance, you will need to reinstall the RPM. The permanent fix for this vulnerability will be included in the next product release, 12.8.0.0. Ivanti strongly encourages all EPMM customers to adopt version 12.8.0.0 once it has been released later in Q1 2026. Once you have upgraded to 12.8.0.0, you will not need to reapply the RPM script.

Customers need to prefix the download URL with their support.mobileiron.com credentials when using the install rpm command. The following syntax can be used at the CLI:

  • install rpm url https://username:password@support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0S-5.noarch.rpm 

  • install rpm url https://username:password@support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0L-5.noarch.rpm

Detection capabilities

Log Analysis - CVE-2026-1281 and CVE-2026-1340 affect the In-House Application Distribution and the Android File Transfer Configuration features. The Apache Access Log (/var/log/httpd/https-access_log) will record attempted and successful exploitation of both vulnerabilities. If you use these features, you may see legitimate traffic to these endpoints. Legitimate use of these capabilities will result in 200 HTTP response codes in the Apache Access Log, whereas successful or attempted exploitation will cause 404 HTTP response codes. It is recommended to review these and any other GET requests with parameters that contain bash commands.

Reviewing for post-exploit persistence - The most common persistence method is the introduction or modification of malicious files to add web shell capabilities. These changes target HTTP error pages, such as 401.jsp. Any requests to these pages with POST methods or with parameters should be considered highly suspicious. Analysts who are performing forensic inspection of the disk should also review for unexpected WAR or JAR files being introduced to the system. Another method is the deployment of reverse shells. The Ivanti EPMM appliance does not commonly make outbound network connections; therefore, it is recommended to review firewall logs for long-running connections initiated by the appliance.
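The two access-log checks described above (404 responses and shell syntax on the feature endpoints, and POST or parameterised requests to error pages), as an added example that is not code from Ivanti or Triskele Labs. The endpoint prefixes are placeholders to be replaced with the paths from Ivanti's analysis guidance; the Combined Log Format layout, the shell-syntax heuristic and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Placeholders (assumption): substitute the feature endpoint paths from Ivanti's analysis guidance.
FEATURE_PREFIXES = ("/PLACEHOLDER/in-house-app-distribution/", "/PLACEHOLDER/android-file-transfer/")
# Heuristic (assumption): shell metacharacters and command substitution in a decoded URL.
SHELL_HINT = re.compile(r"[;|`]|\$[({]|&&|/bin/")
ERROR_PAGE = re.compile(r"/\d{3}\.jsp$")  # HTTP error pages such as 401.jsp
# Combined Log Format; the exact layout on a given appliance is an assumption.
LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def triage(line, prefixes=FEATURE_PREFIXES):
    """Return the reasons (possibly none) that one access-log line needs review."""
    m = LINE.match(line)
    if not m:
        return []
    raw_path, _, query = m["target"].partition("?")
    path = unquote(raw_path)
    decoded = unquote(unquote(m["target"]))  # decode twice to catch double encoding
    reasons = []
    if m["method"] == "GET" and m["status"] == "404" and path.startswith(prefixes):
        reasons.append("404 on feature endpoint")
    if m["method"] == "GET" and SHELL_HINT.search(decoded):
        reasons.append("shell syntax in GET request")
    if ERROR_PAGE.search(path) and (m["method"] == "POST" or query):
        reasons.append("POST or parameters on error page")
    return reasons

def review(lines):
    """Return (source address, request target, reasons) for every flagged line."""
    hits = []
    for line in lines:
        reasons = triage(line)
        if reasons:
            m = LINE.match(line)
            hits.append((m["src"], m["target"], reasons))
    return hits

SAMPLE = [  # constructed lines, not real traffic
    '203.0.113.7 - - [04/Feb/2026:01:02:03 +0000] "GET /PLACEHOLDER/in-house-app-distribution/app.ipa HTTP/1.1" 200 5120',
    '198.51.100.9 - - [04/Feb/2026:01:05:10 +0000] "GET /PLACEHOLDER/android-file-transfer/x?p=a%3Bid HTTP/1.1" 404 196',
    '198.51.100.9 - - [04/Feb/2026:01:06:44 +0000] "POST /PLACEHOLDER/401.jsp HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for src, target, reasons in review(SAMPLE):
        print(src, target, "; ".join(reasons))
```

Flagged source addresses should be compared against the approved scanner IPs before a hit is treated as an exploitation attempt.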

Scanning activity - It is recommended to begin scanning internet-exposed appliances as soon as patches have been implemented. However, vulnerability scanning may generate log activity that can make it more difficult to distinguish legitimate scans from potential exploitation attempts. Organisations should therefore review and validate the source IP addresses associated with scanning activity. Triskele Labs customers with the Vulnerability Scanning Service can contact the Vulnerability Management Team at any time to obtain a current list of approved scanning IPs.   

More information regarding analysis guidance can be found at https://forums.ivanti.com/s/article/Analysis-Guidance-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US 

Triskele Labs support

MDR customers: Triskele Labs is actively monitoring for behaviours consistent with exploitation of CVE-2026-1281 and CVE-2026-1340 across supported log sources and IoCs.
Vulnerability Customers: Environments are being assessed for vulnerable EPMM versions; any exposure will be communicated through priority channels. 
