Concise Cyber

Urgent Security Alert: Ivanti Discloses Actively Exploited Pre-Authentication RCE Vulnerabilities in EPMM

Critical Ivanti EPMM Vulnerabilities Under Active Exploitation

Ivanti has issued an urgent security advisory, disclosing two critical pre-authentication Remote Code Execution (RCE) vulnerabilities affecting its Endpoint Manager Mobile (EPMM) platform. Identified as CVE-2026-1281 and CVE-2026-1340, these vulnerabilities pose a significant risk to organizations utilizing EPMM, as they are reportedly under active exploitation in the wild.

The disclosure highlights the severe nature of these flaws. Pre-authentication RCE vulnerabilities allow an unauthenticated attacker to execute arbitrary code on a vulnerable system without needing to log in or possess any prior credentials. This means that a malicious actor could potentially gain full control over an affected EPMM instance, leading to severe consequences for the compromised system and the broader network it manages.

Understanding the Threat: CVE-2026-1281 and CVE-2026-1340

Specifically, CVE-2026-1281 and CVE-2026-1340 impact Ivanti EPMM versions. The ability for attackers to achieve remote code execution without authentication grants them a direct pathway to compromise. Such access can lead to unauthorized data access, modification, or deletion, installation of further malware, or lateral movement within an organization’s network infrastructure. The active exploitation observed underscores the immediate need for organizations to address these vulnerabilities.

Ivanti’s EPMM platform is widely used for managing mobile devices and applications, making these vulnerabilities particularly concerning due to the potential ripple effect across an organization’s mobile endpoint ecosystem. A compromise of EPMM could expose sensitive corporate data, disrupt operations, and provide a gateway to other internal systems. This type of threat vector demands rapid response from security teams.

Immediate Action Required: Patching and Mitigation

In response to the active exploitation, Ivanti has provided patches and strongly urged all customers to apply them immediately. Organizations running vulnerable versions of Ivanti EPMM must prioritize these updates to protect their environments. Delaying the application of these security patches significantly increases the risk of a successful attack and subsequent compromise.

  • Review your Ivanti EPMM deployment to identify the installed version.
  • Apply the official security updates provided by Ivanti for CVE-2026-1281 and CVE-2026-1340 without delay.
  • Monitor EPMM instances and related network traffic for any signs of suspicious activity following the disclosure.
  • Ensure robust logging is enabled for EPMM systems to aid in detection and forensic analysis should an incident occur.

This situation serves as a critical reminder of the ongoing need for diligent patch management and continuous vigilance against emerging threats. Organizations are advised to consult Ivanti’s official security advisories for the most accurate and up-to-date information regarding these vulnerabilities and their resolution.
