Cybersecurity Blog | RedLegg

Security Bulletin: Unauthenticated Remote Code Execution in Ivanti Endpoint Manager Mobile (EPMM)

Written by RedLegg's Cyber Threat Intelligence Team | 1/30/26 7:26 PM

About:

CVE-2026-1281 and CVE-2026-1340 are critical unauthenticated remote code execution vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The flaws exist in request handling logic exposed over HTTP/HTTPS and allow remote attackers to execute arbitrary code on the EPMM appliance without valid credentials. CVE-2026-1281 is actively exploited in the wild and is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, indicating a high risk of real-world attacks against vulnerable deployments.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Unauthenticated Remote Code Execution in Ivanti Endpoint Manager Mobile (EPMM)

 

CVSS Score: 9.8 (Critical, CVSS v3.1)
Identifier: CVE-2026-1281, CVE-2026-1340
Exploit or POC: CVE-2026-1281 is confirmed to be actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Update

Ivanti has released remediation guidance for CVE-2026-1281 and CVE-2026-1340. Interim RPM-based fixes are available for affected 12.5.x, 12.6.x, and 12.7.x release trains. Ivanti has stated that a permanent fix is included in version 12.8.0.0.
 
Official Ivanti security advisory and patch guidance:
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340
 
Important operational notes from Ivanti and national advisories:
 
The interim RPM mitigation does not persist across version upgrades and must be reinstalled if the system is upgraded prior to 12.8.0.0.



Description:

CVE-2026-1281 and CVE-2026-1340 is a code injection vulnerability in Ivanti Endpoint Manager Mobile that allows an unauthenticated remote attacker to execute arbitrary code on the EPMM appliance. The flaw exists in request handling logic exposed over HTTP/HTTPS and can be triggered without valid credentials.

 

Mitigation Recommendation

Immediately apply Ivanti's interim RPM fix appropriate for your installed EPMM version, or upgrade directly to version 12.8.0.0 where available.
Treat remediation as urgent due to confirmed in-the-wild exploitation and KEV listing.
Restrict network access to EPMM management and service interfaces to trusted administrative IP ranges only and remove unnecessary internet exposure.

 


Note: Given the critical severity and confirmed exploitation of this vulnerability, prompt action is essential to secure affected systems. Regularly reviewing and applying security updates is vital to maintaining the integrity and security of your infrastructure.

 
View full post