CVE-2026-1281 is a critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager Mobile (EPMM). It stems from a code injection flaw in the productโs web services that allows an unauthenticated attacker to send crafted requests and execute arbitrary code on a vulnerable system without needing to log in.
CVE-2026-1340 is also a critical code injection/RCE vulnerability in the same Ivanti Endpoint Manager Mobile (EPMM) product. Like CVE-2026-1281, it allows a remote unauthenticated attacker to inject malicious input that leads to execution of arbitrary code on the affected system.
The versions affected were 12.7.x and earlier.
Both vulnerabilities rated CVSS 9.8 (Critical) were used in zero-day attacks.
These vulnerabilities were actively exploited in the wild and added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.
Ivanti has released RPM scripts to mitigate the vulnerabilities for affected EPMM versions:
- RPM 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x
- RPM 12.x.1.x for EPMM versions 12.5.1.0 and 12.6.1.0
The vulnerabilities will be permanently fixed in EPMM version 12.8.0.0, which will be released later in Q1 2026.
See more details on: