Two critical code-injection vulnerabilities have been disclosed in the Endpoint Manager Mobile (EPMM) platform, which are currently being actively exploited in real-world attacks.
The security flaws, tracked as CVE-2026-1281 and CVE-2026-1340, allow unauthenticated attackers to execute arbitrary code remotely on vulnerable systems.
The vulnerabilities carry a maximum CVSS severity score of 9.8 and affect multiple versions of EPMM, including 12.5.0.0, 12.6.0.0, and 12.7.0.0.
According to Ivanti’s security advisory published on January 29, 2026, the company is aware of a limited number of customer environments that have already been compromised at the time of disclosure.
Active Exploitation Confirmed
Both vulnerabilities stem from code-injection weaknesses (CWE-94) that can be exploited without authentication or user interaction.
The attack vector is network-based and low-complexity, enabling threat actors to compromise vulnerable EPMM instances remotely with minimal effort.
Successful exploitation grants attackers complete control over the confidentiality, integrity, and availability of affected systems.
CVE NumberDescriptionCVSS ScoreCVSS VectorCWECVE-2026-1281Code injection enabling unauthenticated RCE9.8 (Critical)AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCWE-94CVE-2026-1340Code injection enabling unauthenticated RCE9.8 (Critical)AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCWE-94
Ivanti has released version-specific RPM patches to address the security flaws. At the same time, customers await the permanent fix scheduled for version 12.8.0.0 in Q1 2026.
The temporary patches require no system downtime and do not impact feature functionality. However, administrators must reapply the RPM script after version upgrades.
Organizations running EPMM should immediately apply the version-specific RPM patches available through Ivanti’s support portal.
Customers using versions 12.5.0.x through 12.7.0.x require RPM 12.x.0.x, while those on 12.5.1.0 or 12.6.1.0 should deploy RPM 12.x.1.x.
The company emphasizes that only one patch is needed based on the deployed version.
Ivanti recommends security-conscious organizations consider rebuilding EPMM environments and migrating data to replacement systems as the most conservative remediation approach.
The company has provided technical analysis documentation with forensic guidance, though reliable indicators of compromise remain unavailable as investigations continue.
Notably, other Ivanti products including Endpoint Manager (EPM), Neurons for MDM, and Sentry appliances are not affected by these vulnerabilities.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Critical Ivanti Endpoint Manager 0-day RCE Vulnerabilities Actively Exploited in Attacks appeared first on Cyber Security News.
