CRITICAL: Ivanti Patches Two Actively Exploited RCE Zero-Days in EPMM

Ivanti Issues Emergency Patches for Two Critical, Actively Exploited RCE Vulnerabilities in Endpoint Manager Mobile (EPMM)

CRITICAL
January 30, 2026
Vulnerability, Patch Management, Cyberattack

Related Entities

Products & Tech

Ivanti Endpoint Manager Mobile (EPMM), MobileIron Core

CVE Identifiers

CVE-2026-1281 (CRITICAL, CVSS 9.8)
CVE-2026-1340 (CRITICAL, CVSS 9.8)

Full Report

Executive Summary

Ivanti has disclosed two critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340, in its Endpoint Manager Mobile (EPMM) product, formerly known as MobileIron Core. Both vulnerabilities have a CVSS score of 9.8, reflecting their extreme severity. Crucially, Ivanti and Singapore's Cyber Security Agency (CSA) have confirmed that these flaws are being actively exploited in the wild as zero-day attacks. Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code on the EPMM appliance. This provides a direct pathway to compromise the central management point for an organization's mobile devices, potentially exposing vast amounts of sensitive corporate and personal data. Organizations using affected versions of EPMM are strongly advised to apply the provided patches immediately.


Vulnerability Details

  • CVE-2026-1281: A critical vulnerability that allows an unauthenticated remote attacker to execute arbitrary code. (CVSS 9.8)
  • CVE-2026-1340: A second critical vulnerability, also enabling unauthenticated remote code execution. (CVSS 9.8)

The technical specifics of the vulnerabilities have not been fully disclosed by Ivanti to prevent wider exploitation. However, their nature as unauthenticated RCE flaws means an attacker does not need any credentials or prior access to the target system. They can be exploited over the network, likely by sending a specially crafted request to an exposed API endpoint on the EPMM server. This type of vulnerability is highly sought after by threat actors as it provides a direct and often easy path to initial access.


Affected Systems

The vulnerabilities impact the following versions of Ivanti Endpoint Manager Mobile (EPMM):

  • 12.5.0.x
  • 12.6.0.x
  • 12.7.0.x
  • 12.5.1.0 (Specific build)
  • 12.6.1.0 (Specific build)

Organizations running any of these versions on their appliances are considered vulnerable and should take immediate action.


Exploitation Status

Both vulnerabilities are confirmed to be under active exploitation in the wild. This has been corroborated by both Ivanti and the Cyber Security Agency of Singapore. The designation of these flaws as zero-days indicates that attackers were exploiting them before patches were available. This elevates the urgency for patching to the highest level, as active, weaponized exploits are already in circulation. The exploitation likely falls under T1190 - Exploit Public-Facing Application.


Impact Assessment

The impact of exploiting these vulnerabilities is severe. An EPMM server is a highly privileged asset within an organization's infrastructure, as it manages, secures, and inventories the entire fleet of mobile devices (smartphones and tablets).

  • Complete System Compromise: An attacker can gain full control over the EPMM appliance, allowing them to execute code as the root or SYSTEM user.
  • Sensitive Data Exposure: EPMM servers store a wealth of sensitive information, including user credentials, device details, PII, corporate Wi-Fi configurations, and certificates. Attackers can exfiltrate this data for extortion or to facilitate further attacks.
  • Mobile Device Takeover: From the compromised EPMM server, an attacker could potentially push malicious applications, change security policies, or wipe corporate data from all enrolled mobile devices, causing massive disruption.
  • Lateral Movement: The EPMM appliance can serve as a powerful pivot point into the broader corporate network. Attackers can use the compromised server to scan for other vulnerable systems and expand their foothold.

Cyber Observables for Detection

While specific IOCs are not public, defenders should hunt for signs of exploitation on their EPMM appliances:

  • log_source: EPMM / MobileIron Core web server logs. Monitor for unusual or malformed requests to web application endpoints, especially from unknown IP addresses.
  • process_name: anomalous processes. Look for unexpected processes spawning from the main EPMM web service process (e.g., bash, sh, powershell.exe, cmd.exe).
  • network_traffic_pattern: outbound connections from EPMM. EPMM appliances should generally not initiate outbound connections to arbitrary internet hosts. Monitor for any such connections, especially over common C2 channels (e.g., ports 443, 80, 53 to non-standard servers).
  • file_path: /tmp/, /var/tmp/. Monitor for newly created executable files or web shells in temporary directories on the appliance.

Detection & Response

Given the active exploitation, rapid detection is critical.

  1. Log Analysis: Immediately review web server access logs on all EPMM appliances for any suspicious requests, particularly those resulting in 4xx or 5xx error codes that could indicate failed exploit attempts, or 200 OK responses for unexpected endpoints. Look for requests from untrusted IP addresses.
  2. Endpoint Detection and Response (EDR): If an EDR agent is deployed on the appliance, query for anomalous process execution chains. The core Java process for EPMM should not be spawning shells or network reconnaissance tools.
  3. Network Monitoring: Use network traffic analysis to identify any unusual outbound connections from the EPMM server. A compromised server will often 'call home' to an attacker-controlled C2 server.
  4. D3FEND Techniques: Employ Network Traffic Analysis (D3-NTA) to baseline normal traffic patterns from the EPMM appliance and alert on deviations. Use Process Analysis (D3-PA) to monitor for suspicious child processes spawned by the EPMM application services.

If a compromise is suspected, isolate the appliance from the network immediately and initiate incident response procedures.
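A hunting script for the log-analysis step above, added here as an example and not part of the advisory or of any Ivanti tooling. It applies the three rules the section describes (requests from sources outside the administrative allowlist, 200 responses for endpoints outside the expected baseline, and repeated 4xx/5xx responses from one source) to access-log lines; the log lines, the 10.20.0.0/16 allowlist, the baseline paths and the error threshold are all constructed placeholders to adapt to a real deployment.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample access-log lines (common log format). Hosts, paths and
# timestamps are invented for this example and are not from a real appliance.
SAMPLE_LOG = """\
10.20.0.15 - - [30/Jan/2026:08:01:02 +0000] "GET /portal/login HTTP/1.1" 200 5120
203.0.113.77 - - [30/Jan/2026:08:02:11 +0000] "GET /api/admin/devices HTTP/1.1" 401 0
203.0.113.77 - - [30/Jan/2026:08:02:12 +0000] "POST /api/internal/ping HTTP/1.1" 500 0
203.0.113.77 - - [30/Jan/2026:08:02:14 +0000] "POST /api/internal/ping?x=1 HTTP/1.1" 200 88
10.20.0.42 - - [30/Jan/2026:08:05:00 +0000] "GET /api/internal/ping HTTP/1.1" 200 88
"""
# Assumed administrative allowlist and baseline of endpoints expected to return 200 (placeholders).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
EXPECTED_PATHS = {"/portal/login", "/portal/auth"}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a recognisable access-log line
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without the query string
    rec["status"] = int(rec["status"])
    return rec

def is_trusted(ip_text, nets):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable source field is treated as untrusted
    return any(ip in net for net in nets)

def analyze(log_text, nets=TRUSTED_NETS, expected=EXPECTED_PATHS, error_threshold=2):
    findings, errors_by_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not is_trusted(rec["ip"], nets):
            findings.append({"ip": rec["ip"], "rule": "untrusted_source", "detail": rec["path"]})
        if rec["status"] == 200 and rec["path"] not in expected:
            findings.append({"ip": rec["ip"], "rule": "unexpected_endpoint_200", "detail": rec["path"]})
        if 400 <= rec["status"] < 600:
            errors_by_ip[rec["ip"]] += 1
    for ip, n in errors_by_ip.items():  # repeated errors from one source: possible failed attempts
        if n >= error_threshold:
            findings.append({"ip": ip, "rule": "error_burst", "detail": f"{n} 4xx/5xx responses"})
    return findings
```

Run against the constructed sample, the script reports three untrusted-source hits and one error burst for 203.0.113.77, plus two unexpected-endpoint hits, one of them from inside the administrative range.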


Remediation Steps

Immediate patching is the only effective remediation.

  1. Apply Patches: Download and apply the appropriate RPM script patches provided by Ivanti for your specific version branch. This is the highest priority action.

    Important: Ivanti has noted that these are temporary hotfixes. They must be reapplied if the appliance is upgraded to a new minor version before the permanent fix is released.

  2. Restrict Access: As a compensating control, ensure the EPMM management interface is not exposed to the public internet. Access should be restricted to a limited set of trusted IP addresses, such as internal administrative networks or a secure VPN.
  3. Future Updates: Plan to upgrade to EPMM version 12.8.0.0 as soon as it is released, as this will contain the permanent fix for these vulnerabilities.
  4. Verification: After applying the patch, monitor logs to ensure the appliance is stable and that signs of attempted exploitation cease.
  5. D3FEND Countermeasures: This event underscores the importance of Software Update (D3-SU) as a fundamental defensive measure.

Timeline of Events

  1. January 30, 2026: Ivanti and the CSA of Singapore release advisories about two critical, actively exploited vulnerabilities in EPMM.
  2. January 30, 2026: This article was published.

MITRE ATT&CK Mitigations

The primary mitigation is to apply the security patches provided by Ivanti immediately to prevent exploitation.

Restrict network access to the EPMM management interface to only trusted internal IP ranges, reducing the attack surface available to external threats.

Implement strict egress filtering to block unexpected outbound connections from the EPMM appliance, which can prevent C2 communication after a successful compromise.

Audit (M1047, enterprise)

Continuously monitor web and system logs on the appliance for signs of compromise, such as anomalous process execution or suspicious network connections.

D3FEND Defensive Countermeasures

The immediate and most critical action is to apply the RPM script patches provided by Ivanti. Given that these are actively exploited zero-day vulnerabilities, the patching process should be treated as an emergency change. Organizations must bypass standard, lengthy testing cycles and deploy the fix to all internet-facing EPMM appliances immediately, followed by internal ones. It is crucial to identify all affected instances of EPMM, including those in development or staging environments, as they can also serve as entry points. A robust asset inventory is a prerequisite for this. After patching, teams must verify successful application by checking the installed RPM versions. Furthermore, a plan must be established to deploy the permanent fix in EPMM version 12.8.0.0 as soon as it becomes available, as the current patches are temporary hotfixes.

As a critical compensating control, organizations must implement strict inbound traffic filtering for their EPMM appliances. The management interfaces for these systems should never be exposed directly to the public internet. Access should be restricted at the network edge (perimeter firewall or cloud security group) to a tightly controlled allowlist of IP addresses. This list should only include corporate VPN gateways and trusted internal administrative subnets. This action dramatically reduces the attack surface, making it impossible for a remote, unauthenticated attacker to reach the vulnerable endpoints. If business requirements necessitate broader access, consider placing the service behind a Web Application Firewall (WAF) with a specific ruleset designed to inspect and block malicious requests targeting Ivanti products, although this is a secondary defense compared to network-level access restriction.

Sources & References

  • Critical Vulnerabilities in Ivanti Endpoint Manager Mobile | Cyber Security Agency of Singapore (csa.gov.sg), January 30, 2026
  • Ivanti warns of two EPMM flaws exploited in zero-day attacks | BleepingComputer (bleepingcomputer.com), January 30, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Zero-Day, RCE, Remote Code Execution, MobileIron, MDM, Active Exploit, KEV
