In a security advisory, Ivanti said it released updates in January 2026 to address two critical code injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in limited zero-day attacks. One of the flaws was added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
KEY FACTS
- Incident: Two critical code injection vulnerabilities, CVE-2026-1281 and CVE-2026-1340
- Severity: Both scored 9.8 on the CVSS scale
- Affected software: EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior; EPMM 12.5.1.0 and 12.6.1.0 and prior are also affected
- Fixes: RPM patch available; permanent remediation planned in EPMM 12.8.0.0, due in Q1 2026
- Regulatory action: One vulnerability was added to the KEV catalog with a federal deadline of February 1, 2026
CVE-2026-1281 and CVE-2026-1340 are code injection flaws that allow unauthenticated remote code execution. The vulnerabilities affect the In-House Application Distribution and Android File Transfer Configuration features of the appliance.
Prior attacks against EPMM used web shells and reverse shells to establish persistence on compromised appliances. Successful exploitation can enable arbitrary code execution on the device and expose sensitive information about managed endpoints.
Administrators are advised to check the Apache access log at “/var/log/httpd/https-access_log” for requests to the /mifs/c/(aft|app)store/fob/ path that return 404 responses. Legitimate use of the affected capabilities returns 200 responses while attempted or successful exploitation is associated with 404 responses.
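The log check described above can be scripted. The following is an added example, not code from Ivanti or the advisory; it assumes the access log uses the standard Apache common/combined layout, and its sample lines are constructed. It lists 404 responses on the affected path and counts, per client, how many requests to that path returned 404 versus anything else.

```python
import re
import sys
from collections import defaultdict

# Assumption: Apache common/combined layout:
# client ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Path pattern quoted in the advisory text above.
FOB_RE = re.compile(r'^/mifs/c/(aft|app)store/fob/')

# Constructed sample lines (documentation IPs, placeholder path suffix).
SAMPLE = [
    '198.51.100.7 - - [29/Jan/2026:10:02:11 +0000] "GET /mifs/c/appstore/fob/PLACEHOLDER HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.10 - - [29/Jan/2026:10:03:40 +0000] "GET /mifs/c/appstore/fob/PLACEHOLDER HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [29/Jan/2026:10:04:02 +0000] "GET /mifs/c/aftstore/fob/PLACEHOLDER HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.10 - - [29/Jan/2026:10:05:00 +0000] "GET /some/other/path HTTP/1.1" 404 196 "-" "-"',
]


def scan(lines):
    """Return (hits, summary) for requests to the fob path.

    hits: (time, client, method, target) for each 404 response.
    summary: client -> {"404": n, "other": n}, so a client that only ever
    receives 404s stands out from one with normal 200 traffic.
    """
    hits = []
    summary = defaultdict(lambda: {"404": 0, "other": 0})
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m or not FOB_RE.match(m["target"]):
            continue  # unparseable line or unrelated path
        bucket = "404" if m["status"] == "404" else "other"
        summary[m["client"]][bucket] += 1
        if bucket == "404":
            hits.append((m["time"], m["client"], m["method"], m["target"]))
    return hits, dict(summary)


if __name__ == "__main__":
    # Pass the log path as the first argument; with none, the sample is used.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    hits, summary = scan(lines)
    for when, client, method, target in hits:
        print(f"404  {when}  {client}  {method} {target}")
    for client, counts in summary.items():
        print(f"{client}: {counts['404']} x 404, {counts['other']} x other")
```

Each 404 hit is a lead for review rather than proof of compromise, since the advisory associates 404 responses with attempted as well as successful exploitation.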
The RPM patch does not survive an appliance version upgrade and must be reapplied after upgrades. If compromise is detected, restore the EPMM from a known good backup or build a new appliance and migrate data. After recovery, reset local EPMM account passwords, reset LDAP and KDC service account credentials, revoke and replace the appliance public certificate, and reset any other service account passwords used by the appliance.
WHY IT MATTERS
Critical unauthenticated remote code execution on a device management appliance can allow attackers to control the appliance, access managed device data and move laterally into connected networks. The KEV listing creates a federal remediation deadline that increases urgency for affected users.

