Full Report
Two critical vulnerabilities in Ivanti’s popular mobile device management solution have been exploited in the wild in limited attacks.

## Background

On January 29, Ivanti released a security advisory to address two critical severity remote code execution (RCE) vulnerabilities in its Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, a mobile management software used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM).

| CVE | Description | CVSSv3 |
| :--- | :--- | :--- |
| CVE-2026-1281 | Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability | 9.8 |
| CVE-2026-1340 | Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability | 9.8 |

## Analysis

CVE-2026-1281 and CVE-2026-1340 are both code injection vulnerabilities in Ivanti’s EPMM. An unauthenticated attacker could exploit these vulnerabilities to gain remote code execution.

### Limited exploitation observed

According to Ivanti, both CVE-2026-1281 and CVE-2026-1340 were exploited as zero-days affecting “a very limited number of customers.” Because its investigation is ongoing, Ivanti has not yet provided any indicators of compromise in relation to these attacks.

### Historical exploitation of Ivanti Endpoint Manager Mobile

Ivanti products in general are a popular target for a variety of attackers. EPMM in particular has been targeted in the past, and the Tenable Research Special Operations (RSO) team has authored several blogs about these vulnerabilities. The following table outlines some of the notable EPMM vulnerabilities over the last six years:

| CVE | Description | Published | Tenable Blogs |
| :--- | :--- | :--- | :--- |
| CVE-2025-4428 | Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability | May 2025 | CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution |
| CVE-2025-4427 | Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability | May 2025 | CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution |
| CVE-2023-35082 | Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability | August 2025 | N/A |
| CVE-2023-35081 | Ivanti Endpoint Manager Mobile Remote Arbitrary File Write Vulnerability | July 2025 | CVE-2023-35078: Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access Vulnerability |
| CVE-2023-35078 | Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability | July 2025 | CVE-2023-35078: Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access Vulnerability |
| CVE-2020-15505 | MobileIron Core & Connector Remote Code Execution Vulnerability | October 2020 | CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities |

## Proof of concept

At the time this blog was published on January 30, a proof-of-concept (PoC) exploit was publicly available. We expect attackers will begin to leverage this PoC to conduct mass scanning and exploitation attempts against vulnerable devices.

## Solution

Ivanti has released temporary updates that can be applied to address these vulnerabilities. According to the advisory, the RPMs supplied should be applied based on the installed version of EPMM. The RPMs will not survive a version upgrade, so if the version is updated, the RPM would need to be applied once again. However, the advisory further notes that an upcoming release, version 12.8.0.0, is expected to be released in Q1 2026, and this version will include the permanent fix for these CVEs. Once version 12.8.0.0 is released and applied, the RPM scripts will no longer need to be applied.

| Affected Version | RPM Patch Version |
| :--- | :--- |
| 12.5.0.0 and prior | RPM 12.x.0.x |
| 12.5.1.0 and prior | RPM 12.x.1.x |
| 12.6.0.0 and prior | RPM 12.x.0.x |
| 12.6.1.0 and prior | RPM 12.x.1.x |
| 12.7.0.0 and prior | RPM 12.x.0.x |

For more information on the patches, we strongly recommend reviewing the guidance in the security advisory from Ivanti.

## Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-1281 and CVE-2026-1340 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Ivanti devices by using the following subscription:

## Get more information

- Ivanti Security Advisory: Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-1281 & CVE-2026-1340)
- Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340)

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Analysis Summary
# Vulnerability: Critical RCE in Ivanti Endpoint Manager Mobile (EPMM)
## CVE Details
- CVE ID: CVE-2026-1281
- CVSS Score: 9.8 (Critical)
- CWE: Code Injection (Implied by RCE description)
- CVE ID: CVE-2026-1340
- CVSS Score: 9.8 (Critical)
- CWE: Code Injection (Implied by RCE description)
## Affected Systems
- Products: Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core.
- Versions: The current RPM patch guidance covers versions up to 12.7.0.0; the specific vulnerable versions are detailed in the vendor advisory.
- Configurations: Affects the EPMM software running on customer environments.
## Vulnerability Description
CVE-2026-1281 and CVE-2026-1340 are both critical severity remote code execution (RCE) vulnerabilities present in Ivanti’s EPMM software. These are described as code injection flaws that allow an **unauthenticated attacker** to gain remote code execution on the affected system.
## Exploitation
- Status: Exploited in the wild (limited attacks confirmed as zero-days). PoC exploit available publicly as of January 30th.
- Complexity: Low (Implied by RCE from unauthenticated access and public PoC).
- Attack Vector: Network (Remote, Unauthenticated).
## Impact
- Confidentiality: High (Remote Code Execution likely leads to full compromise).
- Integrity: High (Remote Code Execution likely leads to full compromise).
- Availability: High (Remote Code Execution likely leads to full compromise).
## Remediation
### Patches
Temporary patches (RPMs) are available, applied based on the installed EPMM version:
| Affected Version | RPM Patch Version |
| :--- | :--- |
| 12.5.0.0 and prior | RPM 12.x.0.x |
| 12.5.1.0 and prior | RPM 12.x.1.x |
| 12.6.0.0 and prior | RPM 12.x.0.x |
| 12.6.1.0 and prior | RPM 12.x.1.x |
| 12.7.0.0 and prior | RPM 12.x.0.x |
**Permanent Fix:** Version 12.8.0.0 is expected to be released in Q1 2026 and will contain the permanent fix. Once version 12.8.0.0 is applied, the temporary RPM scripts will no longer be required.
### Workarounds
The RPM patches do not survive a version upgrade: after any upgrade they must be re-applied, and this remains the case until the permanent fix (v12.8.0.0) is installed.
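An added example (not Ivanti's or Tenable's code) that applies the patch guidance above to a host inventory: it picks the RPM family from the installed version, treats 12.8.0.0 and later as permanently fixed, and flags hosts whose version changed after the RPM was applied. The `Host` record, its field names, the sample inventory and the rule that the third version component selects the RPM family are assumptions read off the table.

```python
from dataclasses import dataclass
from typing import Optional

FIXED = (12, 8, 0, 0)           # release the page names as the permanent fix
HIGHEST_LISTED = (12, 7, 0, 0)  # highest version in the page's patch table

def parse(version: str) -> tuple:
    """Turn 'a.b.c.d' into a comparable tuple of ints."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a.b.c.d, got {version!r}")
    return parts

@dataclass
class Host:  # hypothetical inventory record
    name: str
    version: str                          # EPMM version installed now
    rpm_applied_on: Optional[str] = None  # version installed when the RPM went on

def triage(host: Host) -> str:
    v = parse(host.version)
    if v >= FIXED:
        return "fixed: permanent fix present, RPM not needed"
    # Assumption read off the table: the third component picks the RPM family.
    if v > HIGHEST_LISTED or v[2] not in (0, 1):
        return "check advisory: version not covered by the table"
    family = f"RPM 12.x.{v[2]}.x"
    if host.rpm_applied_on is None:
        return f"vulnerable: apply {family}"
    if parse(host.rpm_applied_on) != v:
        # The RPM does not survive a version change, so the old patch is gone.
        return f"vulnerable: upgraded since patching, re-apply {family}"
    return f"mitigated: {family} applied, re-apply after any upgrade"

# Constructed sample inventory (not real hosts).
INVENTORY = [
    Host("mdm-01", "12.7.0.0"),
    Host("mdm-02", "12.6.1.0", rpm_applied_on="12.6.1.0"),
    Host("mdm-03", "12.6.0.0", rpm_applied_on="12.5.0.0"),
    Host("mdm-04", "12.8.0.0", rpm_applied_on="12.7.0.0"),
]

def report(inventory):
    return {h.name: triage(h) for h in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```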
## Detection
- Indicators of Compromise (IOCs): No specific IOCs had been provided at the time of publishing, as Ivanti's investigation was ongoing.
- Detection methods and tools: Tenable plugin information is available on the individual CVE pages for CVE-2026-1281 and CVE-2026-1340. Customers are advised to use Tenable Attack Surface Management to identify public-facing Ivanti devices.
## References
- Vendor advisories: Ivanti Security Advisory: Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-1281 & CVE-2026-1340) (hxxps://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US)
- Relevant links - defanged: Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340) (hxxps://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/)