Full Report
Multiple vulnerabilities have been discovered in Ivanti Endpoint Manager Mobile which could allow for remote code execution. Ivanti Endpoint Manager Mobile is a mobile management software engine that enables IT to set policies for mobile devices, applications and content. Successful exploitation of these vulnerabilities could allow for remote code execution in the context of the user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; make configuration changes on devices; or create new accounts with full user rights.
Analysis Summary
# Vulnerability: Remote Code Execution in Ivanti Endpoint Manager Mobile (EPMM)
## CVE Details
- CVE ID: CVE-2026-1281, CVE-2026-1340
- CVSS Score: Not explicitly provided, but implied **High/Critical** due to RCE risk. Severity is listed as **MEDIUM** for affected entities (Government/Business).
- CWE: Not explicitly provided in the summary of the flaw itself, but related to Code Injection.
## Affected Systems
- Products: Ivanti Endpoint Manager Mobile (EPMM)
- Versions:
  - EPMM version 12.5.1.0 and prior
  - EPMM version 12.6.1.0 and prior
  - EPMM version 12.5.0.0 and prior
  - EPMM version 12.6.0.0 and prior
  - EPMM version 12.7.0.0 and prior
- Configurations: Public-facing application context (Initial Access Tactic: Exploit Public-Facing Application).
## Vulnerability Description
Multiple vulnerabilities exist within Ivanti Endpoint Manager Mobile that allow for exploitation via **code injection**. Successful exploitation enables an unauthenticated attacker to achieve **Remote Code Execution (RCE)** in the context of the running user. This grants the attacker permissions to install programs, access/modify/delete data, make configuration changes, or create new user accounts with full user rights.
## Exploitation
- Status: Exploitation **observed in the wild** against a limited number of customers.
- Complexity: The attack vector is **Exploit Public-Facing Application** leading to unauthenticated RCE, typically implying **Low** exploit complexity for the initial access.
- Attack Vector: **Network** (Remote, Unauthenticated).
## Impact
- Confidentiality: High (Ability to view/change/delete data)
- Integrity: High (Ability to change data, make configuration changes, install programs)
- Availability: High (Potential for system disruption via configuration changes or data modification)
## Remediation
### Patches
- **Action Required:** Apply appropriate updates and/or hotfixes provided by Ivanti immediately after testing. (Refer to the Ivanti advisory for specific fixed versions.)
### Workarounds
- No specific vendor-provided workarounds are detailed; the general guidance is that immediate patching is required (M1051: Update Software).
## Detection
- **Indicators of Compromise (IOCs):** Not specifically listed, but logs related to suspicious network connections to EPMM or unexpected process executions/file modifications within the EPMM environment should be investigated.
- **Detection Methods and Tools:** Enable anti-exploitation features (e.g., DEP, WDEG, SIP/Gatekeeper) on enterprise assets. Utilize vulnerability scanning (authenticated and unauthenticated) quarterly or more frequently.
## References
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1281
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1340
- Ivanti Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US