Ivanti has disclosed two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, that were exploited in zero-day attacks.

The flaws are code-injection vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable devices without authentication. Both vulnerabilities have a CVSS score of 9.8 and are rated as critical.

“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” warns Ivanti.

Ivanti has released RPM scripts to mitigate the vulnerabilities for affected EPMM versions:

• Use RPM 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x
• Use RPM 12.x.1.x for EPMM versions 12.5.1.0 and 12.6.1.0

The company says there is no downtime required to apply the patches and that there is no functional impact, so it is strongly advised to apply them as soon as possible.

However, the company does warn that the hotfixes do not survive a version upgrade and must be reapplied if the appliance is upgraded before a permanent fix is available.

The vulnerabilities will be permanently fixed in EPMM version 12.8.0.0, which will be released later in Q1 2026.

Ivanti says successful exploitation allows attackers to execute arbitrary code on the EPMM appliance, allowing attackers access to a wide range of information stored on the platform.

This information includes administrator and user names, usernames, and email addresses, as well as information about managed mobile devices such as phone numbers, IP addresses, installed applications, and device identifiers like IMEI and MAC addresses.

If location tracking is enabled, attackers could also access device location data, including GPS coordinates and locations of nearest cell towers.

Ivanti warns that attackers could also use the EPMM API or web console to make configuration changes to devices, including authentication settings.

Actively exploited zero-days

Ivanti’s advisories state that both vulnerabilities were exploited as zero-days, but the company does not have reliable indicators of compromise (IOC) due to the small number of known impacted customers.

However, the company has published technical guidance on detecting exploitation and post-exploitation behavior that admins can use.

Ivanti says both vulnerabilities are triggered through the In-House Application Distribution and Android File Transfer Configuration features, with attempted or successful exploitation appearing in the Apache access log at /var/log/httpd/https-access_log.

To help defenders identify suspicious activity, Ivanti provided a regular expression that can be used to look for exploitation activity in the access logs:

^(?!127.0.0.1:d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404

The expression will list log entries that match external requests (not localhost traffic) targeting vulnerable endpoints that return 404 HTTP response codes.

According to Ivanti, legitimate requests to these endpoints typically return an HTTP 200 response. Exploitation attempts, whether successful or attempted, return 404 errors, making these entries a strong indicator that a device has been targeted.

However, Ivanti warns that once a device is compromised, attackers can modify or delete logs to hide their activity. If off-device logs are available, those should be reviewed instead.

If a device is suspected of being compromised, Ivanti does not recommend that admins clean the system.

Instead, customers should restore EPMM from a known-good backup taken before exploitation occurred or rebuild the appliance and migrate data to a replacement system.

After restoring systems, Ivanity suggests performing these actions:

• Reset the password of any local EPMM accounts. 
• Reset the password for the LDAP and/or KDC service accounts that perform lookups. https://help.ivanti.com/mi/help/en_us/core/11.x/gsg/CoreGettingStarted/Configuring_LDAP_servers.htm 
• Revoke and replace the public certificate used for your EPMM. 
• Reset the password for any other internal or external service accounts configured with the EPMM solution. 

While the vulnerabilities affect only Ivanti Endpoint Manager Mobile (EPMM), the company recommends reviewing Sentry logs as well.

“While EPMM can be restricted to a DMZ with little to no access to the rest of a corporate network, Sentry is specifically intended to tunnel specific types of traffic from mobile devices to internal network assets,” reads Ivanti’s analysis guidance for CVE-2026-1281 & CVE-2026-1340.

“If you suspect that your EPMM appliance is impacted, we recommend you review the systems that Sentry can access for potential recon or lateral movement.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the flaw is being actively exploited.

Federal civilian agencies have been given until February 1, 2026, to apply vendor mitigations or discontinue use of vulnerable systems under Binding Operational Directive 22-01.

It is unclear why CISA did not add both vulnerabilities to the KEV, and BleepingComputer contacted Ivanti to confirm that both were exploited.

In September, CISA published an analysis of malware kits deployed in attacks exploiting two other Ivanti Endpoint Manager Mobile (EPMM) zero-days. Those flaws were fixed in May 2025, but were previously exploited in zero-day attacks as well.