Ivanti Patches Actively Exploited Zero-Day in EPMM as CISA Flags Unauthenticated RCE Risk

By Ash K

Ivanti has issued urgent security updates for two previously unknown vulnerabilities affecting its Endpoint Manager Mobile platform, following reports of active exploitation in the wild. One of the flaws, tracked as CVE-2026-1281, has been added to the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, signalling confirmed attacker activity and elevated risk for exposed organisations.

The vulnerabilities impact Ivanti Endpoint Manager Mobile, commonly deployed by enterprises to manage and secure mobile devices, applications, and configurations across large environments. Given the platform’s role in enforcing device trust and access controls, successful exploitation carries potentially severe consequences.

Details of the Vulnerabilities

The most serious issue, CVE-2026-1281, is an unauthenticated code injection vulnerability that allows remote attackers to execute arbitrary code without valid credentials. This places the flaw in the highest risk category, particularly for internet-facing EPMM instances.

The second flaw, CVE-2026-1340, is also described as a code injection vulnerability. While Ivanti has not indicated active exploitation of this issue, it could still be chained with other weaknesses or abused in targeted scenarios if left unpatched.

Ivanti addressed both issues through security updates released in late January. The company has urged customers to apply patches immediately, stressing that no workaround fully mitigates the risk posed by CVE-2026-1281.

Active Exploitation and KEV Listing

The inclusion of CVE-2026-1281 in CISA’s Known Exploited Vulnerabilities catalog confirms that attackers are already leveraging the flaw. KEV listings are reserved for vulnerabilities that pose a clear and present danger to organisations, based on evidence of real-world exploitation.

For US federal agencies, inclusion in the catalog triggers mandatory remediation timelines. For private sector organisations, it serves as a strong indicator that the vulnerability is likely being incorporated into scanning tools and exploit kits.

Why EPMM Is a High-Value Target

Endpoint Manager Mobile is often integrated with identity systems, certificate services, and access control mechanisms. A compromise at this layer can allow attackers to pivot deeper into enterprise networks or manipulate device trust relationships.

Security teams have increasingly observed threat actors targeting management and infrastructure platforms, viewing them as efficient entry points rather than pursuing individual endpoints. Unauthenticated remote code execution flaws dramatically reduce the effort required to gain initial access.

Ivanti’s Recent Security Track Record

This latest disclosure comes amid heightened scrutiny of enterprise management software security. Over the past two years, multiple vendors in this space have faced exploitation campaigns targeting zero-day flaws, often with rapid weaponisation by both criminal and espionage-linked actors.

Ivanti has acknowledged the severity of the issue and credited internal investigations and external reporting for identifying the vulnerabilities. The company has not publicly attributed the exploitation to any specific threat actor.

Guidance for Defenders

Ivanti customers are advised to patch affected EPMM deployments immediately and verify that no instances remain exposed to the internet unnecessarily. Security teams should also review logs for signs of anomalous activity, particularly command execution or unexpected configuration changes.

Given the unauthenticated nature of CVE-2026-1281, defenders are encouraged to assume exploitation is possible even in environments with strong credential hygiene. Network segmentation, access restrictions, and continuous monitoring remain critical controls as attackers continue to focus on management infrastructure.
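The KEV section above notes that catalog inclusion starts a remediation clock, and the guidance above asks teams to patch every EPMM instance and confirm none is exposed to the internet unnecessarily. The following is an added example, not code from the article or from Ivanti or CISA, of how a defender can turn those two points into a triage list: it parses a feed excerpt in the shape of CISA's public KEV JSON (the field names `cveID`, `vendorProject`, `product`, `dueDate` and so on match the real feed, but the entry's dates, description and required action are constructed placeholders, not CISA's record), cross-references it against a hypothetical asset inventory, and ranks unpatched hosts by exposure and days remaining to the due date. The inventory hosts, the `patched_for` field and the product-matching rule are assumptions for illustration.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names follow the
# real feed; the dates, shortDescription and requiredAction text are placeholders.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-1281",
      "vendorProject": "Ivanti",
      "product": "Endpoint Manager Mobile (EPMM)",
      "vulnerabilityName": "Ivanti EPMM Code Injection Vulnerability",
      "dateAdded": "2026-01-30",
      "shortDescription": "PLACEHOLDER (constructed): unauthenticated code injection in EPMM.",
      "requiredAction": "PLACEHOLDER (constructed): apply vendor updates.",
      "dueDate": "2026-02-20",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Constructed asset inventory (hypothetical hosts). 'patched_for' lists the CVEs
# that patch management has confirmed as remediated on that host.
INVENTORY = [
    {"host": "epmm-01.corp.example", "product": "Ivanti EPMM",
     "patched_for": [], "internet_facing": True},
    {"host": "epmm-02.corp.example", "product": "Ivanti EPMM",
     "patched_for": ["CVE-2026-1281", "CVE-2026-1340"], "internet_facing": True},
    {"host": "epmm-lab.corp.example", "product": "Ivanti EPMM",
     "patched_for": [], "internet_facing": False},
    {"host": "mail-01.corp.example", "product": "Other",
     "patched_for": [], "internet_facing": True},
]


def load_kev(feed_json):
    """Index KEV entries by CVE id."""
    data = json.loads(feed_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def matches_product(asset, kev_entry):
    """Assumed matching rule: asset product string starts with the KEV vendor name.
    A production inventory should match on CPE or a curated product mapping."""
    return asset["product"].lower().startswith(kev_entry["vendorProject"].lower())


def triage(inventory, kev, today):
    """Return unpatched KEV exposures ranked by priority, then days to due date.

    Priority P1: internet-facing host with an unpatched KEV entry.
    Priority P2: internal host with an unpatched KEV entry.
    Any finding past its KEV due date is also flagged overdue.
    """
    findings = []
    for asset in inventory:
        for cve, entry in kev.items():
            if not matches_product(asset, entry):
                continue
            if cve in asset["patched_for"]:
                continue
            due = date.fromisoformat(entry["dueDate"])
            days_to_due = (due - today).days
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "priority": "P1" if asset["internet_facing"] else "P2",
                "days_to_due": days_to_due,
                "overdue": days_to_due < 0,
                "required_action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["priority"], f["days_to_due"]))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, load_kev(KEV_FEED_JSON), date(2026, 2, 10)):
        flag = " OVERDUE" if f["overdue"] else ""
        print(f"{f['priority']} {f['host']} {f['cve']} due in {f['days_to_due']}d{flag}")
```

Run against the constructed data with `today` set to 2026-02-10, the script lists the exposed unpatched host first as P1 and the internal lab host as P2, and drops the host whose patch-management record already shows both CVEs remediated; swapping in the live KEV feed and a real inventory export is the only change needed for production use.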

The incident reinforces a broader trend: tools designed to secure endpoints are themselves becoming prime targets, and vulnerabilities in these platforms can rapidly escalate from patch notes to active threat campaigns.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.