Friday, January 30, 2026

Ivanti issues urgent fixes after active attacks target EPMM zero-day flaws

Ivanti has released emergency security updates after confirming that two serious vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in zero-day attacks. One of the flaws has also been added to a government-maintained list of known exploited vulnerabilities, increasing the urgency for organisations to apply fixes.

The vulnerabilities are tracked as CVE-2026-1281 and CVE-2026-1340, both rated with a CVSS score of 9.8. These issues allow unauthenticated remote code execution through code injection. The affected versions include EPMM 12.5.0.0 and earlier, 12.6.0.0 and earlier, and 12.7.0.0 and earlier, which are fixed using RPM 12.x.0.x. Versions 12.5.1.0 and earlier and 12.6.1.0 and earlier are fixed using RPM 12.x.1.x. Ivanti noted that RPM patches do not survive version upgrades and must be reapplied. A permanent fix will arrive with EPMM version 12.8.0.0, expected later in Q1 2026.

“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” the company said, adding that it does not yet have enough insight into attacker behaviour to provide “reliable atomic indicators.” The company confirmed the flaws affect the In-House Application Distribution and Android File Transfer Configuration features and do not impact other products such as Ivanti Neurons for MDM, Ivanti Endpoint Manager, or Ivanti Sentry.

Ivanti warned that successful exploitation allows arbitrary code execution and could expose sensitive device data. Past attacks have shown persistence methods such as web shells and reverse shells. Customers are advised to review Apache access logs, administrator accounts, authentication settings, pushed applications, policies, and network configurations for signs of compromise. If an attack is detected, Ivanti recommends restoring from a known good backup or rebuilding the appliance, followed by password resets and certificate replacement. The development has led CISA to add CVE-2026-1281 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply updates by February 1, 2026.
