At a glance: Two critical vulnerabilities affecting Ivanti EPMM are being actively exploited in the wild. The flaws are unauthenticated code injection issues that allow remote code execution on vulnerable EPMM appliances. Successful exploitation enables attackers to execute arbitrary commands, access sensitive device management data, alter configurations, and potentially pivot further into enterprise environments.
Threat summary
On January 29, Ivanti released emergency updates for two critical-severity vulnerabilities in Endpoint Manager Mobile (EPMM), noting exploitation in the wild.
EPMM, formerly MobileIron Core, is a mobile device management platform used to manage, configure, and enforce security policies across enterprise mobile fleets. The platform provides centralized control over device enrollment, compliance, and application distribution.
Tracked as CVE-2026-1281 and CVE-2026-1340, the flaws are described as code injection issues that could be exploited by unauthenticated threat actors to achieve remote code execution (RCE). Both issues have a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.
Successful exploitation allows an attacker to run commands on the EPMM appliance with the privileges of an EPMM service account, enabling full code execution once the system is compromised.
Because EPMM stores information about managed devices, any data accessible through the MIFS portal (the MobileIron Front-End Server interface) should be considered exposed after a confirmed attack. A threat actor could also use the API or web console to alter EPMM configuration settings. Overall, the impact includes unauthenticated RCE, potential lateral movement, and access to sensitive data within the device management environment.
Ivanti reported limited exploitation as of January 29, 2026, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog. The threat actor has not been publicly attributed.
Affected versions include Ivanti Endpoint Manager Mobile:
- 12.5.0.0 and prior
- 12.6.0.0 and prior
- 12.7.0.0 and prior
- 12.5.1.0
- 12.6.1.0
Fixes were released through updated RPM packages on January 29, 2026.
Analysis & mitigation
Ivanti EPMM has a history of real-world exploitation: earlier vulnerabilities were actively abused by threat actors. The product line is a recurring target, and new flaws are likely to attract rapid attacker interest.
The vulnerabilities are in the In-House Application Distribution and Android File Transfer Configuration components, which handle core file and application workflows within EPMM. This gives a threat actor a route to functionality that processes inbound application packages and device-related file operations.
These features are directly exposed to device and administrator interactions rather than being peripheral or internal subsystems, which increases the impact when they are compromised.
Field Effect MDR users would be alerted via ARO if vulnerable systems are detected in their environment.
Ivanti recommends applying the updated RPM packages for all affected EPMM versions. Additional recommendations include restricting external access to EPMM management interfaces, increasing monitoring of unauthenticated requests to EPMM components, and reviewing system logs for recent activity. Network segmentation around mobile device management infrastructure reduces exposure while updates are applied.
Review all externally accessible EPMM instances, restrict network exposure where possible, and validate that no unauthorized changes or anomalous activity occurred prior to patching.
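One way to carry out the pre-patch log review recommended above, as an added example that is not Field Effect's or Ivanti's code. It assumes Apache combined-format access logs; the URL prefixes are placeholders for the two affected components, and the trusted networks, patch time and sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import unquote

# Assumptions, not from the advisory: Apache combined log format, and
# placeholder URL prefixes standing in for the two affected components.
COMPONENT_PREFIXES = (
    "/PLACEHOLDER-inhouse-app-distribution/",
    "/PLACEHOLDER-android-file-transfer/",
)
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def triage(lines, patched_at):
    """Group pre-patch requests to the affected components by untrusted source IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        try:
            src = ipaddress.ip_address(m["ip"])
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if any(src in net for net in TRUSTED_NETS) or when >= patched_at:
            continue
        # Decode percent-escapes so an encoded prefix still matches.
        if unquote(m["path"]).startswith(COMPONENT_PREFIXES):
            hits[str(src)].append((when.isoformat(), m["method"], m["path"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (documentation-range addresses).
SAMPLE = [
    '203.0.113.7 - - [27/Jan/2026:03:14:07 +0000] "GET /PLACEHOLDER-inhouse-app-distribution/x HTTP/1.1" 404 196 "-" "curl/8.5.0"',
    '10.1.2.3 - - [27/Jan/2026:03:15:00 +0000] "GET /PLACEHOLDER-android-file-transfer/y HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Jan/2026:09:00:00 +0000] "POST /PLACEHOLDER-android-file-%74ransfer/z HTTP/1.1" 200 88 "-" "-"',
    '203.0.113.7 - - [02/Feb/2026:10:00:00 +0000] "GET /PLACEHOLDER-inhouse-app-distribution/x HTTP/1.1" 404 196 "-" "curl/8.5.0"',
    '203.0.113.7 - - [28/Jan/2026:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
PATCHED_AT = datetime(2026, 2, 1, tzinfo=timezone.utc)  # constructed: when this appliance was updated

if __name__ == "__main__":
    print(triage(SAMPLE, PATCHED_AT))
```

Hits are leads for review rather than confirmation of compromise, since an access log in this format does not record whether a request was authenticated.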
Organizations relying on Ivanti Endpoint Manager Mobile for device compliance enforcement may consider temporary compensating controls such as limiting administrative actions until patching is complete.