Critical Ivanti Endpoint Manager Mobile (EPMM) zero-day exploited in the wild (CVE-2026-1281 & CVE-2026-1340)

Last updated on Jan 30, 2026

Overview

On January 29, 2026, Ivanti disclosed two new critical vulnerabilities affecting Endpoint Manager Mobile (EPMM): CVE-2026-1281 and CVE-2026-1340. The vendor has indicated that exploitation in the wild had already occurred prior to disclosure. This has been echoed by CISA, which added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog shortly after the vendor disclosure. As an indication of how critical this development is, CISA has given a “due date” of only 3 days (due Feb 1, 2026) for organizations such as federal agencies to remediate the vulnerabilities before the affected devices must be removed from a network.

While CVE-2026-1281 has been confirmed as exploited in the wild as a zero-day, it is unclear whether CVE-2026-1340 has been exploited as well, or whether it was found separately from CVE-2026-1281. The two critical vulnerabilities are summarized below.

CVE            CVSSv3          CWE
CVE-2026-1281  9.8 (Critical)  Improper Control of Generation of Code (CWE-94)
CVE-2026-1340  9.8 (Critical)  Improper Control of Generation of Code (CWE-94)

Both CVE-2026-1281 and CVE-2026-1340 are described identically by the vendor: they are code injection issues that allow a remote, unauthenticated attacker to execute arbitrary code on an affected device. Based on the vendor's guidance, attackers can supply Bash commands as part of a malicious HTTP GET request to the endpoints that service either the “In-House Application Distribution” feature (i.e. /mifs/c/appstore/fob/) or the “Android File Transfer Configuration” feature (i.e. /mifs/c/aftstore/fob/), resulting in arbitrary OS command execution on the target.

As EPMM is an endpoint management solution for mobile devices, the impact of an attacker compromising the EPMM server is significant. An attacker may be able to access Personally Identifiable Information (PII) about mobile device users, such as their names and email addresses, as well as their mobile device information, such as phone numbers, GPS data, and other sensitive unique identifiers. This is in addition to the privileged position an attacker gains on the EPMM device itself, which may allow for lateral movement within the compromised network.

Given the nature of the product, EPMM is a high-profile target, and it has repeatedly been targeted via zero-day vulnerabilities in the past. In 2023 the product was exploited in the wild via CVE-2023-35078, and again in 2025 via an exploit chain of CVE-2025-4427 and CVE-2025-4428. As of January 30, 2026, a public working proof-of-concept exploit for remote code execution is available. Organizations running EPMM are urged to act quickly and follow the vendor guidance to remediate these issues.

Threat hunting

The following vendor supplied regular expression can be used to search the HTTP daemon’s log files for evidence of potential exploitation of CVE-2026-1281 and CVE-2026-1340:

^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
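To show how the vendor's regular expression behaves against real-looking access log lines, here is an added example (not from the advisory or from Rapid7's tooling) that runs it over a handful of constructed lines. It assumes an Apache-style access log whose first field is `<server-ip>:<port>`, since that is what the leading negative lookahead relies on to drop local (127.0.0.1) requests; adjust the samples to match your own httpd log format.

```python
import re

# Vendor-supplied hunting regex, copied verbatim from the advisory.
HUNT_PATTERN = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# Constructed sample lines (not real EPMM logs). Assumed layout:
# "<server-ip>:<port> <client-ip> - - [time] \"<request>\" <status> <bytes>"
# Line 1: external request to the appstore endpoint answered with 404 -> flagged.
# Line 2: same request from 127.0.0.1 -> suppressed by the lookahead.
# Line 3: aftstore endpoint answered with 200 -> not flagged (no 404).
# Line 4: unrelated 404 -> not flagged (path does not match).
SAMPLE_LOG = """\
10.0.0.5:443 203.0.113.7 - - [30/Jan/2026:10:15:01 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 512
127.0.0.1:443 127.0.0.1 - - [30/Jan/2026:10:15:02 +0000] "GET /mifs/c/aftstore/fob/ HTTP/1.1" 404 512
10.0.0.5:443 198.51.100.9 - - [30/Jan/2026:10:15:03 +0000] "GET /mifs/c/aftstore/fob/ HTTP/1.1" 200 1024
10.0.0.5:443 198.51.100.9 - - [30/Jan/2026:10:15:04 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 100
"""


def hunt(log_text):
    """Return (line_number, feature, line) for every line the vendor regex flags.

    feature is "appstore" (In-House Application Distribution) or
    "aftstore" (Android File Transfer Configuration), taken from group 1.
    """
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = HUNT_PATTERN.search(line)
        if match:
            hits.append((number, match.group(1) + "store", line))
    return hits


if __name__ == "__main__":
    for number, feature, line in hunt(SAMPLE_LOG):
        print(f"line {number} [{feature}]: {line}")
```

Note that the trailing `.*?404` matches the digits 404 anywhere after the path, not only in the status field, and that requests answered with a status other than 404 are not flagged at all, so treat the output as a starting point for review rather than a complete record of exploitation attempts.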

Mitigation guidance

A vendor supplied update is available to remediate both vulnerabilities.

The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.0.x patch:

  • Versions 12.7.0.0 and below

  • Versions 12.6.0.0 and below

  • Versions 12.5.0.0 and below

The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.1.x patch:

  • Versions 12.6.1.0 and below

  • Versions 12.5.1.0 and below

Customers are advised to update to the latest remediated version of EPMM on an emergency basis, outside of normal patching cycles, as exploitation in the wild is already occurring.

For the latest mitigation guidance for Ivanti EPMM, please refer to the vendor’s security advisory. In addition to remediation, the vendor has provided additional threat hunting guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-1281 and CVE-2026-1340 with authenticated vulnerability checks expected to be available in today's (Jan 30) content release. Note that the "Potential" category must be enabled in the scan template to run the checks.

Updates

  • January 30, 2026: Added reference to the watchTowr technical analysis and proof-of-concept exploit.