Ivanti disclosed two critical vulnerabilities in Endpoint Manager Mobile (EPMM) on January 29, 2026, each of which attackers are exploiting for unauthenticated remote code execution. CISA added both to the Known Exploited Vulnerabilities (KEV) catalog the same day, with an unusually short 3-day remediation deadline.
Vulnerability overview
| CVE | CVSS | Type | Component |
|---|---|---|---|
| CVE-2026-1281 | 9.8 (Critical) | Code Injection | In-House Application Distribution |
| CVE-2026-1340 | 9.8 (Critical) | Code Injection | Android File Transfer Configuration |
Both vulnerabilities stem from insufficient input validation. According to watchTowr’s technical analysis, the root cause is “almost hard to believe”: Ivanti was using Bash to process information directly from remote endpoints.
Because attacker-supplied request parameters reach that shell without adequate sanitization, a crafted request becomes command injection, and command injection on the appliance is RCE without any authentication.
Vulnerable endpoints
| CVE | Feature | Vulnerable Endpoint |
|---|---|---|
| CVE-2026-1281 | In-House Application Distribution | /mifs/c/appstore/fob/ |
| CVE-2026-1340 | Android File Transfer Configuration | /mifs/c/aftstore/fob/ |
Attackers can provide Bash commands as part of malicious HTTP GET requests to these endpoints, resulting in arbitrary OS command execution on the target appliance.
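The bug class described above, as an added illustration that is not Ivanti's code and does not reproduce the real request format: a value taken from a request path is spliced into a command string that a shell parses, placed beside the two controls that close the hole (an allowlist check, and execution through an argv list so no shell ever re-parses the value). The handler names, the allowlist pattern and the `echo` stand-in for the real backend are assumptions made for the example.

```python
"""Added example illustrating the bug class behind CVE-2026-1281 and
CVE-2026-1340 (a URL path component handed to a shell). This is generic
demonstration code, not Ivanti's implementation: the handler names, the
allowlist pattern and the `echo` stand-in for the real backend are all
assumptions made for the example."""
import re
import subprocess

# Constructed sample inputs: a plausible app identifier and one carrying a
# shell payload of the kind the page describes arriving in a GET request path.
BENIGN_ID = "com.example.app-1.2.3"
HOSTILE_ID = "x; echo INJECTED"

# Allowlist for identifiers the endpoint legitimately accepts (assumed shape).
SAFE_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def vulnerable_lookup(app_id: str) -> str:
    """The flaw: the untrusted value is spliced into a command string and the
    string is parsed by a shell, so `;`, `$(...)`, backticks etc. are honoured."""
    cmd = f"echo lookup={app_id}"  # stand-in for whatever the appliance really runs
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_id(app_id: str) -> bool:
    """Reject anything outside the allowlist before it reaches any command."""
    return SAFE_ID.match(app_id) is not None


def argv_lookup(app_id: str) -> str:
    """No shell involved: the value is a single argv element and is never re-parsed."""
    proc = subprocess.run(["echo", f"lookup={app_id}"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def hardened_lookup(app_id: str) -> str:
    """Both layers: allowlist validation, then argv execution without a shell."""
    if not validate_id(app_id):
        raise ValueError(f"rejected identifier: {app_id!r}")
    return argv_lookup(app_id)


def was_injected(output: str) -> bool:
    """The payload's second command only ran if some output line is exactly INJECTED."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable :", repr(vulnerable_lookup(HOSTILE_ID)))   # second command runs
    print("argv only  :", repr(argv_lookup(HOSTILE_ID)))         # payload echoed as text
    try:
        hardened_lookup(HOSTILE_ID)
    except ValueError as err:
        print("hardened   :", err)
```

The argv form alone already defeats the payload (the whole string becomes one literal argument), but the allowlist is still worth keeping: it rejects hostile input before any subprocess is spawned, and it protects against the next developer reintroducing a shell somewhere downstream.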
Timeline
| Date | Event |
|---|---|
| Mid-January 2026 | Zero-day exploitation begins (estimated) |
| January 29, 2026 | Ivanti discloses vulnerabilities |
| January 29, 2026 | CISA adds both CVEs to the KEV catalog |
| January 30, 2026 | Public PoC exploit available on GitHub |
| January 30, 2026 | Shadowserver observes exploitation from 13+ source IPs |
| February 1, 2026 | CISA remediation deadline for federal agencies |
| Q1 2026 | Permanent fix expected in EPMM 12.8.0.0 |
Exploitation status
Active exploitation confirmed. Ivanti acknowledged exploitation occurred before disclosure.
| Metric | Value |
|---|---|
| Exploitation status | Active zero-day |
| Source IPs observed | 13+ (Shadowserver) |
| Time to public PoC | About 24 hours post-disclosure (January 30) |
| Post-exploitation activity | Webshells, reverse shells |
The Shadowserver Foundation observed a spike in exploitation attempts from at least 13 source IPs within 24 hours of disclosure. Attackers are installing webshells and establishing persistent reverse shells.
Exploitation evolution
watchTowr researcher Ryan Dewhurst characterized the situation:
“This started as tightly scoped zero-day exploitation. It has since devolved into global mass exploitation by a wide mix of opportunistic actors.”
| Phase | Timeframe | Actor type |
|---|---|---|
| Pre-disclosure | Mid-January 2026 | Targeted (likely APT) |
| Disclosure day | January 29, 2026 | Sophisticated actors |
| PoC release | January 30, 2026 | Opportunistic actors join |
| Mass exploitation | January 31+, 2026 | Commodity attackers |
Internet exposure
Shadowserver scans show approximately 1,600 EPMM instances exposed to the internet, concentrated in the following sectors:
| Sector | Exposure risk |
|---|---|
| Government agencies | High (slower patching cycles) |
| Healthcare organizations | High (critical MDM infrastructure) |
| Educational institutions | High (resource constraints) |
These sectors are particularly vulnerable due to slower patching cycles and the critical nature of mobile device management infrastructure.
What attackers gain
Successful exploitation provides full control of the EPMM appliance and access to:
| Data Type | Risk |
|---|---|
| Administrator credentials | Account takeover, lateral movement |
| User information | Names, usernames, email addresses |
| Device identifiers | IMEI, MAC addresses |
| Phone numbers and IP addresses | Device tracking |
| Installed applications | Attack surface mapping |
| GPS coordinates | Physical location tracking (if enabled) |
| Cell tower locations | Geolocation data |
Post-compromise capabilities
| Capability | Impact |
|---|---|
| API access | Make configuration changes to managed devices |
| Authentication settings | Modify device security policies |
| App deployment | Push malicious applications to managed fleet |
| Webshell persistence | Maintain access post-patch |
| Lateral movement | Pivot to other internal systems |
EPMM manages mobile device fleets—compromising it gives attackers visibility into an organization’s entire mobile infrastructure and the ability to weaponize it.
CISA response
CISA’s 3-day remediation deadline (February 1, 2026) for federal agencies signals exceptional severity. The accompanying guidance is blunt:
“Organizations that are, as of disclosure, exposing vulnerable instances to the internet must consider them compromised, tear down infrastructure, and instigate incident response processes.”
This is not a “patch and move on” situation. Assume compromise if your EPMM was internet-exposed before patching.
Federal guidance
| Requirement | Deadline |
|---|---|
| Apply vendor mitigations | February 1, 2026 |
| OR discontinue use of vulnerable systems | February 1, 2026 |
| Binding Operational Directive | BOD 22-01 |
Affected versions
| Status | Versions |
|---|---|
| Vulnerable | 12.5.x, 12.6.x, 12.7.x and all earlier EPMM releases (until the RPM patch is applied) |
| Not affected | Ivanti Neurons for MDM (cloud-hosted) |
| Not affected | Ivanti Endpoint Manager (EPM) |
| Not affected | Ivanti Sentry |
| Not affected | Other Ivanti products |
Patching complications
Critical warning: The current fix is an RPM patch, not a full version update, and it does not survive version upgrades. If you apply the patch and later upgrade EPMM to a release that predates the permanent fix, your server becomes vulnerable again and the patch must be reapplied.
| Aspect | Status |
|---|---|
| RPM interim patch | Available now |
| Persistence across upgrades | Does NOT survive version upgrades |
| Reapplication | Required after any EPMM update prior to 12.8.0.0 |
| Permanent fix | EPMM 12.8.0.0 (Q1 2026) |
Remediation
Immediate actions
| Priority | Action |
|---|---|
| Critical | Apply the RPM patch from Ivanti’s advisory immediately |
| Critical | Assume compromise if EPMM was internet-exposed before January 29 |
| Critical | Initiate incident response—hunt for webshells and reverse shells |
| High | Audit enrollment logs for unauthorized API calls going back to mid-January |
| High | Review all configuration changes made since mid-January |
Compromise indicators
| Indicator | Meaning |
|---|---|
| Webshells in EPMM web directories | Active compromise |
| Reverse shell connections from EPMM | Attacker access |
| Unauthorized device enrollments | Post-exploitation activity |
| Unexpected configuration changes | Attacker manipulation |
| New administrator accounts | Persistence mechanism |
| Unusual API calls to enrollment endpoints | Exploitation attempts |
Post-patch hardening
| Control | Purpose |
|---|---|
| Restrict network access | EPMM management interfaces should not be internet-accessible |
| Review device enrollments | Unexpected enrollments may indicate post-exploitation |
| Monitor for IoCs | Check for webshells, unauthorized accounts, persistence |
| Plan for 12.8.0.0 upgrade | Ensure patch isn’t lost during future updates |
| Network segmentation | Isolate MDM infrastructure |
Detection guidance
| Detection method | Target |
|---|---|
| Web directory monitoring | New/modified files in EPMM web roots |
| Network monitoring | Reverse shell connections from EPMM |
| API logging | Unauthorized enrollment or configuration calls |
| Process monitoring | Unusual child processes from EPMM services |
| File integrity monitoring | Changes to EPMM application files |
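The "new/modified files in EPMM web roots" and "file integrity monitoring" checks above, as an added example that is not Ivanti's tooling: hash every file under a directory, store the result, and later report what was added, modified or removed, narrowing the list to names a dropped webshell typically has. The page does not name the web-root directory, so it is taken as an argument; the suspect-extension list is an assumption about an Apache/Java appliance and should be tuned per deployment.

```python
"""Added example (not from the page or from Ivanti): a minimal file-integrity
baseline for hunting webshells, i.e. new or modified files under an EPMM
web root. The web-root path is an argument because the page does not name
it; SUSPECT_EXT is an assumption about what a dropped webshell on an
Apache/Java appliance usually looks like."""
import hashlib
import json
import os
import sys
from pathlib import Path

SUSPECT_EXT = {".jsp", ".jspx", ".php", ".sh", ".war"}  # assumption, tune per deployment


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): _sha256(p)
            for p in sorted(base.rglob("*")) if p.is_file()}


def save_baseline(snap: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline; 'suspect' narrows to webshell-like names."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    suspect = sorted(p for p in added + modified if Path(p).suffix.lower() in SUSPECT_EXT)
    return {"added": added, "modified": modified, "removed": removed, "suspect": suspect}


if __name__ == "__main__":
    # Usage: fim.py <web-root> <baseline.json>  (first run writes, later runs compare)
    root, baseline_file = sys.argv[1], sys.argv[2]
    if os.path.exists(baseline_file):
        report = diff_snapshots(load_baseline(baseline_file), snapshot(root))
        print(json.dumps(report, indent=1))
    else:
        save_baseline(snapshot(root), baseline_file)
        print(f"baseline written to {baseline_file}")
```

A baseline only detects changes made after it was taken, so on an appliance that was internet-exposed before January 29 the first comparison must be against a known-good reference (a freshly deployed instance of the same build, or vendor media), not against the running system. Keep the baseline file off the appliance, since an attacker with a shell can rewrite it.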
Log inspection
Ivanti recommends inspecting Apache access logs for exploitation evidence:
| Item | Detail |
|---|---|
| Log location | /var/log/httpd/https-access_log |
| Suspicious pattern | Requests to /mifs/c/appstore/fob/ or /mifs/c/aftstore/fob/ |
| Exploitation indicator | HTTP 404 responses to those paths (legitimate use returns 200) |
| Time range to review | Mid-January 2026 to present |
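The log review described above, as an added example rather than Ivanti's own tooling: parse the access log, keep requests to the two vulnerable paths from mid-January 2026 onward, and summarise them by source IP and status code, flagging the 404s the page calls out as the exploitation indicator and any path carrying shell metacharacters. It assumes the appliance writes standard Apache combined-format lines (adjust LOG_RE if yours differ); the sample lines are constructed for the demo using documentation addresses.

```python
"""Added example, not Ivanti's own tooling: scan an Apache combined-format
access log (the https-access_log path named above) for requests to the two
vulnerable paths and summarise them by source IP and status code. The log
lines are constructed for the demo; the format assumption is standard
Apache combined format."""
import re
import sys
from collections import Counter
from datetime import datetime, timezone

VULN_PATHS = ("/mifs/c/appstore/fob/", "/mifs/c/aftstore/fob/")
REVIEW_FROM = datetime(2026, 1, 15, tzinfo=timezone.utc)   # "mid-January 2026"

# Shell metacharacters, raw or URL-encoded, inside the request path: a
# heuristic for injection attempts, not a definitive signature.
META_RE = re.compile(r"[;|`$&]|%3B|%7C|%60|%24|%26", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2026:02:14:33 +0000] "GET /mifs/c/appstore/fob/%24(id) HTTP/1.1" 404 231 "-" "python-requests/2.31"
203.0.113.7 - - [30/Jan/2026:02:14:35 +0000] "GET /mifs/c/aftstore/fob/AAAA;id HTTP/1.1" 404 231 "-" "python-requests/2.31"
198.51.100.20 - - [28/Jan/2026:09:01:02 +0000] "GET /mifs/c/appstore/fob/abc123 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2026:11:00:00 +0000] "GET /mifs/c/aftstore/fob/x HTTP/1.1" 404 231 "-" "curl/8.0"
192.0.2.9 - - [30/Jan/2026:03:00:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def hunt(log_text: str, since: datetime = REVIEW_FROM) -> list:
    """All requests to a vulnerable path at or after `since`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ts"] >= since and rec["target"].startswith(VULN_PATHS):
            hits.append(rec)
    return hits


def summarize(hits: list) -> dict:
    """Counts per IP and status, plus the subset worth escalating: 404s (the
    page's exploitation indicator) or targets containing shell metacharacters."""
    flagged = [h for h in hits if h["status"] == 404 or META_RE.search(h["target"])]
    return {
        "total": len(hits),
        "by_ip": dict(Counter(h["ip"] for h in hits)),
        "by_status": dict(Counter(h["status"] for h in hits)),
        "flagged": [(h["ip"], h["status"], h["target"]) for h in flagged],
    }


if __name__ == "__main__":
    # Usage: hunt.py /var/log/httpd/https-access_log  (no argument runs the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(hunt(text))
    print(f"{report['total']} request(s) to vulnerable paths since {REVIEW_FROM:%Y-%m-%d}")
    print("by source IP:", report["by_ip"])
    print("by status   :", report["by_status"])
    for ip, status, target in report["flagged"]:
        print(f"  FLAG {ip} {status} {target}")
```

Run it against a copy of the log taken off the appliance, and include rotated files (https-access_log.1, compressed archives) so the review actually reaches back to mid-January. A 200 to one of these paths is not automatically benign either, and an empty result proves little if an attacker with a shell has already pruned the log, which is one reason the page's "assume compromise" stance stands regardless of what the log shows.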
Network indicators
| Indicator | Meaning |
|---|---|
| Outbound connections from EPMM | Reverse shell or C2 |
| Unexpected DNS queries | Attacker infrastructure |
| Large data transfers | Exfiltration |
| Connections to known bad IPs | Compromised infrastructure |
Ivanti vulnerability history
Ivanti products have experienced a series of critical vulnerabilities over the past two years:
| Year | Product | CVE | Severity |
|---|---|---|---|
| 2024 | Connect Secure | CVE-2024-21887 | Critical |
| 2024 | Connect Secure | CVE-2024-21893 | Critical |
| 2025 | Multiple products | Various | Multiple |
| 2026 | EPMM | CVE-2026-1281 | Critical (9.8) |
| 2026 | EPMM | CVE-2026-1340 | Critical (9.8) |
Recommendations
For affected organizations
| Priority | Action |
|---|---|
| Critical | Patch immediately—do not wait |
| Critical | If internet-exposed, assume compromise |
| Critical | Initiate incident response procedures |
| High | Remove EPMM from internet exposure |
| High | Audit for signs of compromise |
| Ongoing | Track Ivanti security advisories |
For security teams
| Priority | Action |
|---|---|
| Critical | Inventory all Ivanti EPMM deployments |
| High | Verify patch application and persistence |
| High | Hunt for webshells and reverse shells |
| High | Review MDM configuration integrity |
| Medium | Evaluate MDM architecture and exposure |
| Ongoing | Monitor for exploitation indicators |
Expert assessment
“CVE-2026-1281 and CVE-2026-1340 – unauthenticated RCE vulnerabilities within Ivanti’s Endpoint Manager Mobile (EPMM) – represent the worst of the worst, with threat actors actively compromising systems and deploying backdoors.”
Context
Organizations running Ivanti products should maintain heightened vigilance and consider whether the security posture of these products aligns with their risk tolerance. When Ivanti discloses vulnerabilities, the window between disclosure and mass exploitation is measured in hours, not days.
The use of Bash to process untrusted input from remote endpoints represents a fundamental architectural flaw. Organizations should factor Ivanti’s security track record into procurement and architecture decisions, particularly for internet-facing infrastructure.
Treat any internet-exposed EPMM instance as compromised until forensically verified otherwise.
Historical Ivanti EPMM zero-days
| Year | CVE(s) | Exploitation |
|---|---|---|
| 2023 | CVE-2023-35078 | Zero-day exploitation |
| 2025 | CVE-2025-4427 + CVE-2025-4428 | Chained zero-day exploitation |
| 2026 | CVE-2026-1281 + CVE-2026-1340 | Zero-day exploitation |
The pattern of repeated EPMM zero-days suggests architectural issues that Ivanti has not fully addressed. Organizations should factor this history into risk assessments for internet-exposed Ivanti infrastructure.