Ivanti has released security updates for Endpoint Manager Mobile (EPMM) addressing two critical-severity vulnerabilities.
Successful exploitation allows unauthenticated remote code execution. Active exploitation has been confirmed in the wild, both worldwide and in Luxembourg.
CIRCL strongly recommends immediately initiating a full incident response procedure for all Ivanti EPMM instances, including compromise assessment and log review.
As EPMM is a mobile endpoint management solution, a compromise of the EPMM server can result in severe impact, including full control over managed devices, lateral movements and access to sensitive data.
Affected Version
| Product Name | Affected Version(s) | Affected CPE(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|---|
| Ivanti Endpoint Manager Mobile | 12.5.0.0 and prior 12.6.0.0 and prior 12.7.0.0 and prior | cpe:2.3:a:ivanti:endpoint_manager_mobile:12.7.0.0 | RPM 12.x.0.x | https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0S-5.noarch.rpm |
| Ivanti Endpoint Manager Mobile | 12.5.1.0 and prior 12.6.1.0 and prior | cpe:2.3:a:ivanti:endpoint_manager_mobile:12.5.1.0 cpe:2.3:a:ivanti:endpoint_manager_mobile:12.6.1.0 | RPM 12.x.1.x | https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0L-5.noarch.rpm |
Previous version under EoL might be also affected by the vulnerability.
Network Indicator
Detection and Forensic
Ivanti published a detection script Exploitation Detection RPM package. We strongly recommend to do further detection and analysis beside the scripts provided by Ivanti.
References
- Security Advisory Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-1281 & CVE-2026-1340)
- Analysis Guidance Ivanti Endpoint Manager Mobile (EPMM) CVE-2026-1281 & CVE-2026-1340
- CVE-2026-1281
- CVE-2026-1340
Classification of this document
TLP:CLEAR information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.0 - TLP:CLEAR - First version - 9th February 2025