Critical Zero-Day Flaws in Ivanti EPMM Under Active Exploitation
Ivanti releases emergency patches for two critical zero-day vulnerabilities in EPMM that enable unauthenticated remote code execution, with CISA mandating federal agencies to patch by February 1, 2026.
By Secure.com
Breaking: Ivanti Discloses Critical EPMM Vulnerabilities Exploited in the Wild
Ivanti has disclosed two critical security vulnerabilities in its Endpoint Manager Mobile (EPMM) platform that are being exploited by threat actors in zero-day attacks. The flaws, tracked as CVE-2026-1281 and CVE-2026-1340, allow attackers to execute code remotely on vulnerable systems.
What Happened?
Ivanti released emergency security patches on January 29, 2026, to address two code injection vulnerabilities affecting its EPMM platform, both rated critical (CVSS 9.8). The vulnerabilities affect EPMM's In-House Application Distribution and Android File Transfer Configuration features, creating a broad attack surface for organizations that expose them.
Ivanti has confirmed active breaches: at the time of disclosure, a number of customers had already been compromised. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) promptly added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog and required federal agencies to apply fixes by February 1, 2026.
The affected versions include EPMM 12.5.0.0 and earlier, 12.6.0.0 and earlier, 12.7.0.0 and earlier, as well as 12.5.1.0 and 12.6.1.0. Ivanti Neurons for MDM, Ivanti Endpoint Manager, and Ivanti Sentry cloud products are unaffected.
The Impact
The consequences of successful exploitation are severe. Threat actors who gain remote code execution can access private information stored on EPMM platforms, such as administrator credentials, user email addresses, phone numbers, IP addresses, installed applications, and device identifiers such as IMEI and MAC addresses. If location tracking is enabled, GPS coordinates and cell tower data could also be compromised.
Mobile Device Management (MDM) platforms like EPMM are particularly attractive to threat actors because they serve as centralized control points for enterprise mobile fleets. Compromising an MDM platform provides attackers with a force multiplier - access to administrator credentials, device inventories, and configuration capabilities that can be weaponized to compromise hundreds or thousands of endpoints simultaneously.
Attackers can deploy web shells to persist and move laterally within the network, and they can alter settings through the API or admin console, effectively turning EPMM into a command server for the managed fleet.
This incident highlights Ivanti's troubled security history. Over the past few years, similar zero-day attacks on EPMM occurred in 2025 (CVE-2025-4427 and CVE-2025-4428) and 2023 (CVE-2023-35078 and CVE-2023-35082), with some attacks linked to Chinese state-sponsored groups. The recurring pattern underscores that endpoint management platforms are high-value targets for sophisticated adversaries.
How to Avoid This
Apply patches: Install the RPM patch script appropriate for your EPMM version; applying it requires no downtime and has no functional impact. Use RPM 12.x.0.x for versions 12.5.0.x, 12.6.0.x, and 12.7.0.x, or RPM 12.x.1.x for versions 12.5.1.0 and 12.6.1.0.
Plan long-term fixes: The RPM patches are temporary; they must be reapplied after any upgrade. The permanent solution arrives with EPMM version 12.8.0.0, due for release later in Q1 2026. Prepare for it immediately.
Look for compromise indicators: Review the Apache access log at /var/log/httpd/https-access_log for suspicious HTTP 404 responses to requests under /mifs/c/(aft|app)store/fob/ paths. Examine administrator accounts, authentication configurations, push applications, policies, and network settings for unauthorized changes.
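The log review above can be scripted. The following is an added example written for this article, not an Ivanti tool or official indicator script: it parses Apache combined-format access-log lines (the format is assumed; adjust LOG_RE if the appliance uses a custom LogFormat), keeps requests whose path begins with /mifs/c/aftstore/fob/ or /mifs/c/appstore/fob/, filters on the 404 status the guidance calls out, and tallies hits per source address. The embedded log excerpt is constructed for illustration and uses documentation-range IP addresses.

```python
import re
import sys
from collections import Counter
from typing import Iterable, NamedTuple, Optional

# Apache "combined" log format (assumption: EPMM's https-access_log is
# assumed to use it; change LOG_RE if your appliance logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path prefix named in the compromise-indicator guidance.
SUSPECT_PATH_RE = re.compile(r'^/mifs/c/(?:aft|app)store/fob/')


class Hit(NamedTuple):
    ip: str
    timestamp: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Hit]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Hit(m['ip'], m['ts'], m['method'], m['path'], int(m['status']))


def find_suspicious(lines: Iterable[str],
                    statuses: Optional[frozenset] = frozenset({404})) -> list:
    """Return requests under the watched prefix whose status is in `statuses`.

    The guidance calls out 404 responses, so that is the default. Pass
    statuses=None to list every request under the prefix regardless of
    status, which is useful when reviewing what a probing host did next.
    """
    hits = []
    for line in lines:
        hit = parse_line(line.rstrip('\n'))
        if hit is None:
            continue  # malformed or non-access-log line, skip it
        if not SUSPECT_PATH_RE.match(hit.path):
            continue
        if statuses is not None and hit.status not in statuses:
            continue
        hits.append(hit)
    return hits


def count_by_source(hits: Iterable[Hit]) -> dict:
    """Tally hits per client IP, most active source first."""
    return dict(Counter(h.ip for h in hits).most_common())


# Constructed sample excerpt (not real log data; RFC 5737 documentation IPs).
SAMPLE_LOG = """\
198.51.100.22 - - [29/Jan/2026:09:58:11 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jan/2026:10:15:02 +0000] "GET /mifs/c/aftstore/fob/x HTTP/1.1" 404 196 "-" "curl/8.4.0"
203.0.113.7 - - [29/Jan/2026:10:15:03 +0000] "GET /mifs/c/appstore/fob/x HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.22 - - [29/Jan/2026:10:20:40 +0000] "GET /mifs/c/appstore/fob/catalog HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
this line is not an access-log record
203.0.113.9 - - [29/Jan/2026:11:02:17 +0000] "POST /mifs/c/aftstore/fob/y HTTP/1.1" 404 196 "-" "python-requests/2.31"
"""


if __name__ == '__main__':
    # Usage: python epmm_log_check.py [/var/log/httpd/https-access_log]
    # With no argument the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            hits = find_suspicious(fh)
    else:
        hits = find_suspicious(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.timestamp} {h.ip} {h.method} {h.path} -> {h.status}")
    print("hits per source:", count_by_source(hits))
```

On the sample, the default run reports three 404 hits from two sources; rerunning with statuses=None also surfaces the 200 response to the same prefix from a third request, which is worth reviewing alongside the 404s rather than dismissing because it succeeded.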
Respond to confirmed breaches: If a compromise is detected, restore from a known-good backup or build a replacement EPMM appliance. Reset all local account passwords, LDAP service credentials, and public certificates. Change passwords for external service accounts configured with EPMM.
Implement defense-in-depth: Place EPMM in a DMZ with tightly limited access to the corporate network. Monitor the systems that Sentry can reach for signs of reconnaissance or lateral movement. Regular security assessments and prompt patching remain crucial.