Ivanti EPMM Zero-Day Attacks: Critical Code Injection Flaws Exposed (2026)

Ivanti has just dropped a bombshell, revealing two critical flaws in their Ivanti Endpoint Manager Mobile (EPMM) software. These vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, have already been exploited in zero-day attacks. But here's where it gets controversial: Ivanti claims that a limited number of customers have been affected, but with no reliable indicators of compromise, the full extent of the breach remains unknown.

The flaws are code-injection vulnerabilities, allowing remote attackers to execute arbitrary code on vulnerable devices without any authentication. This is a serious issue, as it grants attackers access to a wide range of sensitive information stored on the platform. From administrator and user names to email addresses and device identifiers, the potential for data theft is immense. And if location tracking is enabled, attackers could even access GPS coordinates and cell tower locations, raising serious privacy concerns.

Ivanti has released RPM scripts to mitigate these vulnerabilities for affected EPMM versions. The company assures us that applying these patches causes no downtime or functional impact, so it's strongly recommended to implement them immediately. However, there's a catch: the hotfixes are temporary and won't survive a version upgrade. If you upgrade your appliance before a permanent fix is available, you'll need to reapply the patches.

The permanent fix is expected to arrive with EPMM version 12.8.0.0, scheduled for release later in Q1 2026. Until then, Ivanti advises admins to be vigilant and monitor their systems for any suspicious activity. The company has provided a regular expression to help identify exploitation attempts in access logs, but they warn that compromised devices may have their logs modified or deleted by attackers.

If you suspect your device has been compromised, Ivanti recommends restoring EPMM from a known-good backup or rebuilding the appliance and migrating data to a replacement system. It's crucial to reset passwords and revoke any compromised certificates to ensure the security of your system.

While these vulnerabilities only affect Ivanti Endpoint Manager Mobile, the company also recommends reviewing Sentry logs, as Sentry may provide a tunnel for attackers to access internal network assets.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, confirming the active exploitation of this flaw. Federal agencies have until February 1, 2026, to apply vendor mitigations or discontinue use of vulnerable systems. It's unclear why CISA didn't add both vulnerabilities to the KEV catalog, but Ivanti has confirmed that both were exploited.

This news comes on the heels of CISA's analysis of malware kits deployed in attacks exploiting two other Ivanti EPMM zero-days, which were fixed in May 2025.

So, what can we learn from this? It's a stark reminder of the importance of staying vigilant and proactive in managing our digital security. With zero-day attacks on the rise, it's crucial to keep our software up-to-date and our defenses strong.

And this is the part most people miss: it's not just about patching vulnerabilities. It's about adopting a holistic approach to security, from regular backups to robust password management and beyond.

So, what do you think? Are we doing enough to protect ourselves from these emerging threats? Let's discuss in the comments and share our thoughts on how we can better secure our digital world.

Author: Errol Quitzon
