Ivanti Patches Critical Zero-Day RCE Flaws in EPMM

Take action: If you run Ivanti Endpoint Manager Mobile on premises, this is an URGENT advisory. Update your EPMM now, because these flaws are already being actively exploited. Apply the RPM patches immediately, and remember to re-apply them if you upgrade the software version before the permanent fix in version 12.8.0.0 is released. Also check the logs, because your EPMM may already have been compromised.


Ivanti released emergency patches for two actively exploited zero-day flaws in its Endpoint Manager Mobile (EPMM) software. CISA has already added one of these flaws to its list of known exploited vulnerabilities, confirming active exploitation.

Vulnerabilities summary:

  • CVE-2026-1281 (CVSS score 9.8) - A code injection flaw in Ivanti Endpoint Manager Mobile that allows attackers to achieve unauthenticated remote code execution.
  • CVE-2026-1340 (CVSS score 9.8) - A code injection flaw in Ivanti Endpoint Manager Mobile that allows attackers to achieve unauthenticated remote code execution.

Affected versions are:

  • Ivanti Endpoint Manager Mobile 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior
  • Ivanti Endpoint Manager Mobile 12.5.1.0 and prior, and 12.6.1.0 and prior

Customers should apply either RPM 12.x.0.x or RPM 12.x.1.x, depending on their version.

  • RPM_12.x.0.x - Applicable versions: 12.5.0.x, 12.6.0.x and 12.7.0.x
  • RPM_12.x.1.x - Applicable versions: 12.5.1.0 and 12.6.1.0

These patches are temporary and do not survive a software version upgrade. Anyone who upgrades has to re-apply the patch afterwards.

A permanent fix will be included in version 12.8.0.0, which Ivanti plans to release in early 2026. 

Security teams can look for signs of current attacks by reviewing the Apache access log at /var/log/httpd/https-access_log for 404 errors on specific paths. If you find signs of a breach, you must rebuild the server from a clean backup. You also need to reset passwords for all local accounts, LDAP services, and KDC accounts. Ivanti also recommends replacing all public certificates used by the system.
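The log review described above can be scripted. The following is an added example, not Ivanti's tooling: it assumes the log uses the Apache common/combined format, and the watched path prefix is a placeholder that must be replaced with the paths named in Ivanti's advisory, since this page does not list them. The sample log lines are constructed.

```python
import re
import sys
from collections import defaultdict
from urllib.parse import unquote

# PLACEHOLDER: replace with the path prefixes listed in Ivanti's advisory.
WATCH_PREFIXES = ("/PLACEHOLDER/advisory-path-1/",)

# Assumption: Apache common/combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_suspect_404s(lines, prefixes=WATCH_PREFIXES):
    """Return {client_ip: [(timestamp, method, raw_target), ...]} for 404s on watched paths."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue  # malformed request line, or not a 404
        # Drop the query string and decode %xx so encoded paths still match.
        path = unquote(m["target"].split("?", 1)[0])
        if path.startswith(tuple(prefixes)):
            hits[m["ip"]].append((m["ts"], m["method"], m["target"]))
    return dict(hits)

# Constructed sample lines (not real traffic; documentation IP ranges).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2026:10:01:02 +0000] '
    '"GET /PLACEHOLDER/advisory-path-1/x?a=1 HTTP/1.1" 404 196 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2026:10:01:05 +0000] '
    '"GET /PLACEHOLDER/advisory-path-1/y HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2026:10:02:00 +0000] '
    '"GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2026:10:02:03 +0000] '
    '"POST /PLACEHOLDER/%61dvisory-path-1/z HTTP/1.1" 404 196 "-" "-"',
]

if __name__ == "__main__":
    # Usage: python scan_404.py /var/log/httpd/https-access_log
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            results = find_suspect_404s(fh)
    else:
        results = find_suspect_404s(SAMPLE)
    for ip, events in results.items():
        print(f"{ip}: {len(events)} matching 404(s)")
        for ts, method, target in events:
            print(f"  [{ts}] {method} {target}")
```

Run it against rotated copies of the log as well, since older entries may no longer be in the live file.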