Urgent Alert: Ivanti Endpoint Manager 0-Day RCE Vulnerabilities Under Active Attack

Organizations worldwide face a critical new threat as Ivanti Endpoint Manager Mobile (EPMM) platforms are being actively targeted by attackers exploiting two newly disclosed 0-day remote code execution (RCE) vulnerabilities. These critical code-injection flaws, identified as CVE-2026-1281 and CVE-2026-1340, allow unauthenticated attackers to execute arbitrary code with maximum privileges on vulnerable systems. With a CVSS severity score of 9.8, the immediate risk of compromise is exceptionally high.

Endpoint Manager Mobile (formerly MobileIron Core) is a widely deployed solution for managing and securing mobile devices and applications within enterprise environments. The compromise of such a pervasive system could grant attackers deep access to corporate networks, sensitive data, and critical infrastructure. Understanding the nature of these vulnerabilities and acting swiftly is paramount for IT and security teams.

Understanding the Threat: CVE-2026-1281 and CVE-2026-1340

Both CVE-2026-1281 and CVE-2026-1340 are critical code-injection vulnerabilities affecting Ivanti EPMM. While specific technical details regarding the injection vectors are typically withheld during active exploitation to prevent further attacks, the key concern is their classification as “0-day” flaws—meaning no patches were available when they were first discovered to be exploited in the wild.

• Unauthenticated Access: Attackers do not need any credentials to exploit these vulnerabilities, making them trivial for widespread scanning and compromise.
• Remote Code Execution (RCE): Successful exploitation allows an attacker to execute arbitrary commands on the affected server. This can lead to full system compromise, data exfiltration, deployment of ransomware, or the establishment of persistent backdoors.
• High CVSS Score (9.8): The Common Vulnerability Scoring System (CVSS) score of 9.8 reflects the maximum possible severity, indicating that these vulnerabilities are easily exploitable, require no user interaction, pose a complete loss of confidentiality, integrity, and availability, and have no workarounds specified at disclosure.
• Active Exploitation: The most alarming aspect is that these are not theoretical vulnerabilities but are already being utilized by threat actors in real-world attacks, significantly elevating the urgency for immediate action.

Affected Ivanti EPMM Versions

Organizations should be aware that multiple versions of Ivanti EPMM are affected. While the official advisory is expected to provide a definitive list, preliminary information suggests that a broad range of implementations could be at risk. It is crucial to consult Ivanti’s official security advisories for the precise scope of affected EPMM versions as soon as they become available.

Remediation Actions

Given the active exploitation and critical nature of these Ivanti EPMM vulnerabilities, immediate and decisive action is essential. Do not delay in implementing these steps:

1. Monitor Official Ivanti Advisories: Regularly check Ivanti’s official security and product support channels for the latest information, including definitive lists of affected versions, patches, and workarounds. Prioritize any recommended emergency patches.
2. Isolate and Segment EPMM Instances: If immediate patching is not possible, consider temporarily isolating your Ivanti EPMM instances from the broader network. Implement strict network segmentation and firewall rules to limit external access to only essential ports and trusted IP addresses.
3. Review Logs for Compromise: Scrutinize Ivanti EPMM logs, network traffic logs, and endpoint detection and response (EDR) alerts for any signs of unusual activity, unauthorized access attempts, or indicators of compromise (IoCs) related to these vulnerabilities. Look for process execution anomalies, unexpected outbound connections, or suspicious file modifications.
4. Implement Multi-Factor Authentication (MFA): Ensure MFA is enforced for all administrative access to Ivanti EPMM and any connected systems. While this won’t prevent RCE, it can limit lateral movement post-compromise.
5. Perform Backup and Recovery Checks: Verify that your backup and disaster recovery procedures for your EPMM environment are up-to-date and functional. This is critical in the event of a successful attack.
6. Consider Temporary Disablement or Migration (Extreme Cases): For organizations unable to patch or secure their EPMM environments immediately and facing high-risk profiles, temporarily disabling or migrating away from vulnerable systems until a secure solution is in place might be a severe but necessary last resort.

Tools for Detection and Mitigation

While direct patching is the primary solution, various cybersecurity tools can aid in monitoring, detection, and mitigation strategies around such critical vulnerabilities.

Tool Name	Purpose	Link
Network Intrusion Detection/Prevention Systems (NIDS/NIPS)	Detect and block malicious network traffic patterns indicative of exploitation attempts or post-exploitation activities. Configure rules based on IoCs.	Snort / Suricata
Security Information and Event Management (SIEM)	Centralized logging and analysis, correlating events from various sources to detect anomalies and potential compromises on Ivanti EPMM and adjacent systems.	Leading commercial SIEM solutions (e.g., Splunk, IBM QRadar)
Endpoint Detection and Response (EDR)	Monitor Ivanti EPMM server endpoints for suspicious process execution, file changes, and network connections that might indicate compromise.	Leading commercial EDR solutions (e.g., CrowdStrike, SentinelOne)
Web Application Firewalls (WAF)	Can provide a layer of protection against web-based code injection attacks by inspecting and filtering HTTP traffic to the EPMM interface.	Cloud-based or appliance-based WAFs (e.g., Cloudflare, Imperva)

Conclusion

The active exploitation of CVE-2026-1281 and in Ivanti Endpoint Manager Mobile represents a severe threat to organizations leveraging the platform. The ability for unauthenticated attackers to achieve RCE with a perfect CVSS score of 9.8 demands immediate attention from all security and IT teams. Proactive monitoring, rapid application of patches as they become available, and diligent review of systems for signs of compromise are essential steps in mitigating this critical risk and securing enterprise mobile environments.