CyberSecurity News

Critical Ivanti Endpoint Manager 0-Day RCE Vulnerabilities Actively

Two critical code-injection vulnerabilities impacting the Endpoint Manager Mobile (EPMM) platform have been disclosed. These flaws are currently under active exploitation in real-world attacks. The...

Sarah simpson
Sarah simpson
January 30, 2026 2 Min Read
2 0

Two critical code-injection vulnerabilities impacting the Endpoint Manager Mobile (EPMM) platform have been disclosed. These flaws are currently under active exploitation in real-world attacks.

The security flaws, tracked as CVE-2026-1281 and CVE-2026-1340, allow unauthenticated attackers to execute arbitrary code remotely on vulnerable systems.

The vulnerabilities carry a maximum CVSS severity score of 9.8 and affect multiple versions of EPMM, including 12.5.0.0, 12.6.0.0, and 12.7.0.0.

According to Ivanti’s security advisory published on January 29, 2026, the company is aware of a limited number of customer environments that have already been compromised at the time of disclosure.

Active Exploitation Confirmed

Both vulnerabilities stem from code-injection weaknesses (CWE-94) that can be exploited without authentication or user interaction.

The attack vector is network-based and low-complexity, enabling threat actors to compromise vulnerable EPMM instances remotely with minimal effort.

Successful exploitation grants attackers complete control over the confidentiality, integrity, and availability of affected systems.

CVE Number Description CVSS Score CVSS Vector CWE
CVE-2026-1281 Code injection enabling unauthenticated RCE 9.8 (Critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CWE-94
CVE-2026-1340 Code injection enabling unauthenticated RCE 9.8 (Critical) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CWE-94

Ivanti has released version-specific RPM patches to address the security flaws. At the same time, customers await the permanent fix scheduled for version 12.8.0.0 in Q1 2026.

The temporary patches require no system downtime and do not impact feature functionality. However, administrators must reapply the RPM script after version upgrades.

Organizations running EPMM should immediately apply the version-specific RPM patches available through Ivanti’s support portal.

Customers using versions 12.5.0.x through 12.7.0.x require RPM 12.x.0.x, while those on 12.5.1.0 or 12.6.1.0 should deploy RPM 12.x.1.x.

The company emphasizes that only one patch is needed based on the deployed version.

Ivanti recommends security-conscious organizations consider rebuilding EPMM environments and migrating data to replacement systems as the most conservative remediation approach.

The company has provided technical analysis documentation with forensic guidance, though reliable indicators of compromise remain unavailable as investigations continue.

Notably, other Ivanti products including Endpoint Manager (EPM), Neurons for MDM, and Sentry appliances are not affected by these vulnerabilities.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

No Comment! Be the first one.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts