Critical Ivanti EPMM Vulnerabilities Under Active Exploitation

Critical Ivanti EPMM Vulnerabilities Under Active Exploitation

First seen 30 Jan 2026, 02:44 UTC CybersecuritynewsBleepingcomputerDbugs.PtsecurityHelpnetsecurityThehackernews+57 83% similarity 72.8

Article Content

Browse articles
ThreatCluster

Two critical vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, have been actively exploited in the wild, allowing unauthenticated remote code execution (RCE) with a CVSS score of 9.8. These vulnerabilities were disclosed on January 29, 2026, and have since been added to CISA's Known Exploited Vulnerabilities catalog. Exploitation has been observed across various sectors, including government and healthcare, with attackers leveraging these flaws to gain unauthorized access to sensitive device management data. The vulnerabilities stem from code injection issues in the In-House Application Distribution and Android File Transfer Configuration features of EPMM. Ivanti has released emergency patches and advised organizations to apply them immediately to mitigate risks. However, the patches do not survive version upgrades, necessitating ongoing vigilance. The attack vector has been linked to a broader trend of rapid exploitation following vulnerability disclosures, raising concerns about the security of mobile device management systems.

Key Points: • CVE-2026-1281 and CVE-2026-1340 allow unauthenticated RCE with a CVSS score of 9.8. • Exploitation has been confirmed across various sectors, including government and healthcare. • Ivanti has released emergency patches, but they do not persist through version upgrades.

ThreatCluster AI

Timeline

2017-03-07
First public exploit for CVE-2017-5638 released
2023-07-25
CVE-2023-35078 published
2023-07-31
CVE-2023-35081 added to CISA KEV (active exploitation)
2024-12-10
CVE-2024-11639 published
2025-01-08
CVE-2025-0282 published
2025-01-14
CVE-2024-13159 published
2025-01-14
CVE-2024-13160 published
2025-01-14
CVE-2024-13161 published
2025-01-14
CVE-2024-55591 published
2025-03-18
CVE-2025-24799 published

Community

Browse all →