Ivanti Discloses Exploited Critical EPMM Flaws

Ivanti is warning of two critical-severity flaws in its Endpoint Manager Mobile (EPMM) product that are being exploited in the wild by threat actors.

On Thursday, the company released RPM scripts to mitigate the flaw in its EPMM mobile device management solution. The vulnerabilities (CVE-2026-1281 and CVE-2026-1340) could lead to unauthenticated remote code execution if successfully exploited.

“Successful exploitation of the EPMM appliance will enable arbitrary code execution on the appliance,” according to Ivanti. “Aside from lateral movement to the connected environment, EPMM also contains sensitive information about devices managed by the appliance.”

That sensitive information could include details about the EPMM administrator (such as name, email address and account username), information about device users (account username, name, email address, and user principal name for Active Directory), and details about mobile devices (including phone number, GPS location, device identifier, location of nearest cell tower, and IMEI, among other things). 

Ivanti did not detail the exploitation of the vulnerabilities except to say: “we are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.”

Both flaws are rated 9.8 out of 10 on the CVSS scale and are tied to a code injection flaw in EPMM.

The following versions of EPMM are impacted: 12.5.0.0 and prior, 12.6.0.0 and prior, 12.7.0.0 and prior, 12.5.1.0 and prior, and 12.6.1.0 and prior.

Ivanti said that other products, like Sentry, Ivanti Endpoint Manager, and Ivanti Neurons for MDM, are not impacted. Customers should apply the mitigated versions, either RPM 12.x.0.x or RPM 12.x.1.x, depending on their version. 

“The RPM script does not survive a version upgrade,” according to Ivanti. “If after applying the RPM script to your appliance, you upgrade to a new version you will need to reinstall the RPM. The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0.”

Additionally, the company has provided a writeup with generic information about detecting attempted exploitation for the flaws based on threat actor toolkits that have targeted older vulnerabilities on EPMM – however, the company said that due to the small number of impacted customers it doesn’t have enough information to provide reliable indicators.

“In addition to rapidly and proactively providing a patch, Ivanti has mobilized additional resources and support teams to assist customers and is actively collaborating with security partners, the broader security community and law enforcement,” according to the advisory.