What's Happening?
Ivanti has revealed two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) software, identified as CVE-2026-1281 and CVE-2026-1340. These vulnerabilities, which have a CVSS score of 9.8, allow remote attackers to execute arbitrary code on affected devices without authentication. The company has acknowledged that a limited number of customers have been impacted by these zero-day attacks. Ivanti has released RPM scripts to mitigate these vulnerabilities for specific EPMM versions, advising users to apply these patches immediately. The vulnerabilities will be permanently fixed in the upcoming EPMM version 12.8.0.0, expected later in Q1 2026. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by February 1, 2026.
Why Is It Important?
The disclosure of these vulnerabilities is significant as it highlights the ongoing threat of zero-day attacks on critical infrastructure. The ability of attackers to execute arbitrary code on EPMM appliances poses a severe risk to data security, potentially exposing sensitive information such as user credentials and device identifiers. This situation underscores the importance of timely patch management and the need for organizations to remain vigilant against emerging cyber threats. The involvement of CISA indicates the potential national security implications, as federal agencies are required to address these vulnerabilities promptly. The incident also reflects broader challenges in cybersecurity, where rapid response and collaboration between private companies and government agencies are crucial to mitigating risks.
What's Next?
Ivanti plans to release a permanent fix for the vulnerabilities in EPMM version 12.8.0.0. In the meantime, organizations using EPMM are advised to apply the available patches and monitor for signs of exploitation. CISA's directive for federal agencies to address these vulnerabilities by early February 2026 suggests a coordinated effort to secure government systems. Organizations may need to review their cybersecurity strategies and consider additional measures such as off-device logging to detect and respond to potential breaches. The situation may also prompt further scrutiny of software supply chains and the security of mobile device management solutions.








