Ivanti has issued an urgent security advisory confirming that attackers are actively exploiting critical vulnerabilities in its Endpoint Manager Mobile (EPMM) solution. The flaws, which allow unauthenticated remote code execution (RCE), place mobile device management infrastructure at immediate risk of full compromise.
The advisory reveals that Ivanti is “aware of a very limited number of customers whose solution has been exploited at the time of disclosure”. This acknowledgment confirms that the vulnerabilities are not just theoretical risks but active weapons in the hands of threat actors.
The security update addresses two specific critical vulnerabilities, both carrying a CVSS score of 9.8.
- CVE-2026-1281: Described as “A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution”.
- CVE-2026-1340: Similarly identified as “A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution”.
The “unauthenticated” nature of these flaws is particularly dangerous: an attacker needs no credentials or internal access to launch an attack, only the ability to reach the vulnerable server on the network.
While the exploitation is currently limited, the potential impact is severe. EPMM (formerly MobileIron Core) is often the central nervous system for managing corporate mobile devices. Compromise here could allow attackers to push malicious apps, wipe devices, or steal sensitive corporate data.
The advisory clarifies that the impact is specific to EPMM. “This vulnerability does not impact any other Ivanti products, including any cloud products, such as Ivanti Neurons for MDM”. Additionally, “Ivanti Endpoint Manager (EPM) is a different product and also not impacted by these vulnerabilities”.
The advisory also touches on a critical concern for defenders: the safety of encrypted private keys stored in the Core database. While Ivanti states that “it is difficult to be able to obtain a password and successfully decrypt the private keys,” they advise caution.
To be safe, “Ivanti recommends revoking previously generated user certificates and regenerating using admin driven action from the EPMM product”.
With active exploitation confirmed, there is no grace period left for patching. Administrators running Ivanti EPMM must apply the updates immediately to prevent their organizations from becoming the next statistic in this developing campaign.