Security Advisory 2026-001

Key Takeaways

• Two critical code injection vulnerabilities (CVE-2026-1281, CVE-2026-1340) affect Ivanti Endpoint Manager Mobile (EPMM).
• Both vulnerabilities carry a CVSS score of 9.8 and allow unauthenticated remote code execution.
• At least one of these vulnerabilities is actively being exploited in the wild in a limited number of cases.
• Hotfixes (RPM 12.x.0 or RPM 12.x.1) are available but do not survive version upgrades and must be reapplied.
• A permanent fix is planned for release 12.8.0.0 in Q1 2026.

Affected Systems

• Ivanti Endpoint Manager Mobile (EPMM) 12.5.1.0 and prior
• Ivanti Endpoint Manager Mobile (EPMM) 12.6.1.0 and prior
• Ivanti Endpoint Manager Mobile (EPMM) 12.7.0.0 and prior

Vulnerabilities (CVEs)

• CVE-2026-1281
• CVE-2026-1340

Attack Chain

An unauthenticated remote attacker targets a vulnerable Ivanti Endpoint Manager Mobile (EPMM) appliance exposed to the network. By exploiting a code injection vulnerability (CVE-2026-1281 or CVE-2026-1340), the attacker forces the application to execute arbitrary commands. This results in unauthenticated remote code execution, allowing the attacker to compromise the appliance and potentially pivot into the internal network or manipulate mobile device management infrastructure.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

EDR Visibility: Low — Ivanti EPMM is a proprietary appliance, which typically restricts or prevents the installation of standard third-party EDR agents. Network Visibility: Medium — Network sensors and WAFs can potentially inspect inbound traffic for exploitation attempts, though HTTPS encryption requires SSL inspection. Outbound connections from the appliance to unknown IPs can also be monitored. Detection Difficulty: Hard — Without specific payload signatures or IOCs provided in the advisory, detection relies entirely on identifying anomalous behavior on a closed appliance system.

Required Log Sources

• Web Application Firewall (WAF) logs
• Network flow logs
• Appliance HTTP access and error logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Monitor for unexpected outbound network connections originating from the Ivanti EPMM appliance to external, non-vendor IP addresses.	Network flow logs, Firewall logs	Command and Control	Medium
Look for anomalous child processes or shell executions originating from the EPMM web service processes, if appliance-level logging is accessible.	Appliance process execution logs	Execution	Low

Control Gaps

• Lack of EDR support on proprietary appliances
• Inability to easily inspect encrypted web traffic to the appliance without SSL decryption

Key Behavioral Indicators

• Anomalous web requests to EPMM endpoints
• Unexpected outbound network traffic from the appliance

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Apply the hotfix (RPM 12.x.0 or RPM 12.x.1) provided by Ivanti immediately to vulnerable EPMM appliances.
• Secure forensic evidence from the appliance to investigate potential prior compromise before patching.

Infrastructure Hardening

• Restrict access to the Ivanti EPMM administrative interfaces to trusted IP addresses or dedicated management networks.
• Ensure the hotfix script is reapplied if the appliance is upgraded, as the script does not survive version upgrades prior to 12.8.0.0.

User Protection

• N/A

Security Awareness

• Inform IT and security operations teams that the current hotfix is temporary and must be reapplied during any intermediate upgrades until the permanent fix (12.8.0.0) is deployed.

MITRE ATT&CK Mapping

• T1190 - Exploit Public-Facing Application
• T1059 - Command and Scripting Interpreter