theinfosecnews

CVE-2026-1281

CISA KEV

Published January 29, 2026 · Updated April 3, 2026

high

What This Means

# CVE-2026-1281: Ivanti EPMM Unauthenticated RCE

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection flaw allowing attackers to execute arbitrary code remotely without authentication. An attacker exploiting this vulnerability gains full system access to affected EPMM instances, potentially compromising all enrolled mobile devices and their data. Patch EPMM immediately, isolate affected instances from production networks pending updates, and audit logs for exploitation attempts targeting your EPMM deployments.

Official Description

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Affected Products

| Vendor | Product |
|--------|---------|
| Ivanti | Endpoint Manager Mobile (EPMM) |

Patch Status

Patch by 2026-02-01

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2026-1281.

Related Coverage

vulnerability

CVE-2026-1281: Ivanti EPMM Unauthenticated Code Injection Enables Full System Compromise

CVE-2026-1281 is an unauthenticated code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that allows remote attackers to execute arbitrary code without credentials, gaining control of the EPMM service and access to all managed mobile devices and enterprise infrastructure. CISA has added the flaw to its Known Exploited Vulnerabilities catalog and mandates federal agency patching by February 1, 2026. Organizations should patch immediately, isolate exposed instances, rotate stored credentials, and audit logs for signs of exploitation.

CISA KEV·64d ago·3 min read