CVE-2026-1281: Ivanti EPMM Unauthenticated Code Injection Enables Full System Compromise

CVE ID: CVE-2026-1281
Vendor: Ivanti
Product: Endpoint Manager Mobile (EPMM)
Vulnerability Type: Code Injection / Unauthenticated Remote Code Execution
CISA KEV Patch Deadline: February 1, 2026


Vulnerability Overview

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability tracked as CVE-2026-1281 that allows unauthenticated remote attackers to execute arbitrary code on affected systems. No credentials are required to trigger the flaw. Successful exploitation runs attacker-supplied code under the privileges of the EPMM service process.

EPMM is Ivanti's enterprise mobile device management (MDM) platform, deployed by organizations to manage, monitor, and enforce policy on corporate mobile fleets. Its position as a management plane — with direct authority over enrolled devices and network resources — makes this vulnerability particularly high-value for attackers seeking broad access.


Technical Details

The flaw resides in the EPMM application layer and permits code injection without prior authentication. An attacker with network access to the EPMM interface can send a malformed or specially crafted request that the platform processes without first validating the caller's identity. The injected code executes server-side under the EPMM service context.

Because EPMM instances are frequently exposed to the internet or reachable from enterprise DMZs to support remote device enrollment and management, the attack surface is broad. Organizations that have not restricted external access to EPMM administrative interfaces face the highest exposure.

No public CVSS score has been formally assigned at the time of publication, but the combination of unauthenticated access, remote attack vector, and direct code execution maps to critical severity under standard scoring methodology. CISA's inclusion of this CVE in its Known Exploited Vulnerabilities (KEV) catalog, with a binding operational directive deadline of February 1, 2026 for federal agencies, indicates that exploitation in the wild is either confirmed or assessed as highly likely.


Real-World Impact

A successful exploit gives an attacker code execution at the privilege level of the EPMM service. From that foothold, an attacker can:

  • Access device management functions — read device inventories, push malicious configuration profiles, wipe or lock enrolled devices, or extract MDM enrollment credentials.
  • Move laterally — pivot from the EPMM server into adjacent enterprise infrastructure using harvested credentials, API tokens, or service account privileges stored by the platform.
  • Exfiltrate sensitive data — EPMM stores device identifiers, user-to-device mappings, VPN configurations, Wi-Fi credentials, and enterprise application data, all of which become accessible post-exploitation.
  • Persist on managed endpoints — by abusing legitimate MDM push capabilities, an attacker can deploy malicious applications or configuration changes to every enrolled mobile device in the organization.

Ivanti products have been targeted repeatedly by state-sponsored and financially motivated groups. CVE-2023-35078 and CVE-2023-35081, both affecting Ivanti EPMM, were exploited in the wild before patches were widely applied. Norwegian government ministries were compromised through those flaws. CVE-2026-1281 follows the same product and vulnerability class, making historical exploitation patterns directly relevant to current risk assessments.

Organizations in government, healthcare, and critical infrastructure that rely on EPMM for mobile fleet management carry elevated risk given their regulatory visibility and the sensitivity of managed device data.


Affected Versions

Ivanti has not publicly narrowed the affected version range beyond confirming EPMM is impacted. Treat all EPMM deployments as vulnerable until Ivanti's security advisory specifies fixed versions and your environment is confirmed patched.


Patching and Mitigation Guidance

1. Apply Ivanti's security update immediately. Access Ivanti's official security advisory portal and apply the patch designated for CVE-2026-1281. Federal agencies under CISA's binding operational directive must complete remediation by February 1, 2026. All other organizations should treat this as an emergency patch cycle given the unauthenticated RCE nature of the flaw.

2. Isolate internet-exposed EPMM instances pending patching. If patching cannot be completed immediately, restrict network access to the EPMM administrative interface. Block inbound connections from the internet and limit access to trusted internal IP ranges or VPN egress points. Do not rely on network controls as a long-term substitute for patching.

3. Audit EPMM access logs for exploitation indicators. Review server-side logs for anomalous or malformed requests to EPMM API and administrative endpoints. Look for unexpected process spawning from the EPMM service, outbound connections initiated by the EPMM process, or changes to enrolled device configurations outside normal change windows.

4. Rotate credentials and tokens stored in EPMM. If exploitation is suspected or cannot be ruled out, rotate all credentials the EPMM platform stores or has access to — including service account passwords, API tokens, VPN pre-shared keys, and Wi-Fi passphrases distributed via MDM profiles.

5. Review enrolled device integrity. For any EPMM deployment where exploitation is confirmed or suspected, audit enrolled devices for unauthorized configuration profiles, newly installed applications, or policy changes that occurred outside approved administrative sessions.

6. Monitor for lateral movement. Correlate EPMM server activity with network detection rules targeting unusual outbound connections, credential reuse across systems, and access to internal resources from the EPMM host. Alert on any administrative actions taken against enrolled devices outside of established change management processes.
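The log-review and access-restriction steps above can be turned into a first-pass triage script. The following is an added example, not Ivanti's code or tooling: it scans constructed EPMM-style access log lines for sensitive-endpoint requests from outside a trusted range, unauthenticated requests the server still accepted, and malformed request paths. The log format, the `/admin/` and `/api/` prefixes, and the trusted network are hypothetical placeholders to be replaced with the deployment's real values.

```python
import ipaddress
import re
from urllib.parse import unquote

# Hypothetical sensitive prefixes and trusted range; substitute the deployment's real ones.
SENSITIVE_PREFIXES = ("/admin/", "/api/")
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Hypothetical line format: client - user "METHOD path protocol" status
LINE_RE = re.compile(r'^(\S+) - (\S+) "(\S+) (\S+) [^"]*" (\d{3})$')
MAX_PATH_LEN = 512


def _is_trusted(client: str) -> bool:
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in TRUSTED_NETS)


def _is_malformed(path: str) -> bool:
    decoded = unquote(path)
    # Control characters or an oversized path are not produced by normal clients.
    return len(decoded) > MAX_PATH_LEN or any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded)


def triage(log_text: str) -> list[tuple[int, list[str]]]:
    """Return (line number, reasons) for every line that deserves analyst attention."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((lineno, ["unparseable log line"]))
            continue
        client, user, _method, path, status = m.groups()
        reasons = []
        sensitive = path.startswith(SENSITIVE_PREFIXES)
        if sensitive and not _is_trusted(client):
            reasons.append("sensitive endpoint reached from untrusted network")
        if sensitive and user == "-" and status.startswith("2"):
            reasons.append("unauthenticated request accepted on sensitive endpoint")
        if _is_malformed(path):
            reasons.append("malformed request path")
        if reasons:
            findings.append((lineno, reasons))
    return findings


# Constructed sample lines (not real EPMM logs).
SAMPLE_LOG = """\
10.20.5.14 - admin1 "GET /admin/dashboard HTTP/1.1" 200
203.0.113.77 - - "POST /api/enroll HTTP/1.1" 200
10.20.5.14 - admin1 "GET /api/devices?id=%0a%0d HTTP/1.1" 400
10.0.0.3 - - "GET /public/health HTTP/1.1" 200"""

if __name__ == "__main__":
    for lineno, reasons in triage(SAMPLE_LOG):
        print(lineno, "; ".join(reasons))
```

Findings from this script are leads for the manual review in step 3, not proof of compromise; correlate them with process and outbound-connection telemetry from the EPMM host before escalating.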

