CVE-2026-1281: Ivanti EPMM Code Injection Flaw Enables Unauthenticated Remote Code Execution

Affected Product: Ivanti Endpoint Manager Mobile (EPMM)
Vendor: Ivanti
CVE ID: CVE-2026-1281
Vulnerability Type: Code Injection — Unauthenticated Remote Code Execution
CISA KEV Patch Deadline: February 1, 2026 (Federal Agencies)


Vulnerability Overview

CVE-2026-1281 is a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The flaw allows an unauthenticated remote attacker to execute arbitrary code on affected EPMM instances without supplying any valid credentials. No separate authentication bypass is needed: the vulnerable request handling runs before any credential check, so an attacker who can reach the EPMM server over the network can send crafted requests that trigger code execution inside the application.

Ivanti has confirmed the vulnerability and released patches. CISA has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog and mandated that all federal civilian executive branch (FCEB) agencies apply the patch no later than February 1, 2026.


Technical Analysis

The root cause is a code injection flaw within EPMM's server-side processing logic. When EPMM handles specific incoming requests, it fails to properly sanitize or restrict user-supplied input before passing it to an execution context. This allows an attacker to inject malicious code that the server processes and runs with the privileges of the EPMM application process.

Because the vulnerability operates pre-authentication, no account compromise, phishing campaign, or credential theft is required as a precondition. An attacker with network access to the EPMM administrative interface or API endpoint can trigger execution directly.

Ivanti EPMM is an enterprise mobile device management (MDM) platform. Organizations deploy it to manage, configure, and enforce security policy on mobile endpoints across their environment. EPMM instances typically hold mobile device enrollment records, configuration profiles, VPN credentials, Wi-Fi certificates, and email account configurations for the devices they manage. Compromising the EPMM server gives an attacker access to this data and potential lateral movement paths into managed mobile infrastructure.


Real-World Impact

A successful exploit against CVE-2026-1281 gives an attacker arbitrary code execution on the EPMM server. From that position, an attacker can:

  • Extract MDM enrollment credentials and device certificates stored on the EPMM instance
  • Modify or push malicious configuration profiles to managed mobile devices
  • Access stored VPN and Wi-Fi credentials that mobile endpoints use to connect to internal networks
  • Pivot from the EPMM server toward internal network segments, as MDM infrastructure typically maintains trust relationships with enterprise systems
  • Exfiltrate device inventories, which may include user identities, device hardware details, and OS versions useful for further targeting

Ivanti EPMM has been targeted before. In 2023, CVE-2023-35078 (an authentication bypass) and CVE-2023-35081 (a path traversal that allowed arbitrary file write), both affecting EPMM, were exploited by a threat actor in intrusions into Norwegian government networks, as documented in a joint advisory from CISA and the Norwegian National Cyber Security Centre (NCSC-NO), part of Norway's National Security Authority (NSM). Organizations running Ivanti MDM infrastructure should treat this new vulnerability with the same operational urgency.

Exposure risk increases for organizations that have published their EPMM administrative interface to the internet or have not placed it behind a VPN or zero-trust access gateway. EPMM instances reachable from untrusted networks without network-layer controls are at direct risk of unauthenticated exploitation.


Affected Versions

Organizations should consult Ivanti's official security advisory to confirm the specific EPMM versions affected by CVE-2026-1281. Ivanti publishes version-specific patch guidance through its security portal at https://www.ivanti.com/security.


Patching and Mitigation Guidance

1. Apply Ivanti's Patch Immediately
Ivanti has released a security update addressing CVE-2026-1281. All organizations running EPMM must apply the vendor patch without delay. FCEB agencies are under a mandatory CISA deadline of February 1, 2026, but all operators should treat this as critical regardless of regulatory obligation.

2. Isolate EPMM Instances Pending Patching
If patching cannot be completed immediately, restrict network access to the EPMM server. Place it behind a firewall or VPN gateway that limits access to known administrative source IPs only. Remove any public internet exposure of the EPMM interface.

3. Audit EPMM Logs for Exploitation Indicators
Review EPMM application and access logs for anomalous unauthenticated requests, unexpected process execution, or outbound connections from the EPMM host to unfamiliar destinations. Establish a baseline and look for deviations consistent with post-exploitation activity.

4. Rotate Credentials and Certificates Stored in EPMM
If there is any indication the EPMM instance was accessible from untrusted networks before patching, treat all credentials, VPN certificates, and Wi-Fi keys stored within EPMM as potentially compromised. Rotate them proactively.

5. Monitor CISA KEV and Ivanti Advisories
CISA's KEV catalog entry for CVE-2026-1281 will be updated as additional exploitation evidence is confirmed. Ivanti's security advisory page should be monitored for any supplemental patches or configuration guidance.
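The following Python script is an added worked example of steps 2 and 3 above; it is not Ivanti code and does not come from this advisory. It assumes the operator has exported the EPMM front-end web access log in Apache/nginx "combined" format (EPMM's native log layout is not documented here), that ADMIN_NETS is the operator's own management allowlist, and that the URL paths in the constructed sample log are placeholders rather than real EPMM endpoints. It builds a baseline from a period believed to be clean, then flags source addresses outside the allowlist, successful unauthenticated requests to paths never seen in the baseline, unseen user agents, and request bursts from a single source.

```python
"""Triage a constructed EPMM front-end access log for pre-auth probing.
Added example for this advisory, not Ivanti code. Assumptions: combined
log format, placeholder URL paths, and a constructed management allowlist."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed allowlist of management networks (step 2); replace with yours.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Everything logged before this instant is treated as the known-good baseline.
BASELINE_CUTOFF = datetime(2026, 1, 22, tzinfo=timezone.utc)

# Constructed sample: routine admin sessions from the management LAN, then a
# fast series of unauthenticated requests from an external address.
SAMPLE_LOG = """\
10.20.5.14 - admin [20/Jan/2026:09:00:01 +0000] "GET /admin/login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.20.5.14 - admin [20/Jan/2026:09:00:04 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.20.5.14 - admin [20/Jan/2026:09:00:09 +0000] "GET /admin/devices HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
10.20.7.3 - - [21/Jan/2026:11:15:00 +0000] "GET /admin/login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.77 - - [22/Jan/2026:03:12:10 +0000] "GET /admin/login HTTP/1.1" 200 1432 "-" "python-requests/2.31"
198.51.100.77 - - [22/Jan/2026:03:12:11 +0000] "POST /api/v1/config HTTP/1.1" 200 212 "-" "python-requests/2.31"
198.51.100.77 - - [22/Jan/2026:03:12:11 +0000] "POST /api/v1/config HTTP/1.1" 200 212 "-" "python-requests/2.31"
198.51.100.77 - - [22/Jan/2026:03:12:12 +0000] "GET /admin/export HTTP/1.1" 200 90210 "-" "python-requests/2.31"
"""


def parse(log_text):
    """Parse combined-format lines; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        events.append(e)
    return events


def build_baseline(events, before):
    """Record (method, path) pairs and user agents seen in the clean period."""
    clean = [e for e in events if e["ts"] < before]
    return {"paths": {(e["method"], e["path"]) for e in clean},
            "agents": {e["ua"] for e in clean}}


def bursts(per_ip_stamps, window_s, threshold):
    """Return {ip: n} for sources making >= threshold requests within window_s."""
    hits = {}
    for ip, stamps in per_ip_stamps.items():
        stamps = sorted(stamps)
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = end - start + 1
                break
    return hits


def triage(log_text, admin_nets=ADMIN_NETS, baseline_before=BASELINE_CUTOFF,
           burst_window_s=10, burst_threshold=4):
    """Signals from step 3: external sources, unauthenticated 200s on paths
    absent from the baseline, unseen user agents, and request bursts."""
    events = parse(log_text)
    base = build_baseline(events, baseline_before)
    out = {"external_sources": set(), "unauth_novel_paths": set(),
           "novel_user_agents": set(), "bursts": {}}
    per_ip = defaultdict(list)
    for e in events:
        ip = ipaddress.ip_address(e["ip"])
        per_ip[e["ip"]].append(e["ts"])
        if not any(ip in net for net in admin_nets):
            out["external_sources"].add(e["ip"])
        if (e["user"] == "-" and e["status"] == 200
                and (e["method"], e["path"]) not in base["paths"]):
            out["unauth_novel_paths"].add((e["ip"], e["path"]))
        if e["ua"] not in base["agents"]:
            out["novel_user_agents"].add((e["ip"], e["ua"]))
    out["bursts"] = bursts(per_ip, burst_window_s, burst_threshold)
    return out


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

Run against the constructed sample, the script reports one external source (198.51.100.77), two unauthenticated successes on paths the baseline never saw, an unseen automation user agent, and a four-request burst from that same address, while the login page hit from 10.20.7.3 is left alone because unauthenticated requests to the login page are part of the baseline. Any finding of the first kind is also evidence that the interface was reachable from outside the management network, which is the trigger for step 4.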


References

  • Ivanti Security Advisory: https://www.ivanti.com/security
  • CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • CISA BOD 22-01 (Federal Patch Mandate): https://www.cisa.gov/binding-operational-directive-22-01