StratosAlly – Cybersecurity for digital safety

Two Ivanti EPMM Zero-Day Flaws Actively Exploited in the Wild


StratosAlly


Just when many security teams felt they were finally gaining ground on endpoint hardening, reality struck back. Two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) have jumped from quiet bug reports to active exploitation, and attackers are already taking advantage.

Ivanti, a widely trusted name in enterprise mobility management, has confirmed that two zero-day remote code execution flaws, tracked as CVE-2026-1281 and CVE-2026-1340, are being abused in the wild. Both vulnerabilities carry a CVSS score of 9.8, placing them squarely in the “fix this immediately” category. In practical terms, these are the kinds of flaws attackers love: powerful, reliable, and devastating when left unpatched.

What makes this situation especially unsettling is how little effort exploitation requires. These vulnerabilities do not need authentication. No stolen credentials. No phishing email. No insider access. If an Ivanti EPMM instance is reachable over the network, it can become a target.

The vulnerable components sit at the heart of EPMM’s functionality, including in-house app distribution and Android file transfer configuration. These are not obscure features; they’re core systems used to manage corporate mobile devices and enforce security policies. Successful exploitation allows attackers to run arbitrary code, potentially seize control of the appliance, move deeper into the environment, and access sensitive device and user data.

The seriousness of the threat is reflected in how quickly authorities responded. The Cybersecurity and Infrastructure Security Agency (CISA) has already added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, a move typically reserved for flaws actively used in real attacks. U.S. federal agencies have been ordered to apply fixes by early February 2026, a clear signal that this is not a “wait and see” situation.

Ivanti has released interim patches, but there’s an important caveat: they’re temporary. Organizations that upgrade their EPMM appliances before the permanent fix arrives will need to reapply the mitigations. Ivanti says a full, long-term resolution is expected with version 12.8.0.0, slated for release in Q1 2026.

At a time when endpoint platforms are meant to defend the enterprise, this incident is a sharp reminder of an uncomfortable truth: even security tooling can become an attack gateway. In today’s threat landscape, trust isn’t enough; speedy patching and constant vigilance remain non-negotiable.
