Two Critical vulnerabilities in Ivanti’s popular mobile device management solution have been exploited in the wild in limited attacks Key takeaways: Patch Ivanti EPMM immediately. Both CVE-2026-1281 and CVE-2026-1340 have been exploited in the wild, though impact has been limited so far. Apply the temporary RPM patches now while waiting for version 12.8.0.0 to be released in Q1 2026. Threat actors routinely target Ivanti. These products are a frequent target for attackers, as evidenced by the multiple vulnerabilities in EPMM that have been exploited-in-the-wild since 2020. Exploitation risk is high. With public proof-of-concept code already available for both CVEs, expect widespread scanning and exploitation attempts. Background On January 29, Ivanti released a security advisory to address two critical severity remote code execution (RCE) vulnerabilities in its Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, a mobile management software used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM). CVE Description CVSSv3 CVE-2026-1281 Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability 9.8 CVE-2026-1340 Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability 9.8 Analysis CVE-2026-1281 and CVE-2026-1340 are both code injection vulnerabilities in Ivanti’s EPMM. An unauthenticated attacker could exploit these vulnerabilities to gain remote code execution. Limited exploitation observed According to Ivanti, both CVE-2026-1281 and CVE-2026-1340 were exploited as zero-days affecting “a very limited number of customers.” Because its investigation is ongoing, Ivanti has not yet provided any indicators of compromise in relation to these attacks. Historical exploitation of Ivanti Endpoint Mobile Manager Ivanti products in general are a popular target for a variety of attackers. EPMM in particular has been targeted in the past, and the Tenable Research Special Operations (RSO) team has authored several blogs about these vulnerabilities. The following table outlines some of the notable EPMM vulnerabilities over the last six years: CVE Description Published Tenable Blogs CVE-2025-4428 Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability May 2025 CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution CVE-2025-4427 Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability May 2025 CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution CVE-2023-35082 Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability August 2025 N/A CVE-2023-35081 Ivanti Endpoint Manager Mobile Remote Arbitrary File Write Vulnerability July 2025 CVE-2023-35078: Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access Vulnerability CVE-2023-35078 Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability July 2025 CVE-2023-35078: Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access Vulnerability CVE-2020-15505 MobileIron Core & Connector Remote Code Execution Vulnerability October 2020 CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities Proof of concept At the time this blog was published on January 30, a public proof-of-concept (PoC) exploit was publicly available. We expect attackers will begin to leverage this PoC to conduct mass scanning and exploitation attempts against vulnerable devices. Solution Ivanti has released temporary updates that can be applied to address these vulnerabilities. According to the advisory, the RPMs supplied should be applied based on the installed version of EPMM. The RPMs will not survive a version upgrade, so if the version is updated, the RPM would need to be applied once again. However, the advisory further notes that an upcoming release, version 12.8.0.0, is expected to be released in Q1 2026., T and this version will include the permanent fix for these CVEs. Once version 12.8.0.0 is released and applied, the RPM scripts will no longer need to be applied. Affected Version RPM Patch Version 12.5.0.0 and prior RPM 12.x.0.x 12.5.1.0 and prior RPM 12.x.1.x 12.6.0.0 and prior RPM 12.x.0.x 12.6.1.0 and prior RPM 12.x.1.x 12.7.0.0 and prior RPM 12.x.0.x For more information on the patches, we strongly recommend reviewing the guidance in the security advisory from Ivanti. Identifying affected systems A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-1281 and CVE-2026-1340 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline . Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Ivanti devices by using the following subscription: Get more information Ivanti Security Advisory: Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-1281 & CVE-2026-1340) Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340) Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats. Learn more about Tenable One , the Exposure Management Platform for the modern attack surface.