Ivanti Endpoint Manager Mobile, unauthenticated code injection
A code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allows a remote, unauthenticated attacker to achieve remote code execution on affected systems. The issue stems from improper control of code generation and affects EPMM versions up to and including 12.7.0.0. Successful exploitation results in arbitrary code execution in the context of the EPMM application.
Overview
CVE-2026-1281 is a critical (CVSS 9.8) code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), the unified endpoint and mobile device management platform. The flaw permits a remote, unauthenticated attacker to execute arbitrary code on a vulnerable EPMM instance. It was disclosed as an actively exploited zero-day, chained in observed attacks with CVE-2026-1340, and CISA added it to the Known Exploited Vulnerabilities catalog on January 29, 2026, the same day NVD published the record, with a remediation due date of February 1, 2026. Because EPMM is typically internet-facing in order to manage remote devices, the exposed population is large and the window between disclosure and exploitation was effectively zero.
Technical Details
The vulnerability is classified as CWE-94 (improper control of generation of code, or code injection): attacker-controlled input reaches a step where the server generates and then executes code, without being neutralized first. Affected functionality includes the in-house application distribution and Android file transfer configuration features. No authentication, privileges, or user interaction are required, and the impact spans confidentiality, integrity, and availability; the CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. All EPMM versions up to and including 12.7.0.0 are affected.
Impact
- Unauthenticated remote code execution on the EPMM server.
- Compromise of managed mobile device inventory, policies, and enrolled credentials.
- Potential lateral movement from the EPMM host into internal infrastructure.
- Exposure of sensitive corporate data delivered through managed applications.
Mitigation
- Apply the Ivanti-provided interim (RPM-based) patch for your currently supported EPMM version immediately. These interim patches do not persist across version upgrades, so if you later upgrade to any release that does not carry the permanent fix, reapply the interim patch and verify it is present before returning the appliance to service.
- Plan to install the permanent fix delivered in EPMM release 12.8.0.0, which supersedes the interim patch.
- Restrict network exposure of the EPMM management interface to trusted networks where operationally feasible.
- Patching closes the entry point but does not evict an attacker who used it before the fix was available. Because this flaw was exploited as a zero-day, treat any internet-exposed appliance as potentially compromised: preserve logs before patching where possible, perform incident response on the host, and rotate credentials that EPMM holds or that were reachable from it.
Detection
Hunt for exploitation in EPMM application and web server logs, focusing on requests to the in-house application distribution and Android file transfer configuration endpoints, particularly write requests (uploads or configuration changes) arriving without an established session. GreyNoise reported a concentration of exploitation traffic, with the majority of observed sessions originating from 193.24.123[.]42; use that address as a hunting pivot rather than as the sole indicator, since exploitation infrastructure changes and a request from any source that reaches the affected features deserves review. On the host, inspect for unexpected child processes spawned by the EPMM service, newly written web shells or binaries, and anomalous outbound connections.
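The log hunt described above, as an added example (not Ivanti's tooling and not code from the advisory). It parses combined-format web server access log lines and flags three things: requests from the GreyNoise-reported address, requests to the affected feature paths, and write methods against those paths. The advisory does not publish the request paths for the in-house application distribution and Android file transfer configuration features, so the `SUSPECT_PATH_PATTERNS` below are placeholders you must replace with the endpoints from Ivanti's guidance for your version; the sample log lines are constructed for this example.

```python
"""Hunt for CVE-2026-1281 exploitation attempts in EPMM web server access logs.

Added example, not vendor tooling. Assumptions:
  - the web server writes the common/combined log format, one request per line;
  - SUSPECT_PATH_PATTERNS are placeholders (the advisory gives no paths);
  - SAMPLE_LOG is constructed for this example.
"""
import re
from dataclasses import dataclass

# Indicator from the advisory (GreyNoise): majority of observed sessions.
KNOWN_SCANNER_IPS = {"193.24.123.42"}

# ASSUMPTION: placeholder path fragments for the two affected features.
# Replace with the real endpoints from Ivanti's guidance for your EPMM version.
SUSPECT_PATH_PATTERNS = (
    re.compile(r"/inhouse", re.I),               # hypothetical: in-house app distribution
    re.compile(r"/androidfiletransfer", re.I),   # hypothetical: Android file transfer config
)

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    reasons: tuple


def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score(rec):
    """Return the tuple of reasons a parsed request is worth a look (empty = benign)."""
    reasons = []
    if rec["ip"] in KNOWN_SCANNER_IPS:
        reasons.append("source IP reported by GreyNoise")
    if any(p.search(rec["path"]) for p in SUSPECT_PATH_PATTERNS):
        reasons.append("request to affected feature path")
        # The bug is unauthenticated code injection: attacker input has to be
        # delivered to the server, so writes to these paths matter most.
        if rec["method"] in ("POST", "PUT"):
            reasons.append("write method to affected path")
    return tuple(reasons)


def hunt(lines):
    """Parse every line, skip unparseable ones, and return a Hit per flagged request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score(rec)
        if reasons:
            hits.append(Hit(rec["ip"], rec["ts"], rec["method"], rec["path"],
                            int(rec["status"]), reasons))
    return hits


# Constructed sample log: one benign request, one from the reported scanner,
# one write to the other affected feature, one read of an affected path, one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2026:10:02:11 +0000] "GET /status HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
193.24.123.42 - - [29/Jan/2026:10:03:45 +0000] "POST /inhouse/upload HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.9 - - [29/Jan/2026:10:05:02 +0000] "POST /androidfiletransfer/config HTTP/1.1" 500 88 "-" "curl/8.4"
203.0.113.7 - - [29/Jan/2026:10:06:30 +0000] "GET /inhouse/list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG.splitlines()):
        print(f"{h.ts} {h.ip} {h.method} {h.path} {h.status} :: {'; '.join(h.reasons)}")
```

Run it against the real log with `hunt(open(path).readlines())` after replacing the placeholder patterns. A hit with only "request to affected feature path" on a GET from an internal address is normal administrative traffic; a POST to an affected path from an address that never completed a login, or any request from the reported scanner, should be triaged with the host-level checks above.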