
CVE-2026-1281: a critical Ivanti EPMM zero-day

Ivanti EPMM was hit by a zero-day exploited before disclosure (CVE-2026-1281 and 1340). We explain who's affected and what to do right now.

Karol Rapacz
30 January 2026 · 5 min read

On 29 January 2026, Ivanti disclosed two critical vulnerabilities in Endpoint Manager Mobile (EPMM): CVE-2026-1281 and CVE-2026-1340. The worst part: they were being exploited in attacks before the patches were published. It’s a textbook example of the threat we keep coming back to — flaws in edge appliances, attacked faster than the vendor can ship a fix.

Why it’s so dangerous

EPMM (formerly MobileIron Core) manages a company’s fleet of mobile devices. By its nature it’s often exposed to the internet so employees’ phones can connect from outside the network. That makes it an ideal target: it’s publicly reachable and has privileged access to devices and data.

Vulnerabilities of this class are often chained — an authentication bypass plus remote code execution — giving an attacker control of the server without knowing a password. CISA added CVE-2026-1281 to the KEV (Known Exploited Vulnerabilities) catalog almost immediately, with a very short remediation deadline for federal agencies.

What to do right now

  1. Update EPMM to a patched version — that’s priority number one, not “in the next maintenance window”.
  2. Assume compromise may have occurred if the system was exposed and unpatched. Check the vendor’s indicators of compromise (IOCs) and review logs for unusual requests and new accounts.
  3. Reduce exposure — where possible, put the management interface behind a VPN or an allowlist instead of exposing it publicly.
  4. Rotate credentials and keys the server had access to if you suspect a breach.

The broader lesson

Ivanti EPMM isn’t an isolated case — it’s part of a pattern in which edge appliances (VPNs, gateways, management servers) are the first line of attack. The takeaway is simple: an actively exploited vulnerability is urgent regardless of its CVSS score. That’s exactly what we cover in our piece on vulnerability prioritisation — presence in the KEV is the strongest signal to act immediately.
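
One way to encode that rule in a triage script, as an added example that is not from the original article: findings whose CVE appears in a KEV feed sort ahead of everything else, regardless of CVSS. The feed excerpt uses the field names of CISA's public KEV JSON (`cveID`, `dateAdded`, `dueDate`); the dates, hosts, CVSS scores and the `CVE-0000-…` ids are constructed sample values, and `prioritise` is a hypothetical helper.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed.
# The dueDate is a constructed sample value, not the published deadline.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-1281", "dateAdded": "2026-01-29", "dueDate": "2026-02-01"}
]}
""")

# Constructed scanner findings. Hosts and CVSS scores are made up for the
# illustration (they are not published scores); CVE-0000-* ids are placeholders.
FINDINGS = [
    {"host": "intranet-wiki", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "epmm-edge", "cve": "CVE-2026-1281", "cvss": 8.1},
    {"host": "build-agent", "cve": "CVE-0000-0002", "cvss": 7.5},
]


def prioritise(findings, kev_feed, today):
    """Rank findings: KEV-listed first (earliest due date first), then by CVSS."""
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    ranked = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        ranked.append({
            **finding,
            "in_kev": entry is not None,
            "kev_due": due,
            # Past the KEV deadline and still open: escalate, do not queue.
            "overdue": due is not None and today > due,
        })
    ranked.sort(key=lambda r: (not r["in_kev"],
                               r["kev_due"] or date.max,
                               -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for row in prioritise(FINDINGS, KEV_FEED, date(2026, 1, 30)):
        tag = "KEV" if row["in_kev"] else "   "
        print(tag, row["host"], row["cve"], row["cvss"],
              "OVERDUE" if row["overdue"] else "")
```

In this sample the EPMM finding ranks first even though another finding carries a higher CVSS score, and it is flagged as overdue once the run date passes the KEV due date.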

If you’re not sure whether your edge systems are up to date and properly segmented, get in touch — we’ll help set up a rapid-response process for critical flaws.


Sources and further reading: CISA KEV, Rapid7, Ivanti Security Advisories.
