CVE-2026-1281: a critical Ivanti EPMM zero-day
Ivanti EPMM was hit by a zero-day exploited before disclosure (CVE-2026-1281 and CVE-2026-1340). We explain who's affected and what to do right now.
On 29 January 2026, Ivanti disclosed two critical vulnerabilities in Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340. The worst part: they were being exploited in attacks before the patches were published. It’s a textbook example of the threat we keep coming back to — flaws in edge appliances, attacked faster than the vendor can ship a fix.
Why it’s so dangerous
EPMM (formerly MobileIron Core) manages a company’s fleet of mobile devices. By its nature it’s often exposed to the internet so employees’ phones can connect from outside the network. That makes it an ideal target: it’s publicly reachable and has privileged access to devices and data.
Vulnerabilities of this class are often chained — an authentication bypass plus remote code execution — giving an attacker control of the server without knowing a password. CISA added CVE-2026-1281 to the KEV (Known Exploited Vulnerabilities) catalog almost immediately, with a very short remediation deadline for federal agencies.
What to do right now
- Update EPMM to a patched version — that’s priority number one, not “in the next maintenance window”.
- Assume compromise may have occurred if the system was exposed and unpatched. Check the vendor’s indicators of compromise (IOCs) and review logs for unusual requests and new accounts.
- Reduce exposure — where possible, put the management interface behind a VPN or an allowlist instead of exposing it publicly.
- Rotate credentials and keys the server had access to if you suspect a breach.
The broader lesson
Ivanti EPMM isn’t an isolated case — it’s part of a pattern in which edge appliances (VPNs, gateways, management servers) are the first line of attack. The takeaway is simple: an actively exploited vulnerability is urgent regardless of its CVSS score. That’s exactly what we cover in our piece on vulnerability prioritisation — presence in the KEV is the strongest signal to act immediately.
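The prioritisation rule above (KEV presence outranks CVSS), as an added example that is not code from this article, CISA or Ivanti. It assumes the KEV JSON feed's `cveID` and `dueDate` fields; the feed excerpt, its dates, the findings, asset names and `CVE-0000-*` IDs are constructed, and ranking internet-facing assets ahead of internal ones is this example's own assumption.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed. The field names
# are the feed's; the dates are made up for this demo, not CISA's values.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-1281", "dateAdded": "2026-01-29", "dueDate": "2026-02-01"},
  {"cveID": "CVE-0000-0002", "dateAdded": "2026-01-20", "dueDate": "2026-02-10"}
]}
""")

# Constructed scanner findings. CVE-0000-* are placeholder IDs. cvss is None
# where no score is available (the article gives none for CVE-2026-1281).
FINDINGS = [
    {"asset": "wiki-01", "cve": "CVE-0000-0001", "cvss": 9.8, "internet_facing": False},
    {"asset": "epmm-01", "cve": "CVE-2026-1281", "cvss": None, "internet_facing": True},
    {"asset": "vpn-01", "cve": "CVE-0000-0002", "cvss": 6.5, "internet_facing": True},
    {"asset": "mail-01", "cve": "CVE-0000-0003", "cvss": 7.5, "internet_facing": True},
]

def kev_due_dates(feed):
    """Map cveID -> remediation due date from a KEV-shaped feed."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in feed["vulnerabilities"]}

def triage(findings, feed, today):
    """Order findings: KEV first (earliest deadline first), then
    internet-facing assets, then CVSS descending (unscored = worst case)."""
    due = kev_due_dates(feed)
    rows = []
    for f in findings:
        d = due.get(f["cve"])
        rows.append({**f, "kev": d is not None,
                     "days_left": (d - today).days if d else None})

    def key(r):
        score = 10.0 if r["cvss"] is None else r["cvss"]
        return (not r["kev"], r["days_left"] if r["kev"] else 0,
                not r["internet_facing"], -score)
    return sorted(rows, key=key)

if __name__ == "__main__":
    for r in triage(FINDINGS, KEV_FEED, date(2026, 2, 3)):
        status = f"KEV, {r['days_left']} days to deadline" if r["kev"] else "not in KEV"
        print(f"{r['asset']:8} {r['cve']:14} cvss={r['cvss']} {status}")
```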
If you’re not sure whether your edge systems are up to date and properly segmented, get in touch — we’ll help set up a rapid-response process for critical flaws.
Sources and further reading: CISA KEV, Rapid7, Ivanti Security Advisories.