Critical unauthenticated RCE in Ivanti EPMM (CVSS 9.8) is actively exploited. Patch versions 12.5.0.0 through 12.7.0.0 immediately.

| Product | Version Start | Version End (excl.) | Status |
|---|---|---|---|
| endpoint_manager_mobile | * | 12.5.0.0 | vulnerable |
| endpoint_manager_mobile | 12.5.1.0 | 12.5.1.0 | vulnerable |
| endpoint_manager_mobile | 12.6.0.0 | 12.6.0.0 | vulnerable |
| endpoint_manager_mobile | 12.6.1.0 | 12.6.1.0 | vulnerable |
| endpoint_manager_mobile | 12.7.0.0 | 12.7.0.0 | vulnerable |

Immediately download and install the security update RPM packages (e.g., v1761642-1.0.0S or 1.0.0L) provided by Ivanti specifically for the EPMM platform to resolve the code injection vulnerability.

Ensure all instances of Ivanti Endpoint Manager Mobile running versions up to and including 12.5.0.0, 12.5.1.0, 12.6.0.0, 12.6.1.0, and 12.7.0.0 are updated to the latest secure release.

Minimize the attack surface by restricting network access to the EPMM management interface. Use VPNs, IP allowlisting, or firewalls to ensure the service is not unnecessarily exposed to the public internet.

Conduct a thorough review of system logs for signs of compromise, specifically looking for unauthorized shell commands or suspicious web requests that deviate from normal administrative traffic patterns.

To detect potential exploitation of CVE-2026-1281, security teams should analyze web server access logs for anomalous POST requests containing code snippets or unexpected command syntax. Monitor for suspicious child processes spawned by the EPMM service, such as /bin/sh or /bin/bash. Additionally, verify the presence of the vendor-supplied security update RPMs on the filesystem and use network intrusion detection systems (NIDS) to flag traffic patterns indicative of remote code injection.
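
The access-log review described above, as an added example that is not from Ivanti or the original advisory. It assumes a combined-format access log; the regex heuristics, sample lines and `/example/...` paths are constructed placeholders, not published indicators for CVE-2026-1281.

```python
import re
from urllib.parse import unquote

# Assumed "combined" access-log layout; adjust to the appliance's real format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Generic command-syntax heuristics (assumptions, not vendor-published indicators).
SUSPICIOUS = [
    ("shell path", re.compile(r"/bin/(?:ba)?sh\b")),
    ("command substitution", re.compile(r"\$\(|`|\$\{")),
    ("command chaining", re.compile(r"(?:;|\|\||&&|\|)\s*[a-z/]")),
]

def decode(target, rounds=3):
    """URL-decode repeatedly so double-encoded syntax is still visible."""
    for _ in range(rounds):
        nxt = unquote(target)
        if nxt == target:
            break
        target = nxt
    return target

def scan(lines):
    """Return (source_ip, timestamp, decoded_target, reasons) for suspicious POSTs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        target = decode(m["target"])
        reasons = [name for name, rx in SUSPICIOUS if rx.search(target)]
        if reasons:
            hits.append((m["ip"], m["ts"], target, reasons))
    return hits

# Constructed sample lines (documentation IPs, placeholder paths), not real EPMM traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "POST /example/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "POST /example/endpoint?x=%24%28id%29 HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2026:10:00:06 +0000] "POST /example/endpoint?x=a%253B%2Fbin%2Fsh HTTP/1.1" 404 0 "-" "curl/8.0"',
    '192.0.2.4 - - [01/Jan/2026:10:00:09 +0000] "GET /example/endpoint?x=%24%28id%29 HTTP/1.1" 404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, ts, target, reasons in scan(SAMPLE):
        print(f"{ts} {ip} {target} <- {', '.join(reasons)}")
```

Access logs normally record only the request line, so this sees command syntax in the URL and query string; request bodies need a WAF, reverse proxy or NIDS capture. Treat hits as leads to correlate with process and RPM checks, not as confirmation of compromise.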