CVE-2026-1281 and CVE-2026-1340 are two code injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), an enterprise mobility management platform used to manage and secure mobile device fleets across iOS, Android, and other endpoints. Both flaws reside in server-side Bash scripts invoked by Apache HTTP Server’s The two vulnerabilities carry a CVSS v3.1 base score of 9.8 (Critical). Neither requires authentication, credentials, or user interaction. An attacker with network access to an exposed EPMM instance can exploit either flaw by sending a specially crafted HTTP GET request containing a command substitution payload in the The two flaws are typically chained: CVE-2026-1281 provides the initial code execution vector via the Both vulnerabilities affect on-premises installations of Ivanti Endpoint Manager Mobile across all supported major version lines through 12.7.x. The cloud-hosted Ivanti Neurons for MDM product is not affected. Ivanti Endpoint Manager (EPM), a separate product, is also not affected. Customers running Ivanti Sentry alongside EPMM should additionally check Sentry-accessible systems for signs of reconnaissance or lateral movement.<\/p>\n\n\n\n Affected assets are typically internet-exposed EPMM appliances deployed at the network perimeter to enable remote mobile device management. Because EPMM must be reachable by managed devices, including those operating outside the corporate network, many installations are intentionally accessible from the public internet. This makes them attractive and reachable targets without any need for an attacker to first penetrate internal network defenses.<\/p>\n\n\n\n Public internet scanning data indicates roughly 1,600 exposed EPMM instances were observable on the internet at the time of disclosure. These appliances hold privileged access to managed mobile devices, including stored personally identifiable information such as names, email addresses, phone numbers, and GPS data, as well as the ability to push configuration and application changes to enrolled endpoints. <\/p>\n\n\n\n This combination of internet exposure and privileged access to device fleets places unpatched EPMM instances among the higher-risk categories of enterprise infrastructure.<\/p>\n\n\n\n Patches are available. Ivanti released version-specific RPM scripts on January 29, 2026, covering all affected major version lines through 12.7.x. Customers must apply either RPM 12.x.0.x or RPM 12.x.1.x depending on their installed version. Only one RPM is required per installation, and Ivanti has confirmed that applying the patch requires no downtime and has no known feature functionality impact.<\/p>\n\n\n\n One important caveat applies to the RPM patches: they do not survive a version upgrade. If an EPMM appliance is upgraded to a newer version after the RPM has been applied, the RPM must be reinstalled. A permanent fix integrating the remediation into the core product is included in version 12.8.0.0, which Ivanti had been targeting for Q1 2026. Defenders should confirm the availability and release status of 12.8.0.0 directly with Ivanti before treating a version upgrade as equivalent to applying the patch.<\/p>\n\n\n\n Defenders should review their EPMM appliance’s Apache HTTPD access logs using the vendor-provided regular expression query, available in Ivanti’s Analysis Guidance advisory, to triage for prior exploitation activity. <\/p>\n\n\n\n Given that active exploitation was confirmed before public disclosure, organizations with internet-exposed EPMM instances should treat any unpatched appliance as potentially compromised and conduct compromise assessment before returning it to normal operation.<\/p>\n\n\n\nRewriteMap<\/code> feature. Unsafe handling of attacker-controlled input within arithmetic expansion logic allows injected commands to be evaluated and executed by the underlying shell.<\/p>\n\n\n\nh<\/code> parameter of a known application distribution endpoint.<\/p>\n\n\n\nmap-appstore-url<\/code> script, while CVE-2026-1340 affects the adjacent map-aft-store-url<\/code> script. Together, they allow a remote, unauthenticated attacker to achieve arbitrary code execution on the EPMM appliance. Successful exploitation has been observed resulting in web shell deployment, reverse shell establishment, cryptominer installation, secondary payload retrieval, and persistent backdoor installation.<\/p>\n\n\n\nWhat assets are affected by CVE-2026-1281 and CVE-2026-1340?<\/h2>\n\n\n\n
Are fixes available?<\/h2>\n\n\n\n
Are there any other recommended actions to take?<\/h2>\n\n\n\n