Ivanti warns of two EPMM flaws exploited in zero-day attacks

BleepingComputer technology

Key Points:

  • Ivanti disclosed two critical zero-day code-injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) that allow remote, unauthenticated attackers to execute arbitrary code; both are rated CVSS 9.8.
  • The vulnerabilities have been actively exploited in a limited number of cases. Ivanti has released RPM scripts that provide immediate mitigation without downtime, but these hotfixes must be reapplied after version upgrades until the permanent fix ships in EPMM 12.8.0.0, which is due for release in Q1 2026.
  • Exploitation grants attackers access to sensitive information including user credentials, device details, location data,
