
Ivanti EPMM: Another Day, Another Pre-Auth RCE (CVE-2026-1281 & CVE-2026-1340)

Author: Daniel Andrew, Head of Security

Key Points

Ivanti’s security track record has been under the microscope for the last few years, and unfortunately, the trend is continuing. Two new critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340, have been identified in Ivanti Endpoint Manager Mobile (EPMM), allowing unauthenticated attackers to achieve remote code execution (RCE).

What’s the threat?

These vulnerabilities allow an attacker to execute arbitrary code on unpatched Ivanti EPMM instances without needing any login credentials. This is particularly dangerous given that these devices sit on the edge of the network and are designed to manage mobile infrastructure.

According to a detailed technical breakdown by the researchers at WatchTowr, the root cause is almost hard to believe: Ivanti was using Bash to process information directly from remote endpoints. By sending a specially crafted request, an attacker can "break out" of the intended command and run their own code directly on the server.

A patch with a catch

While Ivanti has released a security advisory and a mitigation script, there is a significant operational hurdle for defenders.

Currently, the fix is provided as an RPM patch rather than a full version update. Crucially, this patch does not survive a version upgrade.

⚠️ Important: If you apply the patch and then subsequently update your EPMM instance to a newer version, the patch will be removed, and your server will be vulnerable again. A permanent fix is not expected until the release of version 12.8.0.0.

Why this matters now

This isn't a theoretical risk. These vulnerabilities were known to be exploited in the wild before they were even disclosed by the vendor. Now that WatchTowr’s research and proof-of-concept (PoC) code are publicly available, we expect a sharp increase in automated scanning and attack activity.

What should you do?

  • Apply the mitigation immediately: Download and run the RPM script from Ivanti’s portal.
  • Monitor upgrades: If you perform any maintenance or version upgrades on your EPMM instance, you must re-apply the RPM script immediately afterward.
  • Check for compromise: Because these were exploited as zero-days, use Ivanti’s defenders' guide to check for signs of a breach.
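Because the RPM patch is silently lost on upgrade, it is worth automating the re-check. The script below is an added example, not Ivanti's or Intruder's code: the package name is a placeholder to be replaced with the one in Ivanti's advisory, the EPMM version is supplied by the operator, and it assumes every release below 12.8.0.0 needs the RPM.

```shell
#!/bin/sh
# Added example: flag an EPMM host whose mitigation RPM was dropped by an upgrade.
# ASSUMPTION: HOTFIX_PKG is a placeholder; use the package name from Ivanti's advisory.
HOTFIX_PKG="${HOTFIX_PKG:-EPMM-HOTFIX-PACKAGE-NAME-PLACEHOLDER}"
# Release expected to carry the permanent fix (per the article).
FIXED_VERSION="12.8.0.0"

# version_lt A B: succeeds when dotted version A sorts strictly before B.
# Uses GNU `sort -V` so that 12.10.0.0 is correctly treated as newer than 12.8.0.0.
version_lt() {
    [ "$1" = "$2" ] && return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# hotfix_installed: reads package names (one per line) on stdin and succeeds
# only on an exact, whole-line match of HOTFIX_PKG.
hotfix_installed() {
    grep -Fxq -- "$HOTFIX_PKG"
}

# epmm_patch_state VERSION < package-names
# Prints FIXED_RELEASE, MITIGATED or VULNERABLE.
epmm_patch_state() {
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo "FIXED_RELEASE"      # at or above the release with the permanent fix
    elif hotfix_installed; then
        echo "MITIGATED"          # older release, RPM patch still present
    else
        echo "VULNERABLE"         # older release, RPM patch missing: re-apply it
    fi
}

# On the appliance, after every upgrade:  ./check.sh <current EPMM version>
# Exits non-zero when the host needs the RPM re-applied.
if [ -n "${1:-}" ]; then
    state="$(rpm -qa --qf '%{NAME}\n' | epmm_patch_state "$1")"
    echo "EPMM $1: $state"
    [ "$state" != "VULNERABLE" ]
fi
```

Wiring the non-zero exit into a post-upgrade runbook step or a monitoring check turns the "re-apply after upgrade" rule into something that fails loudly instead of relying on memory.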

We are actively running an Emerging Threat Scan (ETS) for Intruder Enterprise customers. When new headline vulnerabilities hit, Intruder tells you if you're exposed. Book an intro call or start a free trial today.
