Ivanti Endpoint Manager Mobile (EPMM) [CVE-2026-1281 & CVE-2026-1340]: Overview & Takeaways

Ivanti has disclosed two critical zero‑day vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE‑2026‑1281 and CVE‑2026‑1340. 

Both vulnerabilities have been exploited in active attacks and allow unauthenticated remote threat actors to compromise EPMM appliances. 

According to reports from security researchers and Ivanti’s advisory both CVE‑2026‑1281 and CVE‑2026‑1340 are code injection vulnerabilities in EPMM allowing attackers access to a wide range of information stored on the platform.  

These vulnerabilities allow attackers to bypass security controls and gain unauthorized access to sensitive data on the EPMM Appliance as well as the potential to make configuration changes to devices including authentication settings.  

What do I need to know? 

Vulnerabilities: 

• CVE-2026-1281 – Critical authentication bypass 
• CVE-2026-1340 – Critical SSRF enabling internal access 

Severity: Critical (based on active exploitation, remote unauthenticated attack vector, and potential for full compromise). 

Attack Vector: Remote, unauthenticated exploitation to exposed EPMM appliances. 

Impacted Systems: All currently supported Ivanti Endpoint Manager Mobile (EPMM) versions prior to Ivanti’s patched releases are vulnerable. Internet facing deployments are at highest risk. 

Impact: Exploitation may allow: 

• Unauthorized access to EPMM administrative functionality 
• Issuing internal network requests (via SSRF) to systems reachable by EPMM 
• Full access to sensitive data or systems accessible via EPMM 
• Creation, deletion, and/or modification of data processed by the affected services 
• Lateral movement from compromised EPMM servers into internal infrastructure 

Because the vulnerabilities involve core authentication and request_handling logic, attackers can effectively bypass trust boundaries, increasing risk to enterprise environments. 

What do I need to do? 

We recommend the following steps to identify and remediate this vulnerability: 

Review and Audit 

• Identify all Ivanti EPMM deployments, especially externally exposed instances. 
• Confirm installed versions and check against Ivanti’s advisory for patched releases. 
• Prioritize systems deployed in DMZ or public facing networks. 
• Examine deployment pipelines and images for embedded vulnerable components. 
• Review logs for indicators of compromise, including anomalous authentication requests or suspicious internal SSRF-style activity. 

Patch Immediately 

• Ivanti has released fixes for both CVEs. All customers should apply the latest security update without delay. 
• Apply Ivanti’s security patches for CVE-2026-1281 and CVE-2026-1340. 
• Validate that all nodes (production, disaster recovery, staging, and nonproduction) receive the updates. 
• Follow Ivanti’s post-patch validation and integrity checks. 

Mitigation (If Patching Is Delayed) 

• Restrict public network access to EPMM management and API interfaces (may impact normal operations). 
• Enable or enhance WAF protections to block malformed authentication or SSRF-style requests. 
• Increase monitoring for authentication bypass attempts or unexpected outbound/internal traffic from the EPMM appliance. 
• Segment or isolate EPMM hosts from sensitive internal systems until patching is complete. 

NetSPI Product and Services Coverage 

NetSPI’s External Attack Surface Management team is working to define detection logic for the EPMM vulnerability and is actively developing enhanced signatures that assess exploitability. We are available to support vulnerability identification, patch planning, and compensating control implementation in your environment. 

Additional Resources 

Ivanti Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US 

CVE Entries:  

• https://nvd.nist.gov/vuln/detail/CVE-2026-1281 
• https://nvd.nist.gov/vuln/detail/CVE-2026-1340