CVE Reports
Posted on • Originally published at cvereports.com

CVE-2026-1281: Ivanti EPMM Code Injection: Unlocking the Mobile Kingdom

Vulnerability ID: CVE-2026-1281
CVSS Score: 9.8
Published: 2026-01-29

CVE-2026-1281 is a critical unauthenticated Remote Code Execution (RCE) vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core. The flaw allows attackers to inject arbitrary code into the server without logging in, granting full system access. It is being actively exploited in the wild by ransomware groups and state-sponsored actors.

TL;DR

Unauthenticated RCE in Ivanti EPMM (MobileIron). CVSS 9.8. Attackers send a specific packet, the server executes it as code, and they own your MDM. Patch immediately.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE ID: CWE-94 (Code Injection)
  • CVSS v3.1: 9.8 (Critical)
  • Attack Vector: Network (Unauthenticated)
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Active Exploitation (CISA KEV)
  • EPSS: High (Assumed >90%)

Affected Systems

  • Ivanti Endpoint Manager Mobile (EPMM) 12.7.0.0
  • Ivanti Endpoint Manager Mobile (EPMM) 12.6.1.0
  • Ivanti Endpoint Manager Mobile (EPMM) 12.6.0.0
  • Ivanti Endpoint Manager Mobile (EPMM) 12.5.1.0
  • Ivanti Endpoint Manager Mobile (EPMM) 12.5.0.0
  • Ivanti Endpoint Manager Mobile (EPMM): <= 12.7.0.0 (Fixed in: RPM Update 1761642)

Mitigation Strategies

  • Restrict internet access to the EPMM management interface immediately.
  • Apply vendor-supplied RPM patches.
  • Isolate the appliance on a segmented management network.

Remediation Steps:

  1. Log in to the Ivanti EPMM CLI (Command Line Interface).
  2. Enter 'enable' mode.
  3. Download the security update RPM: ivanti-security-update-1761642-1.0.0S-5.noarch.rpm.
  4. Install the update using the software update command.
  5. Reboot the appliance to ensure all services reload the patched code.
  6. Verify the patch installation via the show rpm command.
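
A fleet check for steps 3 and 6, as an added example (not code from the advisory or from Ivanti): it flags appliances in the affected range whose captured show rpm output does not name the update package. It assumes that output lists installed package names as plain text, one per line; the host names and package listings are constructed.

```python
import re

# Values taken from the advisory text above.
LAST_AFFECTED = (12, 7, 0, 0)  # affected: <= 12.7.0.0
FIX_RPM = re.compile(r"\bivanti-security-update-1761642-")

def parse_version(text):
    """Return (a, b, c, d) for an 'a.b.c.d' version string, else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def fix_installed(show_rpm_output):
    """True if the captured 'show rpm' text names the fix package."""
    return any(FIX_RPM.search(line) for line in show_rpm_output.splitlines())

def triage(version_text, show_rpm_output):
    """Classify one appliance from its version and captured package list."""
    version = parse_version(version_text)
    if version is None:
        return "UNKNOWN"          # unparseable version: check by hand
    if version > LAST_AFFECTED:   # numeric compare, so 12.10 > 12.7
        return "NOT_LISTED"       # outside the range the advisory names
    return "PATCHED" if fix_installed(show_rpm_output) else "VULNERABLE"

def triage_fleet(inventory):
    """Map host -> status for (host, version, show_rpm_output) records."""
    return {host: triage(ver, rpms) for host, ver, rpms in inventory}

# Constructed sample inventory (hypothetical hosts and package listings).
SAMPLE = [
    ("epmm-a.example", "12.7.0.0",
     "ivanti-security-update-1761642-1.0.0S-5.noarch\n"),
    ("epmm-b.example", "12.6.1.0", "some-other-package-1.0-1.noarch\n"),
    ("epmm-c.example", "12.5", ""),
]

if __name__ == "__main__":
    for host, status in triage_fleet(SAMPLE).items():
        print(f"{host}: {status}")
```
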
