CVE-2026-1281

Published Jan 29, 2026

Last updated 2 days ago

Exploit known CVSS critical 9.8

Ivanti Endpoint Manager Mobile

Overview

Description: A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
NVD status: Analyzed
Products: endpoint_manager_mobile

Insights

Analysis from the Intruder Security Team

Published Jan 30, 2026 Updated Jan 30, 2026

This and the similar vulnerability CVE-2026-1340 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.

A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.

Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future which will permanently fix the vulnerability.

This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
Exploit added on: Jan 29, 2026
Exploit action due: Feb 1, 2026
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

3c1d8aa1-5a33-4ea4-8992-aadd6440af75: CWE-94

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1E4CDBD6-451C-4F5F-B40A-05AEF284FB9C",
            "versionEndIncluding": "12.5.0.0"
          },
          {
            "criteria": "cpe:2.3:a:ivanti:endpoint_manager_mobile:12.5.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "66F18E48-8F45-480C-AD0D-D6A615FD6157"
          },
          {
            "criteria": "cpe:2.3:a:ivanti:endpoint_manager_mobile:12.6.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "13B3B9E5-6206-41C3-BC9E-A5AAEBA88A96"
          },
          {
            "criteria": "cpe:2.3:a:ivanti:endpoint_manager_mobile:12.6.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1E44BEF4-A032-4D05-83AA-AFD52C56EA8E"
          },
          {
            "criteria": "cpe:2.3:a:ivanti:endpoint_manager_mobile:12.7.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "79879C08-959D-49BD-947C-914F82B564E4"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.