PT-2026-5357 · Ivanti · Ivanti Endpoint Manager Mobile

Published: 2026-01-29 · Updated: 2026-02-02 · CVE-2026-1281

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Ivanti Endpoint Manager Mobile (EPMM) versions prior to 12.8.0.0
Ivanti Endpoint Manager Mobile (EPMM) versions prior to 12.7.0.0

Description

A code injection flaw exists in Ivanti Endpoint Manager Mobile (EPMM) that allows attackers to achieve unauthenticated remote code execution (RCE). This issue is actively exploited in zero-day attacks. Approximately 1600 instances worldwide are exposed, with a high concentration in Germany.

The root cause is improper input handling in a server-side template rendering pathway, allowing attacker-controlled expressions to be evaluated, resulting in arbitrary code execution. Attackers can discover internet-exposed EPMM management interfaces and send crafted requests to trigger code execution. Successful exploitation can lead to full remote compromise of the EPMM server, potential takeover of the MDM infrastructure, credential exposure, and the ability to pivot into internal networks. The vulnerability is related to a template rendering workflow exposed via the management interface.

Recommendations

Ivanti Endpoint Manager Mobile versions prior to 12.8.0.0: Apply the emergency RPM patch provided by Ivanti, and re-install it after any upgrades.
Ivanti Endpoint Manager Mobile versions prior to 12.7.0.0: Apply Ivanti's security updates for EPMM as published in the official advisory channel.

Restrict access to management ports (typically 443/8443) to VPN/jump hosts and allowlisted IPs only.
If feasible, disable non-essential template/rendering features/endpoints until patched.
Review EPMM logs for unusual POST activity to template-related services, authentication anomalies, and unexpected child processes spawned by Java services.
Monitor for new files under EPMM install paths and suspicious outbound connections from the EPMM host.
If exploitation is suspected, isolate the host, preserve disk/memory, rotate all integration secrets, and review recent device profile/app pushes for tampering.

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-01061
CVE-2026-1281

Affected Products

Ivanti Endpoint Manager Mobile