PT-2026-5357 · Ivanti · Ivanti Endpoint Manager Mobile

Published 2026-01-29 · Updated 2026-03-26 · CVE-2026-1281

CVSS v2.0: 10 (Critical) · AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Ivanti Endpoint Manager Mobile (EPMM) versions prior to 12.8.0.0

Description: Ivanti Endpoint Manager Mobile (EPMM) contains a code injection flaw that allows attackers to achieve unauthenticated remote code execution (RCE). The vulnerability is actively exploited in the wild and enables attackers to compromise the EPMM server and potentially the entire mobile device management (MDM) infrastructure. Exploitation attempts have been observed globally, with a significant portion originating from a single IP address. Attackers have been observed planting dormant webshells for later access and potential data theft. The root cause is improper input handling in a server-side template rendering pathway: attacker-controlled expressions are evaluated by the template engine, resulting in arbitrary code execution. The /mifs/403.jsp endpoint is associated with exploitation of this vulnerability. The vulnerability has been assigned the identifier CVE-2026-1281 and has been added to the CISA Known Exploited Vulnerabilities Catalog. Reports indicate exploitation activity dating back to July 2025. Approximately 16,000 exposed instances have been identified worldwide, with Germany among the top locations.

Recommendations: Apply Ivanti's security updates for EPMM as published in the official advisory channel and confirm that the installed version is the fixed one. Restart the EPMM app server to flush any in-memory implants. Restrict access to management ports (typically 443/8443) to VPN/jump hosts and allowlisted IPs only. If patching is not immediately possible, disable non-essential template/rendering features and endpoints until a patch can be applied. Review EPMM logs for unusual POST activity to template-related services, authentication anomalies, and unexpected child processes spawned by Java services. Monitor for new files under EPMM install paths and for suspicious outbound connections from the EPMM host. If exploitation is suspected, isolate the host, preserve disk and memory images, rotate all integration secrets (AD/LDAP/CA/SCEP/SMTP/API keys), and review recent device profile and app pushes for tampering.
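The two checks the recommendations call for, confirming the installed version is at or above the fixed build and reviewing logs for unusual POST activity to the /mifs/403.jsp endpoint, as an added example that is not part of this advisory or of Ivanti's tooling. It assumes an Apache/NGINX-style access log layout and uses constructed sample lines; real EPMM log formats may differ.

```python
import re
from collections import Counter

FIXED_VERSION = (12, 8, 0, 0)      # first fixed EPMM release named in the advisory
WATCHED_PATH = "/mifs/403.jsp"     # endpoint the advisory associates with exploitation


def parse_version(text):
    """Turn '12.7.1.0' into a tuple of ints so that 12.10 sorts above 12.8
    (a plain string comparison would get this wrong)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version):
    """True when the installed EPMM version is older than the first fixed build."""
    return parse_version(version) < FIXED_VERSION


# Assumed access-log layout: client IP, [time], "METHOD path HTTP/x", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def triage_access_log(lines):
    """Return POST requests to the watched endpoint (a GET to an error page is
    normal; a POST is not) plus a per-source count, so that a single dominant
    origin, as described in the advisory, stands out."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue          # skip lines that do not fit the assumed layout
        ip, when, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == WATCHED_PATH:
            hits.append({"ip": ip, "time": when, "status": int(status)})
    return hits, Counter(h["ip"] for h in hits)


# Constructed sample lines for illustration only; not taken from any real incident.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jan/2026:10:01:12 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Jan/2026:10:01:15 +0000] "POST /mifs/403.jsp?x=1 HTTP/1.1" 200 498',
    '198.51.100.9 - - [05/Jan/2026:10:02:40 +0000] "GET /mifs/403.jsp HTTP/1.1" 403 77',
    '10.0.0.5 - - [05/Jan/2026:10:03:01 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 512',
    '192.0.2.33 - - [05/Jan/2026:10:04:09 +0000] "POST /mifs/login.jsp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("12.7.2.0 affected:", is_affected("12.7.2.0"))
    hits, per_ip = triage_access_log(SAMPLE_LOG)
    for h in hits:
        print("suspicious POST:", h)
    print("most active source:", per_ip.most_common(1))
```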

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-01061
BDU:2026-01123
CVE-2026-1281

Affected Products

Ivanti Endpoint Manager Mobile