1. Home
  2. Vulnerabilities
  3. CVE-2026-1281
Known Exploited Vulnerability
9.8
CRITICAL CVSS 3.1
CVE-2026-1281
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability - [Actively Exploited]
Description

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

INFO

Published Date :

Jan. 29, 2026, 10:15 p.m.

Last Modified :

Jan. 30, 2026, 1:28 p.m.

Remotely Exploit :

Yes !

Source :

3c1d8aa1-5a33-4ea4-8992-aadd6440af75
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Known Ransomware Campaign Use:

Unknown

Notes :

Please adhere to Ivanti's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Ivanti products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as possible. For more information please: see: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 ; https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0S-5.noarch.rpm ; https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0L-5.noarch.rpm ; https://nvd.nist.gov/vuln/detail/CVE-2026-1281

Affected Products

The following products are affected by CVE-2026-1281 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Ivanti endpoint_manager_mobile
: Total Affected Vendor : 1 | Products : 1
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
CVSS 3.1 CRITICAL MITRE-CVE
Solution
Apply vendor patches for Ivanti Endpoint Manager Mobile to fix remote code execution.
  • Update Ivanti Endpoint Manager Mobile to the latest version.
  • Apply all vendor-released security patches.
  • Review Ivanti's security advisories for specific instructions.
Public PoC/Exploit Available at Github

CVE-2026-1281 has a 9 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-1281.

URL Resource
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 PatchVendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281 US Government Resource
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-1281 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-1281 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
kali1129/ai-pentest-proxy

AI Pentest Proxy es una herramienta profesional de seguridad ofensiva que combina la potencia de múltiples modelos de inteligencia artificial con técnicas avanzadas de pentesting para identificar, confirmar y explotar vulnerabilidades web de forma autónoma.

pentesting pentesting-tools ia-to

Python Shell JavaScript HTML CSS

Updated: 1 day, 13 hours ago
1 stars 0 fork 0 watcher
Born at : March 6, 2026, 2:22 p.m. This repo has been linked 9 different CVEs too.
Profile Photo
kapetanios55/SentinelCBContent

None

Shell Python

Updated: 2 weeks ago
0 stars 0 fork 0 watcher
Born at : Feb. 20, 2026, 10:40 p.m. This repo has been linked 23 different CVEs too.
Profile Photo
YunfeiGE18/CVE-2026-1281-CVE-2026-1340-Ivanti-EPMM-RCE

A simple demo application that shows how to reproduce the Ivanti EPMM pre-auth RCE vulnerability (CVE-2026-1281 / CVE-2026-1340) for educational and security research purposes.

Dockerfile Shell

Updated: 2 weeks, 6 days ago
1 stars 0 fork 0 watcher
Born at : Feb. 19, 2026, 9:29 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
eminentv/cve

cve

Dockerfile Rust

Updated: 3 weeks, 2 days ago
0 stars 0 fork 0 watcher
Born at : Feb. 16, 2026, 7:39 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
MehdiLeDeaut/CVE-2026-1281-Ivanti-EPMM-RCE

Proof of Concept for CVE-2026-1281 & CVE-2026-1340 - Ivanti EPMM Pre-Auth RCE via Bash Arithmetic Expansion

Shell Python

Updated: 1 month ago
1 stars 0 fork 0 watcher
Born at : Feb. 7, 2026, 11:28 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
lucacapacci/PoC-in-GitHub

Mirror of https://github.com/nomi-sec/PoC-in-GitHub

Updated: 1 month ago
0 stars 0 fork 0 watcher
Born at : Feb. 7, 2026, 10:02 a.m. This repo has been linked 789 different CVEs too.
Profile Photo
Ashwesker/Ashwesker-CVE-2026-1281

CVE-2026-1281

Python

Updated: 1 month, 1 week ago
2 stars 0 fork 0 watcher
Born at : Feb. 1, 2026, 9:57 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
barkandbite/iranian-apt-detection

None

Shell

Updated: 2 days, 18 hours ago
0 stars 0 fork 0 watcher
Born at : June 25, 2025, 1:50 p.m. This repo has been linked 6 different CVEs too.
Profile Photo
nomi-sec/PoC-in-GitHub

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 17 hours, 35 minutes ago
7566 stars 1243 fork 1243 watcher
Born at : Dec. 8, 2019, 1:03 p.m. This repo has been linked 764 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-1281 vulnerability anywhere in the article.

  • Daily CyberSecurity
Cyber Escalation in the Middle East: Disruption, Deception, and the Quest for Data

A new report from Rapid7 Labs highlights a significant spike in retaliatory cyber activity targeting both regional and Western infrastructure, characterized by a mix of state-directed espionage and a ... Read more

Published Date: Mar 12, 2026 (11 hours, 5 minutes ago)
  • TheCyberThrone
CISA KEV Catalog Update – March 9 2026

March 10, 2026CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog today, based on evidence of active exploitationCVE-2026-1603 — Ivanti Endpoint Manager (EPM) ... Read more

Published Date: Mar 10, 2026 (2 days, 11 hours ago)
  • europa.eu
Cyber Brief 26-03 - February 2026

Cyber Brief (February 2026)March 2, 2026 – Version: 1TLP:CLEARExecutive summaryWe analysed 303 open source reports for this Cyber Security Brief1.Relating to cyber policy and law enforcement, the Euro ... Read more

Published Date: Mar 02, 2026 (1 week, 2 days ago)
  • The Register
Attacker gets into France's database listing all bank accounts, makes off with 1.2 million records

Infosec In Brief An unknown attacker accessed the French government’s database listing every bank account in the country and made off with 1.2 million records. France’s Ministry of Economics, Finance ... Read more

Published Date: Feb 22, 2026 (2 weeks, 3 days ago)
  • CybersecurityNews
Critical Ivanti EPMM Zero-Day Vulnerabilities Exploited in The Wild Targeting Corporate Networks

Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) have emerged as a major threat to enterprise networks, with active exploitation campaigns targeting corporate infrastruct ... Read more

Published Date: Feb 18, 2026 (3 weeks ago)
  • security.nl
'Kritieke Ivanti-kwetsbaarheid sinds zomer vorig jaar misbruikt bij aanvallen'

De Duitse overheid beschikt over technische informatie dat een kritieke kwetsbaarheid in Ivanti EPMM sinds de zomer van vorig jaar is misbruikt bij aanvallen. Op 29 januari dit jaar kwam Ivanti met be ... Read more

Published Date: Feb 18, 2026 (3 weeks ago)
  • The Cyber Express
Attackers Deploy Dormant Backdoors in Ivanti EPMM to Bypass Patching of Latest 0-Days

Threat actors weaponized two Ivanti zero-days so quickly that security teams discovered web shells already installed on servers—using arithmetic expansion in bash scripts to slip past authentication e ... Read more

Published Date: Feb 18, 2026 (3 weeks, 1 day ago)
  • Daily CyberSecurity
“Dormant” Backdoors: Ivanti EPMM Zero-Days Exploited to Plant Long-Term Spies

Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) are currently being exploited in a widespread campaign to compromise enterprise networks across the globe. A new report f ... Read more

Published Date: Feb 18, 2026 (3 weeks, 1 day ago)
  • CybersecurityNews
Single IP Dominates Exploitation Campaign Attacking Ivanti EPMM with RCE Vulnerability

Single IP Dominates Ivanti EPMM with RCE Vulnerability A critical remote code execution (RCE) flaw in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281, is being heavily exploited. GreyN ... Read more

Published Date: Feb 16, 2026 (3 weeks, 2 days ago)
  • Help Net Security
Week in review: Exploited newly patched BeyondTrust RCE, United Airlines CISO on building resilience

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: United Airlines CISO on building resilience when disruption is inevitable In this Help Net Security in ... Read more

Published Date: Feb 15, 2026 (3 weeks, 4 days ago)
  • security.nl
NCSC publiceert verbeterd script voor detectie van gehackte Ivanti-servers

Het Nationaal Cyber Security Centrum (NCSC) heeft in samenwerking met Ivanti een verbeterd script gepubliceerd om gehackte Ivanti Endpoint Manager Mobile (EPMM) servers te detecteren en roept Nederlan ... Read more

Published Date: Feb 13, 2026 (3 weeks, 6 days ago)
  • The Hacker News
83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure

A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting inf ... Read more

Published Date: Feb 12, 2026 (1 month ago)
  • CybersecurityNews
Massive Spike in Attacks Exploiting Ivanti EPMM Systems 0-day Vulnerability

Ivanti EPMM 0-day Vulnerability Exploited An unprecedented surge in exploitation attempts targeting CVE-2026-1281, a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM). On February 9, 202 ... Read more

Published Date: Feb 11, 2026 (1 month ago)
  • Help Net Security
Ivanti EPMM exploitation: Researchers warn of “sleeper” webshells

A massive wave of exploitation attempts has followed the disclosure of CVE-2026-1281, a critical pre-authentication Ivanti EPMM vulnerability, the Shadowserver Foundation has warned. Some of it is aut ... Read more

Published Date: Feb 11, 2026 (1 month ago)
  • Daily CyberSecurity
Sleeping with the Enemy: Dormant Backdoors Found in Ivanti EPMM

A stealthy new cyber espionage campaign is targeting Ivanti Endpoint Manager Mobile (EPMM), but unlike typical ransomware gangs that smash and grab, these attackers are planting seeds and walking away ... Read more

Published Date: Feb 11, 2026 (1 month ago)
  • The Hacker News
Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data

The Netherlands' Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed both agencies (Rvdr) have disclosed that their systems were impacted by cyber attacks that exploited t ... Read more

Published Date: Feb 10, 2026 (1 month ago)
  • The Cyber Express
European Commission Hit by Mobile Infrastructure Data Breach

The European Commission’s central infrastructure for managing mobile devices was hit by a cyberattack on January 30, the Commission has revealed. The announcement said the European Commission mobile c ... Read more

Published Date: Feb 09, 2026 (1 month ago)
  • Hackread - Cybersecurity News, Data Breaches, AI and More
Cyber Attack Hits European Commission Staff Mobile Systems

Swift action by CERT-EU contained the breach within nine hours, linked to critical Ivanti software flaws (CVE-2026-1281 and CVE-2026-1340). The European Commission has confirmed that its central syste ... Read more

Published Date: Feb 09, 2026 (1 month ago)
  • CybersecurityNews
Hackers Exploiting Ivanti EPMM Devices to Deploy Dormant Backdoors

Ivanti EPMM Devices Exploited Hackers are actively exploiting Ivanti Endpoint Manager Mobile (EPMM) appliances to plant “dormant” backdoors that can sit unused for days or weeks. Ivanti recently discl ... Read more

Published Date: Feb 09, 2026 (1 month ago)
  • security.nl
NCSC: meerdere organisaties via kritiek Ivanti EPMM-lek gehackt

Aanvallers hebben meerdere organisaties via een kritieke kwetsbaarheid in Ivanti EPMM weten te hacken, zo laat het Nationaal Cyber Security Centrum (NCSC) vandaag weten. De Nederlandse overheidsinstan ... Read more

Published Date: Feb 09, 2026 (1 month ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-1281 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Jan. 30, 2026

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:* versions up to (including) 12.5.0.0 *cpe:2.3:a:ivanti:endpoint_manager_mobile:12.5.1.0:*:*:*:*:*:*:* *cpe:2.3:a:ivanti:endpoint_manager_mobile:12.6.0.0:*:*:*:*:*:*:* *cpe:2.3:a:ivanti:endpoint_manager_mobile:12.6.1.0:*:*:*:*:*:*:* *cpe:2.3:a:ivanti:endpoint_manager_mobile:12.7.0.0:*:*:*:*:*:*:*
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281 Types: US Government Resource
    Added Reference Type ivanti: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 Types: Patch, Vendor Advisory
  • New CVE Received by 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

    Jan. 29, 2026

    Action Type Old Value New Value
    Added Description A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-94
    Added Reference https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jan. 29, 2026

    Action Type Old Value New Value
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 9.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact