1. Home
  2. Vulnerabilities
  3. CVE-2026-1281
Known Exploited Vulnerability
9.8
CRITICAL CVSS 3.1
CVE-2026-1281
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability - [Actively Exploited]
Description

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

INFO

Published Date :

Jan. 29, 2026, 10:15 p.m.

Last Modified :

Jan. 30, 2026, 1:28 p.m.

Remotely Exploit :

Yes !

Source :

3c1d8aa1-5a33-4ea4-8992-aadd6440af75
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Notes :

Please adhere to Ivanti's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Ivanti products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as possible. For more information please: see: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 ; https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0S-5.noarch.rpm ; https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0L-5.noarch.rpm ; https://nvd.nist.gov/vuln/detail/CVE-2026-1281

Affected Products

The following products are affected by CVE-2026-1281 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Ivanti endpoint_manager_mobile
: Total Affected Vendor : 1 | Products : 1
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
CVSS 3.1 CRITICAL MITRE-CVE
Solution
Apply vendor patches for Ivanti Endpoint Manager Mobile to fix remote code execution.
  • Update Ivanti Endpoint Manager Mobile to the latest version.
  • Apply all vendor-released security patches.
  • Review Ivanti's security advisories for specific instructions.
Public PoC/Exploit Available at Github

CVE-2026-1281 has a 5 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-1281.

URL Resource
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 Patch Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281 US Government Resource
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-1281 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-1281 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
YunfeiGE18/CVE-2026-1281-CVE-2026-1340-Ivanti-EPMM-RCE

A simple demo application that shows how to reproduce the Ivanti EPMM pre-auth RCE vulnerability (CVE-2026-1281 / CVE-2026-1340) for educational and security research purposes.

Dockerfile Shell

Updated: 12 hours, 36 minutes ago
1 stars 0 fork 0 watcher
Born at : Feb. 19, 2026, 9:29 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
eminentv/cve

cve

Dockerfile Rust

Updated: 3 days, 14 hours ago
0 stars 0 fork 0 watcher
Born at : Feb. 16, 2026, 7:39 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
MehdiLeDeaut/CVE-2026-1281-Ivanti-EPMM-RCE

Proof of Concept for CVE-2026-1281 & CVE-2026-1340 - Ivanti EPMM Pre-Auth RCE via Bash Arithmetic Expansion

Shell Python

Updated: 1 week, 5 days ago
1 stars 0 fork 0 watcher
Born at : Feb. 7, 2026, 11:28 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
lucacapacci/PoC-in-GitHub

Mirror of https://github.com/nomi-sec/PoC-in-GitHub

Updated: 1 week, 4 days ago
0 stars 0 fork 0 watcher
Born at : Feb. 7, 2026, 10:02 a.m. This repo has been linked 789 different CVEs too.
Profile Photo
Ashwesker/Ashwesker-CVE-2026-1281

CVE-2026-1281

Python

Updated: 2 weeks, 4 days ago
2 stars 0 fork 0 watcher
Born at : Feb. 1, 2026, 9:57 a.m. This repo has been linked 2 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-1281 vulnerability anywhere in the article.

  • CybersecurityNews
Critical Ivanti EPMM Zero-Day Vulnerabilities Exploited in The Wild Targeting Corporate Networks

Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) have emerged as a major threat to enterprise networks, with active exploitation campaigns targeting corporate infrastruct ... Read more

Published Date: Feb 18, 2026 (1 day, 15 hours ago)
  • security.nl
'Kritieke Ivanti-kwetsbaarheid sinds zomer vorig jaar misbruikt bij aanvallen'

De Duitse overheid beschikt over technische informatie dat een kritieke kwetsbaarheid in Ivanti EPMM sinds de zomer van vorig jaar is misbruikt bij aanvallen. Op 29 januari dit jaar kwam Ivanti met be ... Read more

Published Date: Feb 18, 2026 (1 day, 18 hours ago)
  • The Cyber Express
Attackers Deploy Dormant Backdoors in Ivanti EPMM to Bypass Patching of Latest 0-Days

Threat actors weaponized two Ivanti zero-days so quickly that security teams discovered web shells already installed on servers—using arithmetic expansion in bash scripts to slip past authentication e ... Read more

Published Date: Feb 18, 2026 (2 days, 2 hours ago)
  • Daily CyberSecurity
“Dormant” Backdoors: Ivanti EPMM Zero-Days Exploited to Plant Long-Term Spies

Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) are currently being exploited in a widespread campaign to compromise enterprise networks across the globe. A new report f ... Read more

Published Date: Feb 18, 2026 (2 days, 10 hours ago)
  • CybersecurityNews
Single IP Dominates Exploitation Campaign Attacking Ivanti EPMM with RCE Vulnerability

Single IP Dominates Ivanti EPMM with RCE Vulnerability A critical remote code execution (RCE) flaw in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281, is being heavily exploited. GreyN ... Read more

Published Date: Feb 16, 2026 (3 days, 18 hours ago)
  • Help Net Security
Week in review: Exploited newly patched BeyondTrust RCE, United Airlines CISO on building resilience

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: United Airlines CISO on building resilience when disruption is inevitable In this Help Net Security in ... Read more

Published Date: Feb 15, 2026 (5 days, 1 hour ago)
  • security.nl
NCSC publiceert verbeterd script voor detectie van gehackte Ivanti-servers

Het Nationaal Cyber Security Centrum (NCSC) heeft in samenwerking met Ivanti een verbeterd script gepubliceerd om gehackte Ivanti Endpoint Manager Mobile (EPMM) servers te detecteren en roept Nederlan ... Read more

Published Date: Feb 13, 2026 (1 week ago)
  • The Hacker News
83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure

A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting inf ... Read more

Published Date: Feb 12, 2026 (1 week, 1 day ago)
  • CybersecurityNews
Massive Spike in Attacks Exploiting Ivanti EPMM Systems 0-day Vulnerability

Ivanti EPMM 0-day Vulnerability Exploited An unprecedented surge in exploitation attempts targeting CVE-2026-1281, a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM). On February 9, 202 ... Read more

Published Date: Feb 11, 2026 (1 week, 1 day ago)
  • Help Net Security
Ivanti EPMM exploitation: Researchers warn of “sleeper” webshells

A massive wave of exploitation attempts has followed the disclosure of CVE-2026-1281, a critical pre-authentication Ivanti EPMM vulnerability, the Shadowserver Foundation has warned. Some of it is aut ... Read more

Published Date: Feb 11, 2026 (1 week, 1 day ago)
  • Daily CyberSecurity
Sleeping with the Enemy: Dormant Backdoors Found in Ivanti EPMM

A stealthy new cyber espionage campaign is targeting Ivanti Endpoint Manager Mobile (EPMM), but unlike typical ransomware gangs that smash and grab, these attackers are planting seeds and walking away ... Read more

Published Date: Feb 11, 2026 (1 week, 2 days ago)
  • The Hacker News
Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data

The Netherlands' Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed both agencies (Rvdr) have disclosed that their systems were impacted by cyber attacks that exploited t ... Read more

Published Date: Feb 10, 2026 (1 week, 3 days ago)
  • The Cyber Express
European Commission Hit by Mobile Infrastructure Data Breach

The European Commission’s central infrastructure for managing mobile devices was hit by a cyberattack on January 30, the Commission has revealed. The announcement said the European Commission mobile c ... Read more

Published Date: Feb 09, 2026 (1 week, 3 days ago)
  • Hackread - Cybersecurity News, Data Breaches, AI and More
Cyber Attack Hits European Commission Staff Mobile Systems

Swift action by CERT-EU contained the breach within nine hours, linked to critical Ivanti software flaws (CVE-2026-1281 and CVE-2026-1340). The European Commission has confirmed that its central syste ... Read more

Published Date: Feb 09, 2026 (1 week, 3 days ago)
  • CybersecurityNews
Hackers Exploiting Ivanti EPMM Devices to Deploy Dormant Backdoors

Ivanti EPMM Devices Exploited Hackers are actively exploiting Ivanti Endpoint Manager Mobile (EPMM) appliances to plant “dormant” backdoors that can sit unused for days or weeks. Ivanti recently discl ... Read more

Published Date: Feb 09, 2026 (1 week, 3 days ago)
  • security.nl
NCSC: meerdere organisaties via kritiek Ivanti EPMM-lek gehackt

Aanvallers hebben meerdere organisaties via een kritieke kwetsbaarheid in Ivanti EPMM weten te hacken, zo laat het Nationaal Cyber Security Centrum (NCSC) vandaag weten. De Nederlandse overheidsinstan ... Read more

Published Date: Feb 09, 2026 (1 week, 3 days ago)
  • The Register
Dutch data watchdog snitches on itself after getting caught in Ivanti zero-day attacks

The Dutch Data Protection Authority (AP) says it was one of the many organizations popped when attackers raced to exploit recent Ivanti vulnerabilities as zero-days. Justice secretary Arno Rutte and s ... Read more

Published Date: Feb 09, 2026 (1 week, 3 days ago)
  • Help Net Security
European Commission hit by cyberattackers targeting mobile management platform

The European Commission’s mobile device management platform was hacked but the incident was swiftly contained and no compromise of mobile devices was detected, EU’s executive branch announced on Frida ... Read more

Published Date: Feb 09, 2026 (1 week, 3 days ago)
  • security.nl
Europese Commissie meldt mogelijk datalek na inbraak op beheersysteem

Aanvallers hebben ingebroken op een systeem dat de Europese Commissie gebruikt voor het beheer van mobiele apparaten van medewerkers, en daarbij is mogelijk ook informatie van personeel buitgemaakt, z ... Read more

Published Date: Feb 09, 2026 (1 week, 3 days ago)
  • security.nl
Autoriteit Persoonsgegevens en Raad voor de rechtspraak gehackt via Ivanti-lek

Aanvallers zijn erin geslaagd de Ivanti EPMM-server van de Autoriteit Persoonsgegevens (AP) en Raad voor de rechtspraak te hacken. In het geval van de AP hebben de aanvallers toegang gekregen tot werk ... Read more

Published Date: Feb 06, 2026 (1 week, 6 days ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-1281 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Jan. 30, 2026

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:* versions up to (including) 12.5.0.0 *cpe:2.3:a:ivanti:endpoint_manager_mobile:12.5.1.0:*:*:*:*:*:*:* *cpe:2.3:a:ivanti:endpoint_manager_mobile:12.6.0.0:*:*:*:*:*:*:* *cpe:2.3:a:ivanti:endpoint_manager_mobile:12.6.1.0:*:*:*:*:*:*:* *cpe:2.3:a:ivanti:endpoint_manager_mobile:12.7.0.0:*:*:*:*:*:*:*
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281 Types: US Government Resource
    Added Reference Type ivanti: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 Types: Patch, Vendor Advisory
  • New CVE Received by 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

    Jan. 29, 2026

    Action Type Old Value New Value
    Added Description A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-94
    Added Reference https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jan. 29, 2026

    Action Type Old Value New Value
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 9.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact