Twitter
LinkedIn
Facebook
Reddit
Email
Share
by Research Special Operations on January 30, 2026
Two Critical vulnerabilities in Ivanti’s popular mobile device management solution have been exploited in the wild in limited attacks
Background
On January 29, Ivanti released a security advisory to address two critical severity remote code execution (RCE) vulnerabilities in its Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, a mobile management software used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM).
CVE Description CVSSv3
CVE-2026-1281 Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability 9.8
CVE-2026-1340 Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability 9.8
Analysis
CVE-2026-1281 and CVE-2026-1340 are both code injection vulnerabilities in Ivanti’s EPMM. An unauthenticated attacker could exploit these vulnerabilities to gain remote code execution.
Limited exploitation observed
According to Ivanti, both CVE-2026-1281 and CVE-2026-1340 were exploited as zero-days affecting “a very limited number of customers.” Because its investigation is ongoing, Ivanti has not yet provided any indicators of compromise in relation to these attacks.
Historical exploitation of Ivanti Endpoint Mobile Manager
Ivanti products in general are a popular target for a variety of attackers. EPMM in particular has been targeted in the past, and the Tenable Research Special Operations (RSO) team has authored several blogs about these vulnerabilities. The following table outlines some of the notable EPMM vulnerabilities over the last six years:
CVE Description Published Tenable Blogs
CVE-2025-4428 Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability May 2025 CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution
CVE-2025-4427 Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability May 2025 CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution
CVE-2023-35082 Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability August 2025 N/A
CVE-2023-35081 Ivanti Endpoint Manager Mobile Remote Arbitrary File Write Vulnerability July 2025 CVE-2023-35078: Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access Vulnerability
CVE-2023-35078 Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability July 2025 CVE-2023-35078: Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access Vulnerability
CVE-2020-15505 MobileIron Core & Connector Remote Code Execution Vulnerability October 2020 CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities
Proof of concept
At the time this blog was published on January 30, a public proof-of-concept (PoC) exploit was publicly available. We expect attackers will begin to leverage this PoC to conduct mass scanning and exploitation attempts against vulnerable devices.
Solution
Ivanti has released temporary updates that can be applied to address these vulnerabilities. According to the advisory, the RPMs supplied should be applied based on the installed version of EPMM. The RPMs will not survive a version upgrade, so if the version is updated, the RPM would need to be applied once again. However, the advisory further notes that an upcoming release, version 12.8.0.0, is expected to be released in Q1 2026., T and this version will include the permanent fix for these CVEs. Once version 12.8.0.0 is released and applied, the RPM scripts will no longer need to be applied.
Affected Version RPM Patch Version
12.5.0.0 and prior RPM 12.x.0.x
12.5.1.0 and prior RPM 12.x.1.x
12.6.0.0 and prior RPM 12.x.0.x
12.6.1.0 and prior RPM 12.x.1.x
12.7.0.0 and prior RPM 12.x.0.x
For more information on the patches, we strongly recommend reviewing the guidance in the security advisory from Ivanti.
Identifying affected systems
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-1281 and CVE-2026-1340 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Ivanti devices by using the following subscription:
Get more information
Join on Tenable Connect and engage with us in the for further discussions on the latest cyber threats.
Learn more about , the Exposure Management Platform for the modern attack surface.
Twitter
LinkedIn
Facebook
Reddit
Email
Share
January 30, 2026