2026-01-29 — Ivanti Endpoint Manager Mobile (EPMM) unauth RCE (CVE-2026-1281)

Signal: Added to CISA KEV on 2026-01-29.

Impact (per CISA): Code injection that may allow unauthenticated remote code execution.

Vendor/Product: Ivanti Endpoint Manager Mobile (EPMM) (MobileIron lineage).

Why this matters

Unauthenticated RCE on an enterprise management plane (MDM/UEM) is a high-leverage compromise path:

  • Central admin privileges, device fleet control, identity integrations
  • Often internet-exposed for device enrollment / management

If you run EPMM, assume active exploitation is possible until you prove otherwise.

Triage (15–30 minutes)

  1. Confirm presence
     • Inventory EPMM instances (prod, staging, DR) and management endpoints.

  2. Confirm exposure
     • Identify whether admin / API / enrollment endpoints are reachable from the internet.
     • If exposed, treat as priority 0.

  3. Collect evidence before changes (if feasible)
     • Snapshot the VM / take a backup.
     • Export / preserve relevant logs (web/app/auth) and reverse proxy logs.

Mitigation (do now)

  1. Apply Ivanti’s remediation
     • Follow Ivanti’s security advisory and apply the referenced updates/mitigations.

  2. Reduce exposure (even after patching)
     • Restrict management interfaces to VPN / allowlists.
     • Put EPMM behind a reverse proxy/WAF with strict access controls.

  3. Credential hygiene
     • Rotate admin credentials and any service accounts integrated with EPMM.
     • Rotate keys/tokens used for downstream integrations (IdP, SMTP, API tokens).

Hunt / Detection ideas

Because the issue is described as code injection, focus on:

  • Unusual requests to EPMM API endpoints (especially from new IPs / odd user agents)
  • Spikes in 4xx/5xx around the time of exploitation attempts
  • Unexpected process launches / child processes on the EPMM host
  • New admin users, role changes, or unexpected configuration changes
  • Unexpected outbound connections from the EPMM host
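The first two hunt ideas above can be turned into a quick pass over reverse-proxy access logs. The following is an added example, not code from Ivanti or from this note: it parses combined-format log lines, restricts attention to requests under an API path prefix, and flags source IPs that are absent from a pre-incident baseline, present a user agent outside the expected set, or produce a burst of 4xx/5xx responses in a short window. The path prefix (`/api/`), the baseline IPs, the expected user-agent hints and the log lines themselves are all constructed placeholders; substitute the values from your own deployment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format as emitted by nginx/Apache reverse proxies.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# ASSUMPTION: path prefix under which this deployment exposes EPMM's API.
# Replace with the prefixes from your own reverse-proxy configuration.
API_PREFIXES = ("/api/",)

# Constructed baseline: source IPs seen hitting the API before the KEV date.
KNOWN_IPS = {"10.20.0.5", "203.0.113.40"}

# Constructed list of substrings that normal clients' user agents contain.
EXPECTED_UA_HINTS = ("MobileIron", "Mozilla/")

# Constructed sample log; the paths are placeholders, not real EPMM routes.
SAMPLE_LOG = """\
203.0.113.40 - - [29/Jan/2026:09:01:10 +0000] "GET /api/v1/devices HTTP/1.1" 200 812 "-" "MobileIron/13.0 Android"
10.20.0.5 - - [29/Jan/2026:09:02:03 +0000] "GET /admin HTTP/1.1" 200 4421 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.77 - - [29/Jan/2026:09:05:41 +0000] "POST /api/v1/reports HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.77 - - [29/Jan/2026:09:05:42 +0000] "POST /api/v1/reports HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.77 - - [29/Jan/2026:09:05:43 +0000] "POST /api/v1/reports HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.77 - - [29/Jan/2026:09:05:44 +0000] "POST /api/v1/reports HTTP/1.1" 403 0 "-" "python-requests/2.31"
203.0.113.40 - - [29/Jan/2026:09:06:00 +0000] "GET /api/v1/devices HTTP/1.1" 200 812 "-" "MobileIron/13.0 Android"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def hunt(log_text, known_ips=KNOWN_IPS, error_threshold=3, window_seconds=60):
    """Return {ip: [finding, ...]} for API requests that deserve a look.

    Findings: new_source_ip, unexpected_user_agent, error_burst
    (>= error_threshold 4xx/5xx responses within window_seconds).
    """
    findings = defaultdict(set)
    error_times = defaultdict(list)

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(API_PREFIXES):
            continue  # malformed line or non-API traffic
        ip = rec["ip"]
        if ip not in known_ips:
            findings[ip].add("new_source_ip")
        if not any(hint in rec["ua"] for hint in EXPECTED_UA_HINTS):
            findings[ip].add("unexpected_user_agent")
        if rec["status"] >= 400:
            error_times[ip].append(rec["ts"])

    # Sliding window over each IP's error timestamps to detect bursts.
    for ip, times in error_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= error_threshold:
                findings[ip].add("error_burst")
                break

    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in hunt(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(tags)}")
```

Run it against an exported proxy log by replacing `SAMPLE_LOG` with the file's contents; an IP that collects all three findings is a candidate for the evidence-preservation and containment steps listed in this note, not proof of exploitation on its own.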

If you suspect compromise:

  • Isolate the host (network containment) while preserving disk/memory evidence
  • Validate integrity of the application and underlying OS
  • Review changes to:
     • admin accounts
     • enrollment / SSO configuration
     • device policies
     • outbound connectors

References