Critical code injection vulnerability in Ivanti Endpoint Manager Mobile allowing unauthenticated remote code execution via network exploitation. This vulnerability is actively being exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities catalog.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-01-29
Added to CISA KEV: 2026-04-08 69 DAYS BETWEEN CVE AND KEV
CVE-2026-1281 and CVE-2026-1340 are actively exploited RCE flaws in Ivanti EPMM. Verify exposure and confirm remediation with NodeZero Rapid Response.Technical Details. The vulnerabilities stem from improper handling and validation of HTTP requests within Ivanti Endpoint Manager Mobile. Specially crafted requests can trigger remote code execution without authentication. Attack characteristics
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-1340
CVE-2026-1281 and CVE-2026-1340 are critical vulnerabilities that enable unauthenticated remote code execution over the network. Any exposed ...
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
We discuss widespread exploitation of Ivanti EPMM zero-day vulns CVE-2026-1281 and CVE-2026-1340. Attackers are deploying web shells and backdoors.