Ivanti has released security updates that fix two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added one of these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
The critical-severity vulnerabilities are:
- CVE-2026-1281 (CVSS score: 9.8): a code injection that enables unauthenticated remote code execution
- CVE-2026-1340 (CVSS score: 9.8): a code injection allowing attackers to achieve unauthenticated remote code execution

The following versions are impacted:
- EPMM 12.5.0.0 and earlier, 12.6.0.0 and earlier, and 12.7.0.0 and earlier (fixed in RPM 12.x.0.x)
- EPMM 12.5.1.0 and earlier and 12.6.1.0 and earlier (fixed in RPM 12.x.1.x)

The RPM patch does not survive a version upgrade, so it must be reapplied if the appliance is upgraded to a new version. EPMM version 12.8.0.0, which will be released later in Q1 2026, will permanently fix the vulnerabilities.
In an advisory, Ivanti stated, "We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," adding that it lacks sufficient knowledge of the threat actor tactics to offer validated, trustworthy atomic indicators. The company noted that CVE-2026-1281 and CVE-2026-1340 affect the In-House Application Distribution and the Android File Transfer Configuration features. Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), and Ivanti Sentry are not impacted by these flaws. Ivanti stated in a technical analysis that it has generally observed two types of persistence based on earlier attacks aimed at older EPMM vulnerabilities. In those attacks, web shells and reverse shells were deployed to establish persistence on the compromised appliances.
"Successful exploitation of the EPMM appliance will enable arbitrary code execution on the appliance," Ivanti said. "Aside from lateral movement to the connected environment, EPMM also contains sensitive information about devices managed by the appliance." The following regular expression (regex) pattern can be used to search for indications of attempted or successful exploitation: "Legitimate use of these capabilities will result in 200 HTTP response codes in the Apache Access Log, whereas successful or attempted exploitation will cause 404 HTTP response codes."
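The status-code triage described above can be sketched as follows. This is an added example, not Ivanti's pattern or code from the advisory: the path prefixes are placeholders (the page names the affected features but not their URL paths), and the log lines are constructed. Because a 404 marks attempted as well as successful exploitation, each hit is a lead for review, not proof of compromise.

```python
import re
from collections import defaultdict

# ASSUMPTION: placeholder prefixes. The page names the affected features but
# not their URL paths; replace these with the pattern from Ivanti's advisory.
FEATURE_PREFIXES = (
    "/PLACEHOLDER/in-house-app-distribution/",
    "/PLACEHOLDER/android-file-transfer/",
)

# Apache common/combined format. The request field may contain escaped
# quotes (\"), so it is matched as "non-quote char, or backslash + any char".
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
)

def triage(lines, prefixes=FEATURE_PREFIXES):
    """Group feature-endpoint requests per source: 404 = review, 200 = normal."""
    report = defaultdict(lambda: {"review": [], "normal": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        parts = m["req"].split(" ")
        if len(parts) < 2 or not parts[1].startswith(prefixes):
            continue  # malformed request or unrelated endpoint
        if m["status"] == "404":
            report[m["src"]]["review"].append((m["ts"], parts[1]))
        elif m["status"] == "200":
            report[m["src"]]["normal"] += 1
    return dict(report)

# Constructed sample lines (documentation address ranges, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [29/Jan/2026:10:01:02 +0000] "GET /PLACEHOLDER/in-house-app-distribution/app1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Jan/2026:10:03:44 +0000] "GET /PLACEHOLDER/android-file-transfer/x HTTP/1.1" 404 196',
    '198.51.100.7 - - [29/Jan/2026:10:03:45 +0000] "GET /PLACEHOLDER/in-house-app-distribution/a\\"b HTTP/1.1" 404 196',
    '198.51.100.7 - - [29/Jan/2026:10:04:00 +0000] "GET /index.html HTTP/1.1" 404 196',
    '203.0.113.5 - - [29/Jan/2026:10:05:00 +0000] "-" 408 -',
]

if __name__ == "__main__":
    for src, hits in triage(SAMPLE).items():
        print(src, "normal:", hits["normal"], "review:", hits["review"])
```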
Customers are also asked to check the following for any indication of unauthorized configuration changes:
- EPMM administrators, for newly or recently appointed administrators
- Authentication configuration, including LDAP and SSO settings
- New mobile push apps
- Modifications to the configuration of apps you push to devices, including internal apps
- New or recently changed regulations
- Changes to the network configuration, including any VPN or network configurations you push to mobile devices

If indications of compromise are found, Ivanti is also advising users to either restore the EPMM device from a known good backup or build a replacement EPMM and then migrate data to it.
After completing the steps, it's crucial to make the following adjustments to secure the environment:
- Reset any local EPMM account passwords.
- Change the password for the LDAP and/or KDC service accounts that perform lookups.
- Revoke and replace the public certificate used for your EPMM.
- Reset the passwords of any additional internal or external service accounts set up with the EPMM solution.

Due to the development, CISA added CVE-2026-1281 to the KEV catalog. Federal Civilian Executive Branch (FCEB) agencies must implement the updates by February 1, 2026.