On January 29, 2026, Ivanti released fixes for two critical zero-day code injection vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, impact the In-House Application Distribution and Android File Transfer Configuration features and allow unauthenticated remote threat actors to achieve remote code execution. Ivanti has stated that they have observed exploitation of these vulnerabilities in customer environments but have not disclosed further details.
At the time of writing, Arctic Wolf has not identified a publicly available proof-of-concept (PoC) exploit. However, these vulnerabilities are likely to be further targeted by threat actors, as successful exploitation can enable deployment of web shells or reverse shells to establish persistence on compromised appliances. Historically, similar EPMM vulnerabilities have been exploited in this manner, and Ivanti products have been frequent targets in recent years, as reflected in CISA’s Known Exploited Vulnerabilities catalog.
Recommendation for CVE-2026-1281 and CVE-2026-1340
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| Ivanti Endpoint Manager Mobile (EPMM) |
|
RPM 12.x.0.x |
|
RPM 12.x.1.x |
Ivanti has stated that these vulnerabilities do not impact any other Ivanti products, including any cloud products, such as Ivanti Neurons for MDM. Ivanti Endpoint Manager (EPM) is a different product and not impacted by these vulnerabilities. Customers using an Ivanti cloud product with Sentry are also not impacted.
Note: If you upgrade your appliance after applying the RPM script, you will need to reinstall the RPM. A permanent fix for this vulnerability will be included in the next product release (12.8.0.0).
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
