"Tracked as CVE-2026-1281 and CVE-2026-1340, both bugs affect Ivanti Endpoint Manager Mobile (EPMM). They're also both rated a near-maximum CVSS score of 9.8 and allow for unauthenticated remote code execution (RCE) - about as bad as it gets. The security shop said in its advisory: "We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure."
"These kinds of RCE bugs can lead to all sorts of nastiness. Lateral movement across a given organization's network, config changes, and attackers making themselves admin are all possible. The vendor warned that it could grant access to certain data too. Ivanti said that the types of information available could include basic personal information about the EPMM admin and device user, as well as information about mobile devices such as phone numbers and GPS locations."
Ivanti released patches for two critical zero-day vulnerabilities in Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340. Both flaws carry a near-maximum CVSS score of 9.8 and permit unauthenticated remote code execution. A very limited number of customers had EPMM exploited at the time of disclosure. The vulnerabilities do not impact other Ivanti products, including Ivanti Neurons for MDM or Ivanti Endpoint Manager (EPM), and cloud products with Sentry are unaffected. Exploitation can enable lateral movement, configuration changes, admin privilege escalation, and access to personal and device data. No reliable IOCs are available; technical analysis guidance exists.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]