{"id":10265,"date":"2026-01-30T10:03:42","date_gmt":"2026-01-30T10:03:42","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/30\/critical-ivanti-endpoint-manager-0-day-rce-vulnerabilities-actively-exploited-in-attacks\/"},"modified":"2026-01-30T10:03:42","modified_gmt":"2026-01-30T10:03:42","slug":"critical-ivanti-endpoint-manager-0-day-rce-vulnerabilities-actively-exploited-in-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/30\/critical-ivanti-endpoint-manager-0-day-rce-vulnerabilities-actively-exploited-in-attacks\/","title":{"rendered":"Critical Ivanti Endpoint Manager 0-day RCE Vulnerabilities Actively Exploited in Attacks"},"content":{"rendered":"<p>Critical Ivanti Endpoint Manager 0-day RCE Vulnerabilities Actively Exploited in Attacks<\/p>\n<div>\n<p>Two critical <a href=\"https:\/\/cybersecuritynews.com\/injection-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">code-injection<\/a> vulnerabilities have been disclosed in the Ivanti Endpoint Manager Mobile (EPMM) platform and are being actively exploited in real-world attacks.<\/p>\n<p>The security flaws, tracked as CVE-2026-1281 and CVE-2026-1340, allow unauthenticated attackers to execute arbitrary code remotely on vulnerable systems.<\/p>\n<p>Both vulnerabilities carry a CVSS severity score of 9.8 (Critical) and affect multiple versions of EPMM, including 12.5.0.0, 12.6.0.0, and 12.7.0.0.<\/p>\n<p>According to Ivanti\u2019s security advisory published on January 29, 2026, the company is aware of a limited number of customer environments that had already been compromised at the time of disclosure.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-active-exploitation-confirmed\"><strong>Active Exploitation Confirmed<\/strong><\/h2>\n<p>Both vulnerabilities stem from code-injection weaknesses (<a
href=\"https:\/\/cybersecuritynews.com\/cisa-warns-cisco-unified-cm-0-day\/\" target=\"_blank\" rel=\"noreferrer noopener\">CWE-94<\/a>) that can be exploited without authentication or user interaction.<\/p>\n<p>The attack vector is network-based and low-complexity, enabling threat actors to compromise vulnerable <a href=\"https:\/\/cybersecuritynews.com\/ivanti-epmm-0-day-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">EPMM<\/a> instances remotely with minimal effort.<\/p>\n<p>Successful exploitation grants attackers complete control over the confidentiality, integrity, and availability of affected systems.<\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">CVE Number<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">CVSS Score<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">CVSS Vector<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">CWE<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-1281<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Code injection enabling <a href=\"https:\/\/cybersecuritynews.com\/solarwinds-web-help-desk-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">unauthenticated<\/a> RCE<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">9.8 (Critical)<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">CWE-94<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-1340<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Code injection enabling unauthenticated RCE<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">9.8 (Critical)<\/td>\n<td 
class=\"has-text-align-left\" data-align=\"left\">AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">CWE-94<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Ivanti has released version-specific <a href=\"https:\/\/cybersecuritynews.com\/best-network-security-providers-for-ecommerce\/\" target=\"_blank\" rel=\"noreferrer noopener\">RPM patches<\/a> to address the security flaws while customers await the permanent fix scheduled for version 12.8.0.0 in Q1 2026.<\/p>\n<p>The temporary patches require no system downtime and do not impact feature functionality. However, administrators must reapply the RPM script after version upgrades.<\/p>\n<p>Organizations running EPMM should immediately apply the <a href=\"https:\/\/cybersecuritynews.com\/microsoft-family-safety-blocks-chrome\/\" target=\"_blank\" rel=\"noreferrer noopener\">version-specific <\/a>RPM patches available through Ivanti\u2019s support portal.<\/p>\n<p>Customers using versions 12.5.0.x through 12.7.0.x require RPM 12.x.0.x, while those on 12.5.1.0 or 12.6.1.0 should deploy RPM 12.x.1.x.<\/p>\n<p>The company emphasizes that only one patch is needed based on the deployed version.<\/p>\n<p>Ivanti <a href=\"https:\/\/forums.ivanti.com\/s\/article\/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">recommends <\/a>that security-conscious organizations consider rebuilding EPMM environments and migrating data to replacement systems as the most conservative remediation approach.<\/p>\n<p>The company has provided technical analysis documentation with forensic guidance, though reliable indicators of compromise remain unavailable as investigations continue.<\/p>\n<p>Notably, other Ivanti products including Endpoint Manager (EPM), Neurons for MDM, and Sentry appliances are not affected by these vulnerabilities.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/ivanti-endpoint-manager-vulnerability\/\">Critical Ivanti Endpoint Manager 0-day RCE Vulnerabilities Actively Exploited in Attacks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Abinaya<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/ivanti-endpoint-manager-vulnerability\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Critical Ivanti Endpoint Manager 0-day RCE Vulnerabilities Actively Exploited in Attacks Two critical code-injection vulnerabilities have been disclosed in the Endpoint Manager Mobile (EPMM) platform, which are currently being actively exploited in real-world attacks. The security flaws, tracked as CVE-2026-1281 and CVE-2026-1340, allow unauthenticated attackers to execute arbitrary code remotely on vulnerable systems.
The vulnerabilities [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-10265","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10265"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10265"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10265\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10265"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10265"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10265"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}