
Alert! Ivanti warns of exploitation of Endpoint Manager Mobile zero-days

CISA adds one of a pair of code injection vulnerabilities to KEV Catalog as experts warn, “this is not a drill”.

Fri, 30 Jan 2026
IT security firm Ivanti has disclosed a pair of Critical Severity vulnerabilities in its Endpoint Manager Mobile platform, warning that hackers are already exploiting the flaws.

“Ivanti has released updates for Endpoint Manager Mobile (EPMM) which addresses two critical severity vulnerabilities. Successful exploitation could lead to unauthenticated remote code execution,” Ivanti said in a January 29 advisory.

“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.”

However, according to watchTowr CEO Benjamin Harris, that “very limited number” may be far higher.

“Across the watchTowr client base, we are seeing impact across a wide range of high-value industries and targets,” Harris told Cyber Daily.

“This is not a drill, and is unfortunately the January drama we all entirely expected.”

The basics

Both CVE-2026-1281 and CVE-2026-1340 are code injection vulnerabilities that could allow an unauthenticated attacker to execute code remotely. Both have a CVSS score of 9.8.

Harris said both vulnerabilities represented “the worst of the worst, with threat actors actively compromising systems and deploying backdoors”.

“While patches are available from Ivanti, applying patches will not be enough,” Harris said.

“Threat actors have been exploiting these vulnerabilities as zero-days, and organisations that are, as of disclosure, exposing vulnerable instances to the Internet must consider them compromised, tear down infrastructure and instigate incident response processes.”

The following product versions are impacted:

Ivanti Endpoint Manager Mobile, versions 12.5.0.0 and prior; 12.6.0.0 and prior; 12.7.0.0 and prior

Ivanti Endpoint Manager Mobile, versions 12.5.1.0 and prior; 12.6.1.0 and prior

“Customers should apply either RPM 12.x.0.x or RPM 12.x.1.x, depending on their version. Customers do not need to apply both RPMs as they are version specific, not vulnerability specific,” Ivanti said.

“No downtime is required to apply this patch, and we are not aware of any feature functionality impact with this patch.”

You can learn more about this pair of vulnerabilities here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
