=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN099
_____________________________________________________________________

DATE                : 30/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Ivanti Endpoint Manager Mobile 
                      versions prior to RPM 12.x.0.x, RPM 12.x.1.x.

=====================================================================
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
_____________________________________________________________________

Security Advisory Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-1281 
& CVE-2026-1340)


Primary Product

Created Date
29 Jan 2026 18:38:15

Last Modified Date
29 Jan 2026 23:06:51
Update: 29 Jan: Step by Step RPM Install KB included


Summary 

Ivanti has released updates for Endpoint Manager Mobile (EPMM) which 
address two critical severity vulnerabilities. Successful 
exploitation could lead to unauthenticated remote code execution. 

We are aware of a very limited number of customers whose solution has 
been exploited at the time of disclosure. 

This vulnerability does not impact any other Ivanti products, 
including any cloud products, such as Ivanti Neurons for MDM. Ivanti 
Endpoint Manager (EPM) is a different product and also not impacted by 
these vulnerabilities. Customers using an Ivanti cloud product with 
Sentry are also not impacted by this vulnerability.  


Vulnerability Details:

CVE Number            : CVE-2026-1281
Description           : A code injection in Ivanti Endpoint Manager Mobile
                        allowing attackers to achieve unauthenticated
                        remote code execution.
CVSS Score (Severity) : 9.8 (Critical)
CVSS Vector           : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE                   : CWE-94

CVE Number            : CVE-2026-1340
Description           : A code injection in Ivanti Endpoint Manager Mobile
                        allowing attackers to achieve unauthenticated
                        remote code execution.
CVSS Score (Severity) : 9.8 (Critical)
CVSS Vector           : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE                   : CWE-94

 
Affected Versions

Product Name        : Ivanti Endpoint Manager Mobile
Affected Version(s) : 12.5.0.0 and prior
                      12.6.0.0 and prior
                      12.7.0.0 and prior
Affected CPE(s)     : cpe:2.3:a:ivanti:endpoint_manager_mobile:12.7.0.0:*:*:*:*:*:*:*
Resolved Version(s) : RPM 12.x.0.x
Patch Availability  : https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0S-5.noarch.rpm

Product Name        : Ivanti Endpoint Manager Mobile
Affected Version(s) : 12.5.1.0 and prior
                      12.6.1.0 and prior
Affected CPE(s)     : cpe:2.3:a:ivanti:endpoint_manager_mobile:12.5.1.0:*:*:*:*:*:*:*
                      cpe:2.3:a:ivanti:endpoint_manager_mobile:12.6.1.0:*:*:*:*:*:*:*
Resolved Version(s) : RPM 12.x.1.x
Patch Availability  : https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0L-5.noarch.rpm
 

Customers should apply either RPM 12.x.0.x or RPM 12.x.1.x, depending 
on their version. Customers do not need to apply both RPMs as they are 
version specific, not vulnerability specific. 

No downtime is required to apply this patch, and we are not aware of 
any feature functionality impact with this patch.  

RPM_12.x.0.x Applicable versions: 12.5.0.x, 12.6.0.x and 12.7.0.x

 - Compatible Versions: 12.3.0.x and 12.4.0.x 

RPM_12.x.1.x Applicable Versions: 12.5.1.0 and 12.6.1.0 

Important: the RPM script does not survive a version upgrade. If after 
applying the RPM script to your appliance, you upgrade to a new 
version you will need to reinstall the RPM. The permanent fix for this 
vulnerability will be included in the next product release: 12.8.0.0. 

Customers need to prefix the support.mobileiron.com host with their 
credentials when using the install rpm command.  

Below you can find the syntax to run the patch: 

    install rpm url https://username:password@support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0S-5.noarch.rpm

OR  

    install rpm url https://username:password@support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0L-5.noarch.rpm

The username and password are the customer's software download 
credentials. For more detailed instructions, please leverage the 
following steps.

We strongly encourage all EPMM customers to adopt version 12.8.0.0 
once it has been released later in Q1 2026. Once you have upgraded to 
12.8.0.0, you will not need to reapply the RPM script. 
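
Added example, not part of Ivanti's advisory or tooling: the version-to-RPM
rules above, together with the reinstall-after-upgrade rule and the FAQ's
per-core rule for HA, applied to an inventory of cores. The inventory fields
(name, version, rpm_applied_on) and the sample hosts are assumptions
constructed for illustration.

```python
# Added example: triage an EPMM core inventory against the advisory's RPM rules.
# Inventory format and field names are assumptions made for this example.
RPM_S = "ivanti-security-update-1761642-1.0.0S-5.noarch.rpm"  # RPM 12.x.0.x
RPM_L = "ivanti-security-update-1761642-1.0.0L-5.noarch.rpm"  # RPM 12.x.1.x

def rpm_for_version(version):
    """Return (rpm_file, status) for a dotted EPMM version, per the advisory."""
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return None, "unparseable"
    if len(parts) != 4:
        return None, "unparseable"
    if parts >= (12, 8, 0, 0):   # permanent fix; assumes later releases keep it
        return None, "fixed-in-release"
    major, minor, branch, build = parts
    if major == 12 and branch == 0:
        if minor in (5, 6, 7):
            return RPM_S, "applicable"
        if minor in (3, 4):
            return RPM_S, "compatible"
    if major == 12 and branch == 1 and build == 0 and minor in (5, 6):
        return RPM_L, "applicable"
    return None, "not-listed"    # the advisory names no RPM for this version

def triage(cores):
    """Yield (name, action); every HA member is listed and patched separately."""
    for core in cores:
        rpm, status = rpm_for_version(core["version"])
        applied_on = core.get("rpm_applied_on")
        if status == "fixed-in-release":
            action = "none: release carries the fix"
        elif rpm is None:
            action = "manual review: " + status
        elif applied_on == core["version"]:
            action = "none: RPM already applied on this version"
        elif applied_on:
            action = "reinstall " + rpm + " (RPM does not survive an upgrade)"
        else:
            action = "install " + rpm
        yield core["name"], action

# Constructed sample inventory: an HA pair (core-a, core-a-ha2) and two others.
SAMPLE = [
    {"name": "core-a", "version": "12.6.0.2", "rpm_applied_on": "12.6.0.2"},
    {"name": "core-a-ha2", "version": "12.6.0.2", "rpm_applied_on": None},
    {"name": "core-b", "version": "12.6.1.0", "rpm_applied_on": "12.5.1.0"},
    {"name": "core-c", "version": "12.2.0.1", "rpm_applied_on": None},
]
```

Calling `dict(triage(SAMPLE))` gives one action per core; versions the
advisory does not list are flagged for manual review rather than guessed.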

We are providing Technical Analysis that includes affected endpoint 
specifics and log analysis guidance which can be found HERE to support 
investigation and forensics.  

Customers should determine their own risk appetite when securing their 
environment. The most conservative approach, regardless of 
exploitation, would be to build a replacement EPMM and then migrate 
data to the device. You can find instructions on how to do this HERE. 
This does not require re-enrollment of devices. 

 

Note: Ivanti is dedicated to ensuring the security and integrity of 
our enterprise software products. We recognize the vital role that 
security researchers, ethical hackers, and the broader security 
community play in identifying and reporting vulnerabilities. Visit 
HERE to learn more about our Vulnerability Disclosure Policy. 


FAQ 

1.  Are you aware of any active exploitation of these vulnerabilities?

We are aware of a very limited number of customers who have been 
exploited at the time of disclosure. 

2.  How can I tell if I have been compromised? 

The investigation is ongoing and Ivanti does not have reliable atomic 
indicators at this time. We are providing a Technical Analysis for 
defenders HERE.  

3.  Is Sentry vulnerable? 

No, Sentry does not contain this vulnerability. However, you should 
always review the security of the Sentry appliance at the same time as 
EPMM due to the dependency it has on the EPMM appliance and 
configuration. 

Customers who use Sentry with a cloud product are not impacted by this 
vulnerability.  

4.  Is Ivanti Neurons for MDM vulnerable?

No. Ivanti Neurons does not contain this vulnerability. Ivanti cloud 
solutions are not impacted by this vulnerability. 

5.  What actions have Ivanti taken in response to this discovery? 

In addition to rapidly and proactively providing a patch, Ivanti has 
mobilized additional resources and support teams to assist customers 
and is actively collaborating with security partners, the broader 
security community and law enforcement.  

6.  Will HA sync apply the RPM patch to our secondary core if a 
secondary core is being used? 

No, the RPM patch needs to be applied to each core separately. HA Sync 
will not apply the patch to any secondary cores automatically. 

7.  Do I need to apply both RPM patches? 

No. The RPM patches are version specific, not vulnerability specific. 
You only need to apply the RPM patch that corresponds with your 
version. 

8.  How do I validate if the RPM was applied successfully? 

When the RPM is installed, there will be a response line indicating 
success. An error of any kind will be generated if there’s an issue 
with the application. 

9.  What should I do if I need help?  

If you have questions after reviewing this information, you can log a 
case and/or request a call via the Success Portal.


Article Number : 000104594



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




