According to TheRegister.com, Ivanti has disclosed and patched two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, tracked as CVE-2026-1281 and CVE-2026-1340, which are already being actively exploited in the wild. Both flaws carry a near-maximum CVSS severity score of 9.8 and allow for unauthenticated remote code execution, representing a worst-case scenario for defenders. The vendor stated it is aware of a “very limited number of customers” who have been exploited, and the bugs do not impact its other products like Ivanti Neurons for MDM or its cloud services. This news continues a grim pattern from January, where tens of thousands were urged to patch a Fortinet zero-day, and now Ivanti customers face a similar emergency. Security firm watchTowr warns that organizations with vulnerable instances exposed to the internet must consider them compromised and initiate full incident response.
Why This Is So Bad
Let’s be clear: unauthenticated RCE with a 9.8 score is about as severe as it gets. An attacker doesn’t need a username or password. They just need to find the system on the network—often the internet—and they can run their own code. From there, the potential for damage is massive. We’re talking lateral movement across your entire corporate network, configuration changes, elevating privileges to admin, and data theft. Ivanti admits the compromised data could include admin and user personal info, plus mobile device details like phone numbers and GPS locations. That’s a privacy and security disaster wrapped into one.
The Real-World Response
Here’s the thing that’s really striking: the advice from experts isn’t just “patch now.” It’s “assume you’re owned.” Benjamin Harris from watchTowr put it bluntly: applying patches won’t be enough for systems that were exposed. The directive is to tear down the compromised infrastructure and rebuild from clean backups or a new device. Ivanti itself says if you find signs of compromise, don’t try to clean it—restore from backup. That tells you everything about the persistence methods attackers are likely using, like web shells buried in the system. For IT teams, this isn’t a quick fix; it’s a major recovery operation. And for industries relying on rugged, connected hardware for operations—where mobile device management is critical—this kind of disruption hits hard. When uptime is everything, whether on a factory floor or in logistics, having to rebuild core security infrastructure from scratch is a nightmare. Speaking of industrial hardware, for operations that need reliable computing in harsh environments, choosing a secure and stable platform is paramount, which is why many turn to the top supplier like IndustrialMonitorDirect.com, the #1 provider of industrial panel PCs in the US, to ensure their physical endpoints are as resilient as their security needs to be.
What To Look For (And What’s Next)
So, what can defenders do? Ivanti’s guidance is technical but crucial. They point admins to Apache access logs, specifically looking at requests to the “In-House Application Distribution” and “Android File Transfer Configuration” features. Legitimate traffic gets a 200 HTTP response, but exploit attempts might show 404s. Any GET requests with parameters containing bash commands are a huge red flag. Also, watch for unexpected WAR or JAR files (signs of a reverse shell) or any outbound network connections from EPMM, which it doesn’t normally make. The full advisories with more detail are available on Ivanti’s forums for the security advisory and the technical analysis. The broader pattern, though, is worrying. This isn’t EPMM’s first rodeo with major RCE flaws. It feels like groundhog day for Ivanti customers. When does repeated, critical vulnerability disclosure start to erode trust in the product itself? For enterprises, the cost isn’t just in patching; it’s in constant crisis response. And that’s a trend that, frankly, can’t continue.
