Ivanti on Jan. 29 released patches for Endpoint Manager Mobile (EPMM) that address two critical vulnerabilities that could lead to unauthenticated remote code executions (RCEs).
In its advisory, Ivanti posted that it was aware of a “very limited number of customers” whose solution has been exploited at the time of disclosure.
Ivanti said the bugs do not impact any of its other products, including cloud products like Ivanti Neurons for MDM. The vendor added that Ivanti Endpoint Manager (EPM) is a different product and also not impacted by these vulnerabilities. Customers using an Ivanti cloud product with Sentry are also not impacted by this vulnerability.
“For a while, Ivanti was dominating the security news cycle with its Connect Secure VPN vulnerabilities,” said Denis Calderone, co-founder and COO of Suzu Labs. “Multiple entries in CISA's Known Exploited Vulnerabilities catalog, mass exploitation campaigns, it was relentless. Then things went quiet. Now it looks like there's a new target: Endpoint Manager Mobile.”
Calderone said CVE-2026-1281 and CVE-2026-1340 are unauthenticated RCEs with CVSS scores of 9.8 and have already been exploited.
“Same pattern, different product,” said Calderone. “This is a big deal, and affected organizations should address this now if exposed. The danger with EPMM is scope. This is mobile device management, which means a successful compromise gives attackers the ability to push malicious configurations or apps to every managed corporate device in your fleet. One vulnerability that potentially threatens every executive's phone and tablet. This is truly an enterprisewide concern for those exposed.”
Andi Ursry, threat intelligence analyst at Blackpoint Cyber, added that these vulnerabilities present a significant risk because compromise of EPMM can give attackers administrative-level control over large portions of a mobile environment. Ursry said that kind of access can provide device takeover, policy manipulation, credential access, and visibility into sensitive enterprise data at scale, turning a single foothold into broad operational control.
“Repeated targeting of edge and management platforms like this reinforces that attackers are going after high-leverage access points,” said Ursry. “Security teams should treat these systems as prioritized systems and focus on patching as well as validating administrative activity, rotating credentials, and hardening exposed interfaces.”
Randolph Barr, chief information security officer at Cequence Security, said the risk becomes serious when an attacker gains access to the EPMM server and then abuses its trusted role. At that point, Barr said they could push configuration changes, alter authentication settings, or manipulate device certificates.
“This isn’t a mobile malware problem so much as a trust and management-plane issue,” said Barr. “The other important point is that EPMM is typically deployed on-prem or in customer-managed private cloud environments. That actually gives security teams more control than many SaaS platforms. With the right architecture and access controls, organizations can materially reduce their exposure and limit blast radius.”
Barr added that from a practical standpoint, the immediate priorities are patching quickly, reducing internet exposure to admin interfaces and APIs, enforcing strong admin authentication and least-privilege access, and closely monitoring for changes to policies, certificates, and admin activity. Barr said teams should also validate that no unauthorized configuration profiles or authentication changes were pushed to devices.
Ivanti patches two 9.8 bugs in Endpoint Manager Mobile




