Overview
- Ivanti disclosed CVE-2026-1281 and CVE-2026-1340 as critical code-injection bugs enabling unauthenticated remote code execution in on-prem EPMM.
- Temporary RPM hotfixes are available per version line and require no downtime; they must be reapplied after upgrades, and a permanent fix is slated for EPMM 12.8.0.0 in Q1 2026.
- CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities catalog and directed federal civilian agencies to apply mitigations by early February.
- Ivanti reports a very limited number of confirmed compromises, while some security firms warn the real-world impact appears broader and urge assume-breach responses for internet-exposed systems.
- Successful exploitation can expose administrator, user, and device data and allow configuration changes. Ivanti’s guidance includes Apache log regex checks, vigilance for web or reverse shells, and restoring or rebuilding appliances if compromise is suspected.