Two critical code injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 — are being exploited in the wild and can enable unauthenticated remote code execution on exposed appliances. (NVD)
TL;DR
- If your EPMM is internet-facing, treat this as high-priority incident response, not a routine patch. (NHS England Digital)
- CVE-2026-1281 is in CISA’s KEV with a very short remediation deadline — a strong operational risk signal. (NVD)
- Public reporting points to mass scanning/exploitation post-disclosure and 1,400+ instances still exposed. (CyberScoop)
- Patch using Ivanti’s temporary RPM and run a compromise assessment (don’t stop at “patched”). (NHS England Digital)
What’s happening (practically)
EPMM is often reachable from the internet by design (mobile devices must talk to it). That makes it a classic “edge control plane” target: once exploitation starts, opportunistic activity tends to scale quickly — especially when PoCs become public. (CyberScoop)
Public reporting indicates limited attacks before Ivanti’s disclosure, followed by broader exploitation by multiple groups, with 1,400+ potentially vulnerable instances still exposed. (CyberScoop)
Why an EPMM compromise is a force multiplier
This isn’t just “server RCE.”
EPMM sits in the device trust + policy enforcement layer. If the platform is compromised, the downstream blast radius can include access to sensitive data, lateral movement opportunities, and potential control over managed devices — exactly the outcomes defenders try to prevent by deploying MDM/UEM in the first place. (circl.lu)
Deobfuscated take: Put EPMM in the same priority tier as identity infrastructure and remote access gateways. If it’s exposed and unpatched, assume it’s being probed.
Am I affected?
NHS England lists impacted versions across the 12.5 / 12.6 / 12.7 trains (and earlier in those trains). (NHS England Digital)
- 12.5.0.0 and earlier
- 12.5.1.0 and earlier
- 12.6.0.0 and earlier
- 12.6.1.0 and earlier
- 12.7.0.0 and earlier (NHS England Digital)
CIRCL also notes that older EoL versions may be affected. (circl.lu)
Immediate mitigation: patch fast (but don’t forget the “patch doesn’t stick” detail)
NHS England guidance is clear: apply Ivanti’s temporary RPM mitigation now. (NHS England Digital)
Two gotchas worth calling out:
- The RPM does not survive a version upgrade — if you upgrade later, you must reinstall the RPM. (NHS England Digital)
- A permanent fix is planned for EPMM 12.8.0.0. (NHS England Digital)
Compromise assessment: the fastest high-signal check
NHS England recommends reviewing the Apache access log:
/var/log/httpd/https-access_log (NHS England Digital)
They also highlight a practical heuristic:
- Legitimate traffic to the relevant endpoints commonly returns HTTP 200
- Attempted/successful exploitation may show up as HTTP 404 for those paths (NHS England Digital)
They provide a regex you can use to quickly triage:
^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
Important: don’t rely only on local/on-box logs — NHS England notes on-box logging can be manipulated post-compromise and recommends reviewing data in your SIEM/log collector instead. (NHS England Digital)
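As an added example (not code from NHS England, Ivanti or the original post), the triage regex above applied in Python to constructed sample log lines, with a per-source tally so repeated probing stands out. The `client_ip:port` line prefix is assumed from the regex's own lookahead, and the IPs are documentation-range placeholders.

```python
import re
from collections import Counter

# Regex exactly as published in the NHS England Digital guidance quoted above.
# The lookahead skips requests from 127.0.0.1 (on-box callers); the rest flags
# requests to /mifs/c/aftstore/fob/ or /mifs/c/appstore/fob/ followed by 404.
NHS_TRIAGE_RE = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# Constructed sample log lines, not real traffic. Assumption: each line starts
# with "client_ip:port " (as the lookahead implies), then a Common Log Format
# style request, status code and byte count.
SAMPLE_LOG = """\
203.0.113.10:51432 - - [12/Feb/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/x HTTP/1.1" 404 221
127.0.0.1:40112 - - [12/Feb/2026:10:01:05 +0000] "GET /mifs/c/aftstore/fob/y HTTP/1.1" 404 221
198.51.100.7:60210 - - [12/Feb/2026:10:02:11 +0000] "GET /mifs/c/appstore/fob/z HTTP/1.1" 200 5120
203.0.113.10:51440 - - [12/Feb/2026:10:02:19 +0000] "GET /mifs/c/aftstore/fob/w HTTP/1.1" 404 221
198.51.100.7:60215 - - [12/Feb/2026:10:03:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 221
"""


def triage(lines):
    """Return the log lines the NHS regex flags (non-local 404s on the fob paths)."""
    # ^ is anchored per line because each line is searched as its own string.
    return [ln for ln in lines if NHS_TRIAGE_RE.search(ln)]


def hits_by_source(lines):
    """Count flagged lines per client IP (the text before ':port')."""
    counts = Counter()
    for ln in triage(lines):
        counts[ln.split(":", 1)[0]] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ln in triage(lines):
        print(ln)
    print(dict(hits_by_source(lines)))  # {'203.0.113.10': 2}
```

Because the regex ends in `.*?404` rather than anchoring on the status column, a byte count or path segment containing "404" will also match; feed the flagged lines from your SIEM copy of the log into a status-aware parser before drawing conclusions.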
If patching must wait: shrink exposure and buy time safely
If you truly can’t patch immediately, prioritize:
- Reduce exposure: remove unnecessary internet reachability; restrict management access paths as tightly as possible.
- Centralize telemetry: forward HTTP/access logs and relevant system events off-box (SIEM/immutable store). (NHS England Digital)
- Prepare for IR: CIRCL strongly recommends initiating a full incident response procedure for EPMM instances, including compromise assessment and log review. (circl.lu)