Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340 Exploited in the Wild, CISA Adds to KEV
Two pre-authentication remote code execution vulnerabilities in Ivanti EPMM are being actively exploited, prompting CISA to add both CVEs to its Known Exploited Vulnerabilities catalog.

Ivanti is scrambling to contain active exploitation of two pre-authentication remote code execution vulnerabilities in its Endpoint Manager Mobile (EPMM) platform, tracked as CVE-2026-1281 and CVE-2026-1340. The company confirmed a very limited number of customer environments have already been breached, while CISA swiftly added both flaws to its Known Exploited Vulnerabilities (KEV) catalog, signaling elevated risk to federal agencies and the broader enterprise user base.
The vulnerabilities reside in Ivanti EPMM, a mobile device management and unified endpoint management solution widely deployed across large organizations to secure and manage fleets of iOS, Android, and other mobile devices. According to analysis from watchTowr Labs, both flaws are reachable over HTTP via Apache RewriteMap configurations that invoke Bash scripts. By replacing those scripts with compiled Java classes, the patch addresses the root cause, but Ivanti's approach has raised eyebrows: the company shipped temporary RPM patches that recompile Java source files and replace the Apache configuration at runtime, rather than issuing a standard software update.
Ivanti has acknowledged that these temporary RPM patches come with a persistence caveat: they must be reapplied after any subsequent EPMM update or they will be rolled back. A permanent fix is not expected until Q1 2026 with the release of EPMM version 12.8.0.0. In the interim, the company has made two RPM patches available, named ivanti-security-update-1761642-1.0.0L-5.noarch.rpm and ivanti-security-update-1761642-1.0.0S-5.noarch.rpm. These patches modify the Apache HTTPd configuration to replace RewriteMap scripts with newly compiled Java classes (AFTUrlMapper and AppStoreUrlMapper), eliminating the vulnerable Bash shell invocation.
watchTowr's technical analysis shows that the patch mechanism itself is instructive: the RPM package ships uncompiled Java source files, compiles them at install time using /etc/alternatives/javac, and then moves the resulting .class files to /mi/bin with restricted permissions (chmod 700). The Apache config is then updated via sed to switch the RewriteMap directives from shell scripts to Java class execution. The original Bash scripts at /mi/bin/map-appstore-url and /mi/bin/map-aft-store-url were the likely attack surface, and the patch effectively replaces them with Java equivalents, eliminating the vulnerability.
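Because the RPM patch is rolled back by any later EPMM update, administrators need a repeatable way to confirm it is still in place. The following verification helper is an added example written for this article; it is not Ivanti's or watchTowr's code. It parses the RewriteMap directives out of an httpd configuration, reports any map still backed by the original Bash scripts at /mi/bin/map-appstore-url or /mi/bin/map-aft-store-url, and checks that the AFTUrlMapper and AppStoreUrlMapper class files exist under /mi/bin with mode 0700. The sample configurations are constructed, and the exact form of the post-patch Java RewriteMap line (a prg: map invoking java with the class name) is an assumption, since the article does not quote it.

```python
"""Post-patch verification for the Ivanti EPMM RewriteMap change (added example).

Checks two things on an EPMM host (or against a copied httpd config):
  1. no RewriteMap directive still points at the Bash scripts named in the
     article, /mi/bin/map-appstore-url and /mi/bin/map-aft-store-url;
  2. the compiled AFTUrlMapper/AppStoreUrlMapper class files exist under
     /mi/bin with mode 0700 (the chmod 700 the RPM applies).
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field

# Pre-patch RewriteMap targets and their Java replacements, both from the article.
BASH_MAPPERS = ("/mi/bin/map-appstore-url", "/mi/bin/map-aft-store-url")
JAVA_CLASSES = ("AFTUrlMapper", "AppStoreUrlMapper")

# Apache syntax: RewriteMap <name> <type>:<source>, with optional quoting.
REWRITEMAP_RE = re.compile(r'^\s*RewriteMap\s+(\S+)\s+"?(\w+):([^"\s]+)', re.IGNORECASE)

# Constructed sample configs (not Ivanti's real httpd.conf). The Java line is an
# assumed shape: a prg: map that launches the compiled class instead of Bash.
PRE_PATCH_CONFIG = """\
RewriteEngine On
RewriteMap appstore "prg:/mi/bin/map-appstore-url"
RewriteMap aftstore prg:/mi/bin/map-aft-store-url
"""
POST_PATCH_CONFIG = """\
RewriteEngine On
RewriteMap appstore "prg:java -cp /mi/bin AppStoreUrlMapper"
RewriteMap aftstore "prg:java -cp /mi/bin AFTUrlMapper"
"""


@dataclass
class Findings:
    bash_maps: list = field(default_factory=list)       # map names still backed by Bash scripts
    missing_classes: list = field(default_factory=list)  # expected .class files not found
    loose_perms: dict = field(default_factory=dict)      # class name -> actual mode (octal string)

    @property
    def patched(self) -> bool:
        return not (self.bash_maps or self.missing_classes or self.loose_perms)


def rewritemap_directives(config_text):
    """Yield (map_name, map_type, source) for every RewriteMap line in the config."""
    for line in config_text.splitlines():
        m = REWRITEMAP_RE.match(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3)


def check_config(config_text):
    """Names of maps whose prg: source is one of the original Bash scripts."""
    return [name for name, mtype, src in rewritemap_directives(config_text)
            if mtype == "prg" and src in BASH_MAPPERS]


def check_class_files(bin_dir):
    """Report class files that are missing or not restricted to mode 0700."""
    missing, loose = [], {}
    for cls in JAVA_CLASSES:
        path = os.path.join(bin_dir, cls + ".class")
        if not os.path.isfile(path):
            missing.append(cls)
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != 0o700:
            loose[cls] = oct(mode)
    return missing, loose


def verify(config_text, bin_dir="/mi/bin"):
    """Combine the config and filesystem checks into one Findings record."""
    f = Findings()
    f.bash_maps = check_config(config_text)
    f.missing_classes, f.loose_perms = check_class_files(bin_dir)
    return f


def demo():
    """Run the checks against a scratch directory standing in for /mi/bin."""
    with tempfile.TemporaryDirectory() as d:
        for cls in JAVA_CLASSES:
            path = os.path.join(d, cls + ".class")
            with open(path, "wb") as fh:
                fh.write(b"\xca\xfe\xba\xbe")  # class-file magic as stand-in content
            os.chmod(path, 0o700)
        pre = verify(PRE_PATCH_CONFIG, d).patched    # Bash maps still referenced -> False
        post = verify(POST_PATCH_CONFIG, d).patched  # expected state after the RPM -> True
        os.chmod(os.path.join(d, "AFTUrlMapper.class"), 0o755)
        loose = verify(POST_PATCH_CONFIG, d).patched  # config fine, permissions drifted -> False
    return pre, post, loose


if __name__ == "__main__":
    print(demo())
```

On a live appliance, `verify(open(path_to_httpd_conf).read())` with the real configuration path gives the same three-way answer; a non-empty `bash_maps` list after an EPMM update is the signal that the RPM has been rolled back and must be reapplied.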
CISA's addition of both CVEs to the KEV catalog means federal civilian executive branch agencies are required to apply the available patches by a mandated deadline, though the agency also stresses that all organizations using Ivanti EPMM should prioritize remediation. Exploitation has been attributed to an unnamed advanced persistent threat (APT) group, though no specific attribution has been publicly confirmed. The vulnerabilities require no authentication to exploit, making them particularly dangerous for internet-facing EPMM instances.
This is not the first time Ivanti has faced a barrage of actively exploited vulnerabilities in its EPMM product. Previous incidents involving CVE-2026-6973 and other flaws have demonstrated the product's attractiveness as a target for threat actors seeking to gain a foothold inside enterprise networks. The pattern of Ivanti publishing temporary, reapply-required patches instead of immediately releasing a permanent fixed version has drawn criticism from security researchers, who note that such workarounds increase operational burden on already stretched IT teams.
For now, Ivanti customers are advised to apply the temporary RPM patches without delay, monitor for signs of compromise such as unexpected HTTP requests targeting the /mifs/c/ path, and prepare for the permanent fix arriving in Q1 2026. The incident underscores the tension between speed-to-patch and patch quality in an era where vulnerability exploitation is the leading initial access vector in breaches.
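To make the monitoring advice concrete, here is an added triage helper (not from Ivanti, watchTowr or the original article) that reads Apache combined-format access log lines, isolates requests to the /mifs/c/ path, and flags the ones that look out of place for an MDM client endpoint. The log lines are constructed samples, and the anomaly heuristics (request targets containing characters outside the usual URL alphabet, unusual HTTP methods, empty User-Agent) are the author's assumptions for illustration rather than published detection rules.

```python
"""Access-log triage for requests to /mifs/c/ (added example, constructed data)."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log format; referer and user-agent are optional so common-format lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

WATCH_PREFIX = "/mifs/c/"  # path the article says to watch for unexpected requests
# Characters assumed normal in a decoded /mifs/c/ request target (heuristic, not a spec).
BENIGN_TARGET = re.compile(r"^[A-Za-z0-9/._\-?=&%:+]*$")

# Constructed sample lines; RFC 5737 documentation addresses, not real clients.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2026:08:15:02 +0000] "GET /mifs/c/enroll/example HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed iOS client)"',
    '203.0.113.11 - - [01/Jan/2026:08:15:09 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (constructed browser)"',
    '198.51.100.7 - - [01/Jan/2026:08:16:44 +0000] "GET /mifs/c/example/endpoint HTTP/1.1" 200 131 "-" "-"',
    '198.51.100.7 - - [01/Jan/2026:08:16:45 +0000] "GET /mifs/c/foo%20bar%22 HTTP/1.1" 200 94 "-" "-"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry):
    """Heuristic reasons a /mifs/c/ request deserves a look (empty list means none)."""
    reasons = []
    decoded = unquote(entry["target"])  # compare after percent-decoding
    if not BENIGN_TARGET.match(decoded):
        reasons.append("unexpected characters in request target")
    if entry["method"] not in ("GET", "POST"):
        reasons.append(f"unusual method {entry['method']}")
    ua = entry.get("ua") or ""
    if ua in ("", "-"):
        reasons.append("empty User-Agent")
    return reasons


def triage(lines):
    """Return (flagged hits, per-client request counts) for /mifs/c/ traffic."""
    hits = []
    per_ip = Counter()
    for line in lines:
        e = parse_line(line)
        if not e or not e["target"].startswith(WATCH_PREFIX):
            continue
        per_ip[e["ip"]] += 1
        reasons = is_suspicious(e)
        if reasons:
            hits.append((e["ip"], e["target"], e["status"], reasons))
    return hits, per_ip


if __name__ == "__main__":
    flagged, counts = triage(SAMPLE_LOG)
    print("requests to /mifs/c/ per client:", dict(counts))
    for ip, target, status, reasons in flagged:
        print(f"{ip} {status} {target}: {'; '.join(reasons)}")
```

Run against real logs with `triage(open(access_log_path))`; the per-client counts give a baseline of which sources normally touch /mifs/c/, and the flagged entries are the ones to correlate with the RPM patch state and with any indicators Ivanti publishes.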