Ivanti’s January bad luck continues as 0-days hit customers • The Register

https://www.theregister.com/2026/01/30/ivanti_epmm_zero_days/

Publish Date: 2026-01-30 17:01:00

Ivanti has patched two critical zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product that are already being exploited, continuing a grim run of January security incidents for enterprise IT vendors.

In January 2025, tens of thousands were urged to patch a Fortinet zero-day, while Ivanti customers were doing the same. There has been little change this year as Fortinet patches multiple single sign-on (SSO) flaws and Ivanti ships fixes for yet another pair of zero-days.

Tracked as CVE-2026-1281 and CVE-2026-1340, both bugs affect Ivanti Endpoint Manager Mobile (EPMM). They’re also both rated a near-maximum CVSS score of 9.8 and allow for unauthenticated remote code execution (RCE) – about as bad as it gets.

The security shop said in its advisory: “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.

“This vulnerability does not impact any other Ivanti products, including any cloud products, such as Ivanti Neurons for MDM. Ivanti Endpoint Manager (EPM) is a different product and also not impacted by these vulnerabilities. Customers using an Ivanti cloud product with Sentry are also not impacted by this vulnerability.”

These kinds of RCE bugs can lead to all sorts of nastiness. Lateral movement across a given organization’s network, config changes, and attackers making themselves admin are all possible. The vendor warned that it could grant access to certain data too.

Ivanti said that the types of information available could include basic personal information about the EPMM admin and device user, as well as information about mobile devices such as phone numbers and GPS locations.

Those looking for indicators of compromise (IOCs) are out of luck. Ivanti doesn’t have any reliable ones due to the small number of impacted customers it knows…

Source