CVE-2026-1281

CRITICAL KEV

Ivanti Endpoint Manager Mobile (EPMM) unauthenticated RCE

Title source: metasploit

Exploitation Summary

CVE-2026-1281 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 29, 2026. EIP tracks 3 public exploits from researchers including XiaomingX, MehdiLeDeaut, and YunfeiGE18.

Description

A code injection vulnerability in Ivanti Endpoint Manager Mobile allows attackers to achieve unauthenticated remote code execution.

Exploits (3)

github SCANNER 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-1281

This repository contains a Python script that performs safe, non-exploitative checks for CVE-2026-1281 in Ivanti EPMM by sending HEAD and GET requests to known affected paths and analyzing response times and status codes. It does not contain exploit code but helps identify potentially vulnerable instances.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ivanti Endpoint Manager Mobile (EPMM)
No auth needed
Prerequisites: network access to the target Ivanti EPMM instance
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 2 stars
by MehdiLeDeaut · poc
https://github.com/MehdiLeDeaut/CVE-2026-1281-Ivanti-EPMM-RCE

This repository contains functional exploit code for CVE-2026-1281, targeting Ivanti EPMM. It includes multiple payloads for remote command execution, reverse shells, webshells, persistence mechanisms, and data exfiltration, demonstrating a clear understanding of the vulnerability.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Ivanti EPMM
No auth needed
Prerequisites: Network access to the vulnerable Ivanti EPMM instance
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by YunfeiGE18 · remote
https://github.com/YunfeiGE18/CVE-2026-1281-CVE-2026-1340-Ivanti-EPMM-RCE

This repository contains a functional Dockerized environment to reproduce CVE-2026-1281 and CVE-2026-1340, Ivanti EPMM pre-auth RCE vulnerabilities. It includes a vulnerable CGI script and test scripts to demonstrate command execution via Bash arithmetic expansion.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Ivanti EPMM
No auth needed
Prerequisites: Docker environment · Network access to target
devstral-2 · analyzed Feb 20, 2026

Scores

CVSS v3 9.8
EPSS 0.8159
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-01-29
VulnCheck KEV 2026-01-29
ENISA EUVD EUVD-2026-4940
CWE
CWE-94
Status published
Products (5)
ivanti/endpoint_manager_mobile 12.5.1.0
ivanti/endpoint_manager_mobile 12.6.0.0
ivanti/endpoint_manager_mobile 12.6.1.0
ivanti/endpoint_manager_mobile 12.7.0.0
ivanti/endpoint_manager_mobile < 12.5.0.0
Published Jan 29, 2026
KEV Added Jan 29, 2026
Tracked Since Feb 18, 2026