CVE-2026-1281

CVSS 9.8 CRITICALEPSS 81.2%● KEVCWE-94

In short

Ivanti Endpoint Manager Mobile has a flaw that lets attackers run malicious code on the system without needing to log in. This is critical because it allows complete control of affected devices.

Technical detail

A code injection vulnerability (CWE-94) in Ivanti Endpoint Manager Mobile permits unauthenticated remote code execution. The attack vector is network-based with no authentication requirement, resulting in full system compromise.

Summary generated and translated by AI from the official description.

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Ivanti · Endpoint Manager Mobile

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281