Cybersecurity Threat Advisory: Ivanti RCE vulnerabilities


Security researchers at Ivanti have disclosed two high‑severity vulnerabilities in the Endpoint Manager Mobile (EPMM) platform, tracked as CVE‑2026‑1340 and CVE‑2026‑1281, both carrying a CVSS score of 9.8. Ivanti has released an initial patch, with full mitigation expected in an upcoming version update. Review this Cybersecurity Threat Advisory for more details and recommendations to mitigate your risk.

What is the threat?

Attackers can achieve unauthenticated code execution by sending an HTTP GET request containing a maliciously crafted string. This string targets either the “In‑House Application Distribution” feature (/mifs/c/appstore/fob/) or “Android File Transfer Configuration” (/mifs/c/aftstore/fob/).
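For triage, the two endpoint paths above can be searched for in web access logs. The following is an added example, not part of the original advisory or Ivanti's guidance: it assumes Apache-style "combined" log lines, and the sample lines, addresses and `EXAMPLE` path suffix are constructed.

```python
import re
from urllib.parse import unquote

# The two endpoint prefixes named in the advisory text.
WATCHED_PREFIXES = ("/mifs/c/appstore/fob/", "/mifs/c/aftstore/fob/")

# Assumption: the web tier writes Apache-style "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, placeholder path suffix).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "GET /mifs/c/appstore/fob/EXAMPLE HTTP/1.1" 404 196 "-" "-"',
    '198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "GET /mifs/c/aftstore/fob/EXAMPLE HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.9 - - [01/Jan/2026:10:05:00 +0000] "GET /mifs/c/%61ppstore//fob/EXAMPLE?x=1 HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [01/Jan/2026:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    '192.0.2.10 - - [01/Jan/2026:10:07:00 +0000] "POST /mifs/c/appstore/fob/EXAMPLE HTTP/1.1" 403 0 "-" "-"',
]

def normalize(target):
    """Drop the query string, percent-decode, and collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)

def find_hits(lines):
    """Return one record per GET request whose path falls under a watched prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m["method"] != "GET":  # the advisory describes GET requests
            continue
        if normalize(m["target"]).startswith(WATCHED_PREFIXES):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": m["status"], "target": m["target"]})
    return hits

def summarize(hits):
    """Group hits by source address: {ip: (request_count, sorted status codes)}."""
    grouped = {}
    for h in hits:
        count, statuses = grouped.get(h["ip"], (0, set()))
        grouped[h["ip"]] = (count + 1, statuses | {h["status"]})
    return {ip: (n, sorted(s)) for ip, (n, s) in grouped.items()}

if __name__ == "__main__":
    for ip, (n, statuses) in summarize(find_hits(SAMPLE)).items():
        print(f"{ip}: {n} request(s) to watched endpoints, statuses {statuses}")
```

A hit shows only that one of the endpoints was requested; it is a lead for review, not proof of exploitation.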

Why is it noteworthy?

The EPMM platform requires broad permissions across managed devices to deliver full functionality. This includes access to sensitive data such as personally identifiable information (PII), hardware details (serial numbers, sensor data), and eSIM information. Successful exploitation could expose all of this data to attackers.

What is the exposure or risk?

Ivanti reports that all on‑premises EPMM instances are vulnerable. High‑impact vulnerabilities like these often draw attention from a wide range of threat actors once advisories are published, increasing the urgency to apply patches. Notably, Endpoint Manager (EPM), Neurons for MDM, and Sentry appliances are not affected.

What are the recommendations?

Barracuda recommends the following actions to reduce risk:

  • Apply the latest Ivanti EPMM patch as outlined in Ivanti’s official advisory (linked below).

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.