How to find Ivanti Endpoint Manager Mobile (EPMM) instances on your network

Latest Ivanti EPMM vulnerabilities: CVE-2026-1281 and CVE-2026-1340 #

Ivanti disclosed two remote code execution (RCE) vulnerabilities affecting certain versions of Ivanti Endpoint Manager Mobile (EPMM). These vulnerabilities, designated CVE-2026-1281 and CVE-2026-1340 have been rated critical with a CVSS score of 9.8. Both are code injection flaws that allow a remote, unauthenticated adversary to execute arbitrary code on the underlying host.

There is evidence that the vulnerability designated CVE-2026-1281 is being actively exploited in the wild.

The following versions are affected:

• Endpoint Manager Mobile versions 12.5.0.x prior to RPM 12.5.0.x
• Endpoint Manager Mobile versions 12.5.1.0 prior to RPM 12.5.1.x
• Endpoint Manager Mobile versions 12.6.0.x prior to RPM 12.6.0.x
• Endpoint Manager Mobile versions 12.6.1.0 prior to RPM 12.6.1.x
• Endpoint Manager Mobile versions 12.7.0.x prior to RPM 12.7.0.x

What is Ivanti Endpoint Manager Mobile?
#

Ivanti Endpoint Manager Mobile (EPMM) is an on-premises unified endpoint management platform that allows IT administrators to enforce security policies, manage application distribution, and control data access for mobile devices and laptops across an enterprise network.

What is the impact? #

Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the vulnerable process, potentially allowing complete system takeover.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

• Endpoint Manager Mobile versions 12.5.0.x upgrade to version RPM 12.5.0.x
• Endpoint Manager Mobile versions 12.5.1.0 upgrade to version RPM 12.5.1.x
• Endpoint Manager Mobile versions 12.6.0.x upgrade to version RPM 12.6.0.x
• Endpoint Manager Mobile versions 12.6.1.0 upgrade to version RPM 12.6.1.x
• Endpoint Manager Mobile versions 12.7.0.x upgrade to version RPM 12.7.0.x

How to find potentially vulnerable systems with runZero #

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=Ivanti AND product:="Endpoint Manager Mobile"

May 2025: CVE-2025-4427 and CVE-2025-4428 #

Ivanti has disclosed multiple vulnerabilities in its Endpoint Manager Mobile (EPMM) product. These vulnerabilities, when chained together and successfully exploited, would allow a remote, unauthenticated attacker to execute arbitrary code on the vulnerable system.

These vulnerabilities, designated CVE-2025-4427 and CVE-2025-4428 have CVSS scores of 5.3 (medium) and 7.2 (high), respectively. However, in combination these vulnerabilities are significantly more critical than their individual scores may imply.

There is evidence that these vulnerabilities are being actively exploited in the wild.

The following versions are affected:

• Ivanti Endpoint Manager Mobile (EPMM) 11.x versions 11.2.0.4 and prior
• Ivanti Endpoint Manager Mobile (EPMM) 12.3.x versions 12.3.0.1 and prior
• Ivanti Endpoint Manager Mobile (EPMM) 12.4.x versions 12.4.0.1 and prior
• Ivanti Endpoint Manager Mobile (EPMM) 12.5.x versions 12.5.0.0 and prior

What is the impact? #

Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the vulnerable process, potentially allowing complete system takeover.

Are any updates or workaround available? #

Ivanti has released updates to address this vulnerability, and users are advised to update as quickly as possible.

How do I find potentially vulnerable Ivanti EPMM services with runZero? #

From the Asset Inventory use the following query to locate EPMM services on your network:

product:"Ivanti Endpoint Manager Mobile"

July 2023: CVE-2023-35078 #

On July 24th, Ivanti announced that their Endpoint Manager Mobile (EPMM, formerly MobileIron Core) product versions 11.10 and prior contain a critical authentication bypass vulnerability. Successfully exploiting this vulnerability would allow an unauthenticated remote attacker to access users’ personally identifiable information (PII) and make changes to the vulnerable server.

There is evidence that this vulnerability is being exploited in the wild.

What is the impact? #

An unauthenticated remote attacker who successfully exploited this vulnerability would be able to retrieve users’ personally identifiable information (PII) and make changes to the vulnerable server. This is due to an authentication bypass vulnerability, meaning that in some cases an attacker can bypass authentication controls.

With a CVSS score of 10.0, this vulnerability is considered critical. There is evidence that this vulnerability is being exploited in the wild and this vulnerability has been added to the CISA Known Exploited Vulnerabilities catalog.

Are updates available? #

Ivanti has released a patch for this vulnerability and issued guidance for customers on how to upgrade.

How do I find potentially vulnerable Ivanti EPMM services with runZero? #

EPMM can be found by navigating to the Services Inventory and using the following pre-built query to locate EPMM services on your network:

_asset.protocol:http AND protocol:http AND html.title:"Ivanti User Portal: Sign In"

Starting with runZero 3.10.10, from the Asset Inventory use the following pre-built query to locate EPMM services on your network:

product:”Ivanti Endpoint Manager Mobile”

Results from the above query should be triaged to determine if they require patching. As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.