DIVD-2026-00002 - DIVD-2026-00002 – Ivanti Endpoint Manager Mobile Vulnerabilities

Our reference	DIVD-2026-00002
Case lead	Victor Pasman
Researcher(s)	Davy Aarts Victor Pasman
CVE(s)	CVE-2026-1281
Versions	12.5.0.0 and prior, 12.6.0.0 and prior, 12.7.0.0 and prior, 12.5.1.0 and prior, 12.6.1.0 and prior,
Patch status	Available
Status	Open
Last modified	05 Feb 2026 16:25 CET

Summary

Two critical vulnerabilities have been found in in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron. One of these vulnerabilities is actively exploited in the wild, and public Proof-of-Concept (PoC) exploit code is available.

Organizations using Ivanti EPMM are strongly advised to apply patches immediately and assume compromise if systems were exposed prior to mitigation.

What is happening?

Ivanti has released security updates addressing two vulnerabilities that allow remote code execution without authentication. According to Ivanti, targeted attacks exploiting one of these vulnerabilities have already been observed.

The availability of PoC code significantly increases the risk of widespread exploitation.

What we are doing

We are scanning for Ivanti Endpoint Manager Mobile (EPMM) instances exposed to the internet that may be vulnerable to these flaws. We will notify affected parties so they can take appropriate action.

Technical Details

Affected Product

Ivanti Endpoint Manager Mobile (EPMM / MobileIron)

Other Ivanti products, such as Ivanti EPM, Ivanti Neurons for MDM, and Ivanti Sentry, are not affected.

Impact

Successful exploitation can result in:

Full system compromise
Unauthorized access to sensitive data
Persistence mechanisms installed by attackers
Lateral movement within enterprise environments

Due to confirmed active exploitation, the impact should be considered severe for unpatched systems.

Mitigation and Recommendations

Immediate Actions

Apply Ivanti security updates for EPMM immediately
Treat systems as potentially compromised if exposed prior to patching
Rotate credentials and cryptographic keys associated with affected systems
Review logs and network traffic for signs of exploitation or lateral movement

Additional Measures

Perform threat hunting focused on EPMM exploitation techniques
Rebuild affected systems if compromise is suspected
Monitor vendor and NCSC updates for additional indicators of compromise

Timeline

Date	Description
29 Jan 2026	Initial publication vulnerabilities
04 Feb 2026	Advisory updated to include public PoC availability
05 Feb 2026	Case started by DIVD researchers
05 Feb 2026	Scanned instances and send out the notifications

gantt title DIVD-2026-00002 - DIVD-2026-00002 – Ivanti Endpoint Manager Mobile Vulnerabilities dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2026-00002 - DIVD-2026-00002 – Ivanti Endpoint Manager Mobile Vulnerabilities (still open) :2026-02-05, 2026-02-12 section Events Initial publication vulnerabilities : milestone, 2026-01-29, 0d Advisory updated to include public PoC availability : milestone, 2026-02-04, 0d Case started by DIVD researchers : milestone, 2026-02-05, 0d Scanned instances and send out the notifications : milestone, 2026-02-05, 0d

DIVD CSIRT