
Ivanti EPMM Zero-Days Chained for Unauthenticated RCE Against NATO-Allied Government

Codex Consulting Group · 5 min read

Overview

Ivanti has disclosed two zero-day vulnerabilities in Endpoint Manager Mobile (EPMM), its enterprise mobile device management platform. Chained together, CVE-2026-1281 and CVE-2026-1340 allow unauthenticated remote code execution on EPMM servers. Attackers already used them to compromise the network of at least one NATO-allied government.

CISA added both vulnerabilities to the Known Exploited Vulnerabilities catalog on January 29, with a federal remediation deadline of February 19. If your organization manages mobile devices through Ivanti EPMM, this needs your attention right now.

Technical Details

The two vulnerabilities work as a chain. Each one alone is dangerous, but combined they give an attacker a clean path from zero access to full server compromise.

CVE-2026-1281 (CVSS 9.8) is an unauthenticated remote code execution vulnerability in the EPMM API layer. An attacker can reach the vulnerable endpoint without any credentials. Ivanti classifies it as an “open redirect” flaw that, when paired with the second vulnerability, allows arbitrary code execution. The CVSS 9.8 score reflects what security teams already know instinctively: unauthenticated RCE on an internet-facing management server is about as bad as it gets.

CVE-2026-1340 (CVSS 7.2) is an authenticated remote code execution vulnerability that requires administrative privileges. On its own, you’d need valid admin credentials to exploit it. But that’s where the chain comes in: CVE-2026-1281 provides the initial access that makes this second flaw reachable without legitimate credentials.

The result: a fully unauthenticated attack path to arbitrary code execution on the EPMM server.

Affected Versions

  • EPMM 12.3.0.1 and earlier
  • EPMM 12.4.0.1 and earlier
  • EPMM 12.5.0.0 and earlier

Ivanti released patched versions on January 29:

  • EPMM 12.3.0.2
  • EPMM 12.4.0.2
  • EPMM 12.5.0.1

Who Exploited This, and How

Mandiant tracks the threat actor behind this campaign as UNC5221. If that name sounds familiar, it should. This is the same group linked to previous Ivanti exploitation campaigns, including the mass exploitation of Ivanti Connect Secure VPN appliances in early 2025. They have a pattern: find Ivanti zero-days, exploit them against high-value government targets, and move fast before patches land.

In this case, UNC5221 chained the two EPMM vulnerabilities to gain initial access to a NATO-allied government’s network. The specific country hasn’t been named publicly, but the targeting tells you something about who’s behind UNC5221 and what they’re after. Mandiant has attributed them to a China-nexus threat cluster with a consistent focus on government and defense targets.

EPMM servers are particularly attractive targets. They manage mobile device enrollment, policy enforcement, and application deployment across an organization. Compromising one gives an attacker visibility into the entire mobile device fleet, including which devices exist, who owns them, what policies are applied, and potentially the ability to push malicious configurations or applications to managed devices.

Impact

This vulnerability combination hits enterprise organizations in several ways.

Direct server compromise. Unauthenticated RCE means any EPMM server exposed to the internet (and many are, since mobile devices need to reach them) is at risk. No credentials required, no user interaction needed.

Mobile device fleet exposure. EPMM manages device enrollment, configuration profiles, and app distribution. An attacker with control of the server could potentially access device inventories, push malicious profiles, or extract sensitive configuration data.

Lateral movement springboard. MDM servers typically have network access to internal infrastructure, including Active Directory, certificate authorities, and email systems. A compromised EPMM server provides a pivot point into the broader enterprise network.

Repeat targeting pattern. UNC5221’s history with Ivanti products means organizations that were affected by earlier Ivanti campaigns should be on heightened alert. The same threat actor is coming back to the same well.

Recommendations

  1. Patch immediately. Update EPMM to version 12.3.0.2, 12.4.0.2, or 12.5.0.1 depending on your release branch. This is the single most important step.

  2. Check whether your EPMM server is internet-facing. If it is (most are, for mobile device connectivity), assume it was scannable and potentially targeted. Review access logs for the EPMM API endpoints, particularly any unusual requests to the endpoints associated with CVE-2026-1281.

  3. Hunt for post-exploitation indicators. Look for unexpected administrative accounts, modified configurations, new device enrollment policies, or any signs that the server was used as a pivot point. Check for outbound connections to unfamiliar infrastructure.

  4. Review network segmentation around your MDM server. EPMM shouldn’t have unrestricted access to your internal network. If it does, this is a good time to fix that, regardless of whether you were compromised.

  5. Restrict API access. Where possible, limit which networks can reach the EPMM API. Mobile devices need connectivity, but not every IP on the internet should be able to hit management endpoints.

  6. Monitor CISA’s KEV catalog. The February 19 federal deadline applies to FCEB agencies, but every organization should treat that timeline as a reasonable upper bound. If you can patch faster, do it.

  7. Cross-reference with previous Ivanti incidents. If your organization was affected by the Connect Secure VPN exploitation earlier in 2025, review whether UNC5221 may have used that access to map your environment. Attackers who already have reconnaissance data move faster when new vulnerabilities drop.
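As an added example (not Ivanti's code and not part of the original post), the Python below supports two of the steps above: it flags EPMM builds that sit below the fixed versions listed in this post, and it counts requests to management endpoints from addresses outside an admin allowlist in constructed access-log lines. The log format, the management path prefixes and the admin networks are assumptions to replace with the values for your deployment.

```python
import ipaddress
import re
from collections import Counter

# Lowest fixed build per release branch, per the advisory above.
FIXED = {"12.3": (12, 3, 0, 2), "12.4": (12, 4, 0, 2), "12.5": (12, 5, 0, 1)}


def needs_patch(version):
    """True if an EPMM version string is below the fixed build for its branch."""
    parts = tuple(int(p) for p in version.split("."))
    branch = ".".join(version.split(".")[:2])
    if branch in FIXED:
        return parts < FIXED[branch]
    if parts < FIXED["12.3"]:
        return True  # older branch: covered by "12.3.0.1 and earlier"
    raise ValueError(f"release branch {branch} is not covered by the advisory")


# Assumptions: management endpoints live under these path prefixes (placeholders,
# replace with the paths Ivanti documents) and admins come from these networks.
MGMT_PREFIXES = ("/admin/", "/api/v2/admin/")
ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
# Assumed common log format: client, ident, user, [time], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def untrusted_mgmt_hits(lines):
    """Count (source IP, path) pairs hitting management endpoints from outside ADMIN_NETS."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, _method, path, _status = m.groups()
        if not path.startswith(MGMT_PREFIXES):
            continue  # device-facing traffic is expected from anywhere
        if any(ipaddress.ip_address(src) in net for net in ADMIN_NETS):
            continue
        hits[(src, path)] += 1
    return hits


# Constructed sample log lines (not real EPMM output).
SAMPLE_LOG = [
    '10.1.2.3 - admin [29/Jan/2026:08:00:01 +0000] "GET /admin/users HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Jan/2026:08:00:05 +0000] "POST /api/v2/admin/users HTTP/1.1" 200 88',
    '198.51.100.7 - - [29/Jan/2026:08:00:06 +0000] "POST /api/v2/admin/users HTTP/1.1" 200 88',
    '192.0.2.9 - - [29/Jan/2026:08:01:10 +0000] "POST /enroll/checkin HTTP/1.1" 200 40',
]
```

Run `untrusted_mgmt_hits` over your real access logs for the window before the patch was applied; repeated hits on management paths from unexpected sources are the requests step 2 tells you to look for.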

MITRE ATT&CK Mapping

  • T1190, Exploit Public-Facing Application: Unauthenticated exploitation of internet-facing EPMM API
  • T1059, Command and Scripting Interpreter: Remote code execution on the EPMM server
  • T1078, Valid Accounts: Potential abuse of MDM administrative access post-exploitation
  • T1021, Remote Services: Lateral movement from compromised MDM server to internal systems
  • T1199, Trusted Relationship: MDM server’s inherent trust relationships with managed devices and internal infrastructure

Timeline

Date                Event
January 29, 2026    Ivanti discloses CVE-2026-1281 and CVE-2026-1340, releases patches
January 29, 2026    CISA adds both CVEs to Known Exploited Vulnerabilities catalog
January 29, 2026    Mandiant attributes exploitation to UNC5221, confirms NATO-allied government targeted
February 19, 2026   CISA remediation deadline for federal agencies

How CCG Can Help

If you run Ivanti EPMM and need help determining whether your environment was compromised, or you want to get ahead of this before it becomes a bigger problem, reach out to us. Our team can assist with:

  • Compromise assessment focused on EPMM server forensics, including API log analysis, configuration review, and detection of post-exploitation artifacts from UNC5221 tradecraft
  • Incident response to contain active intrusions, isolate compromised MDM infrastructure, and coordinate remediation across your mobile device fleet
  • Architecture review of your MDM deployment to evaluate network segmentation, API exposure, and access controls that reduce the blast radius of future MDM vulnerabilities
  • Penetration testing of your perimeter-facing management interfaces to identify similar exposure patterns before the next zero-day drops

We’ve helped organizations respond to previous Ivanti exploitation campaigns and understand the patterns these threat actors follow. If you’re concerned about your exposure, we’re ready to help.
