Ivanti Releases Temporary Fixes for Two Critical Zero-Day Code Injection Vulnerabilities in EPMM

Ivanti has released temporary patches for two critical code injection vulnerabilities in Endpoint Manager Mobile (EPMM), including CVE-2026-1281, which is actively exploited as a zero-day and has been added to the CISA Known Exploited Vulnerabilities catalog. The second vulnerability is CVE-2026-1340. These flaws affect the In-House Application Distribution and Android File Transfer Configuration features of EPMM, allowing unauthenticated attackers to execute remote code (RCE) on vulnerable on-premises installations. The patches have been available since January 30, 2026.