A pair of flaws affecting Ivanti’s Endpoint Manager Mobile have been exploited in attacks impacting a ‘very limited’ number of customers, the company says.
A pair of critical-severity vulnerabilities affecting an Ivanti mobile management tool have been exploited in cyberattacks, according to the company.
The flaws—tracked at CVE-2026-1281 and CVE-2026-1340—affect Ivanti’s Endpoint Manager Mobile and have been exploited in attacks impacting a “very limited” number of customers, Ivanti said in an advisory Thursday.
[Related: 10 Major Cyberattacks And Data Breaches In 2025]
Patches are available to address the vulnerabilities, Ivanti said.
“No downtime is required to apply this patch, and we are not aware of any feature functionality impact with this patch,” the company said.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released its own advisory Thursday confirming that at least one of the vulnerabilities (CVE-2026-1281) has been exploited by threat actors.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA said in the advisory.
Both vulnerabilities have a “critical” severity score of 9.8 out of 10.0.
In its advisory, Ivanti said the code injection vulnerabilities can be exploited to enable remote execution of code without authentication.
“We are aware of a very limited number of customers who have been exploited at the time of disclosure,” the company said in its advisory.
CRN has reached out to Ivanti for further comment.
CISA ordered federal agencies to implement patches for the Ivanti vulnerabilities by Feb. 1.
While the order only applies to Federal Civilian Executive Branch agencies, CISA “strongly urges” all impacted organizations to prioritize remediation of exploited vulnerabilities such as these, the agency said.
