It’s one month into 2026, and vulnerability disclosures have already started piling in at record-breaking rates. As of today, around 26,000 CVEs have been assigned, with around 10,000 of those already being published on NVD, the national vulnerability database. One of those vulnerabilities is CVE-2026-1281, a remote code execution exploit in Invanti Endpoint Manager Mobile (EPMM).
Using data provided by the CrowdSec Network, we can now confirm that this vulnerability is being actively exploited in the wild, resulting in its inclusion in the CISA KEV catalog. Security teams must now act to patch the vulnerable systems as soon as possible.
Key findings
- Active exploitation of CVE-2026-1281 was observed starting on February 4th, 2026, and the vulnerability has been added to CISA KEV.
- CVE-2026-1281 originates from an issue in a Bash handler of a specific EPMM endpoint. It allows for almost immediate remote code execution.
- The campaign targeting CVE-2026-1281 originates from a few but potent attackers, making pre-emptive security a powerful protection mechanism.
What is Ivanti Endpoint Manager Mobile (EPMM)?
Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, is an enterprise endpoint management platform. It provides solutions for Mobile Device Management (MDM) and Mobile Application Management (MAM). In other words, EPMM is used by IT administrators to secure and manage mobile devices, applications, and content across an organization. It allows companies to enforce security policies on their employees’ company phones, wipe devices remotely in cases of theft, and distribute internal apps. This makes EPMM a core part of an enterprise’s security posture. Compromise of an EPMM appliance gives attackers full control over the managed mobile fleet. This can lead to exfiltration of sensitive data, precise geolocation tracking of employees, and the ability to wipe or deploy malware to managed devices.
How does CVE-2026-1281 work?
CVE-2026-1281 is a pre-authentication Remote Code Execution (RCE) vulnerability discovered by WatchTowr Labs. The vulnerability originates from the web server configuration, which routes specific URL requests to a Bash script for processing. Bash is a very popular scripting language, and its associated shell is the default for both MacOS and most Linux systems. The vulnerability appears because requests to /mifs/c/appstore/fob/ are handled by a script named map-appstore-url. This script fails to properly sanitize user inputs before using them in a Bash context. Attackers can therefore inject malicious payloads via URL parameters, causing Bash to execute them as commands when it evaluates the given requests.
WatchTowr researchers demonstrated that by crafting specific URL-encoded payloads, an unauthenticated attacker can execute arbitrary commands as the web server user, eventually gaining full control of the appliance. Given that EPMM is used to deploy and configure mobile devices, this exploit provides a very large attack surface for further exploitation.
Data Details & Observations of CVE-2026-1281
Data from the CrowdSec Network suggests that exploitation of CVE-2026-1281 is being done by sophisticated attackers who are targeting a broad section of the web to find vulnerable EPMM instances. So far, only very few attackers have been observed, but the few attackers CrowdSec has seen have been observed attacking over 500 distinct machines. The high volume of signals per attacker suggests persistent attempts or automated exploitation campaigns against identified targets. The activity began picking up around February 2, 2026, shortly after the public disclosure.
How to protect your systems
- Harden your Ivanti EPMM configuration:
- Install the RPM patch released by Ivanti as per their advisory. Ensure that the patch persists during reboots.
- Prevent outside access to your EPMM by protecting the system behind a VPN. EPMM is security-critical and shouldn’t be accessible from the outside.
- Upgrade to EPMM 12.8.0.0 as soon as it’s released:
- CVE-2026-1281 is fixed with release 12.8.0.0 of Ivanti EPMM.
- Protect your systems using a WAF:
- Use tools such as CrowdSec to automatically identify and block IP addresses engaging in this exploitation behavior. A detection rule for this CVE is publicly available on the CrowdSec Hub.