Active Exploitation of Ivanti EPMM Flaws Used to Seed Dormant Backdoors and Validate RCE

actively-exploited-vulnerability, rapid-weaponization, cybercrime-service-ecosystem, threat-infrastructure-tracking, command-and-control-method
Updated March 21, 2026 at 02:35 PM · 6 sources

Active exploitation is targeting Ivanti Endpoint Manager Mobile (EPMM) via two critical vulnerabilities—CVE-2026-1281 (authentication bypass) and CVE-2026-1340 (remote code execution)—with activity consistent with initial access broker (IAB) tradecraft rather than immediate ransomware-style monetization. Reporting indicates attackers are using exploitation to establish footholds and validate access at scale, then disengaging, suggesting the objective is to inventory and package working access for later activation or resale.

Post-exploitation behavior described in research includes deployment of a dormant, in-memory Java class loader backdoor that is left inactive until a specific trigger is received, with an observed web-accessible artifact at /mifs/403.jsp. Separately, GreyNoise telemetry attributes 83% of observed Ivanti exploitation to a single IP hosted on bulletproof infrastructure (PROSPERO OOO, AS200593) that is missing from widely circulated IOC lists, while several heavily shared “IOCs” appear to be unrelated (e.g., Windscribe VPN exit nodes primarily scanning Oracle WebLogic on port 7001). GreyNoise also observed prevalent “blind” RCE verification using OAST DNS callbacks (rather than immediate payload deployment), reinforcing the assessment that operators are confirming exploitability and staging for follow-on access rather than executing overt actions immediately.
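The two concrete artifacts named above, the web-accessible implant path /mifs/403.jsp and the GreyNoise-attributed source 193.24.123.42, are the kind of thing the log-based hunting guidance in the timeline below is built on. The following Python is an added example, not code from Mallory, GreyNoise or Defused Cyber: it parses a handful of constructed combined-format web access log lines, flags any request to the implant artifact (the trigger parameter is not given on this page, so every hit on that path is treated as suspicious, and a request carrying any query string is called out separately) and any request from the attributed IP, then counts unique sources per flagged path for triage. The log format, the sample lines, the placeholder query parameter and the private/documentation addresses are all assumptions for the example.

```python
"""
Hunt web access logs for two indicators from the Ivanti EPMM reporting:
requests to the dormant implant artifact /mifs/403.jsp and traffic from the
attributed bulk-exploitation source 193.24.123.42.  Added example; the log
format is assumed to be Apache/Tomcat "combined" and the lines are constructed.
"""
import re
from dataclasses import dataclass, field

# Indicators taken from the story text.  The implant's trigger parameter is not
# public here, so any request to the artifact is flagged rather than a specific one.
IMPLANT_PATH = "/mifs/403.jsp"
ATTRIBUTED_SOURCE_IPS = {"193.24.123.42"}

# Assumed "combined" access log layout; adjust the regex to the real format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines: 10.0.0.5 and 203.0.113.7 are placeholders; "?param=x"
# is a placeholder query string standing in for the unknown trigger parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2026:09:12:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2026:09:12:44 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Feb/2026:09:13:02 +0000] "POST /mifs/403.jsp?param=x HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '193.24.123.42 - - [10/Feb/2026:09:15:30 +0000] "GET /mifs/ HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    "this line is deliberately unparseable and must be skipped, not crash the hunt",
]


@dataclass
class Finding:
    line_no: int
    ip: str
    target: str
    status: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines, implant_path=IMPLANT_PATH, bad_ips=ATTRIBUTED_SOURCE_IPS):
    """Scan log lines and return a Finding for every line matching an indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped; count them separately if needed
        path, _, query = rec["target"].partition("?")
        reasons = []
        if path == implant_path:
            reasons.append("request to dormant implant artifact")
            if query:
                reasons.append("artifact requested with parameters (possible trigger)")
        if rec["ip"] in bad_ips:
            reasons.append("source IP attributed to bulk exploitation")
        if reasons:
            findings.append(Finding(n, rec["ip"], rec["target"], rec["status"], reasons))
    return findings


def summarize(findings):
    """Unique source IPs per flagged path (query string stripped), for triage."""
    per_path = {}
    for f in findings:
        per_path.setdefault(f.target.partition("?")[0], set()).add(f.ip)
    return {path: len(ips) for path, ips in per_path.items()}


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: {h.ip} {h.target} ({h.status}) -> {'; '.join(h.reasons)}")
    print("unique sources per flagged path:", summarize(hits))
```

A hit on /mifs/403.jsp with a 200 response is worth treating as a compromise indicator on its own; since the implant is RAM-resident, the timeline's guidance to patch and restart the application server applies regardless of whether the trigger request itself was captured.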

Timeline

  1. Feb 12, 2026

    watchTowr publishes proof-of-concept exploit for EPMM flaw

    watchTowr published a proof-of-concept exploit for the Ivanti EPMM vulnerability after disclosure and amid active exploitation. The release added public technical detail that could aid validation and offensive testing of exposed systems.

  2. Feb 11, 2026

    CISA adds CVE-2026-1281 to the KEV catalog

    Following evidence of active exploitation, CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog and set a three-day remediation deadline for affected organizations. This formalized the flaw's status as an actively exploited federal priority.

  3. Feb 11, 2026

    Defenders publish detection guidance and urge compromise assumptions

    Ivanti and NCSC-NL released a detection script, while NCSC-NL advised EPMM users to assume compromise and perform forensic investigations. Defused Cyber also published log-based hunting guidance and recommended patching plus application server restarts to clear RAM-resident implants.

  4. Feb 10, 2026

    GreyNoise says widely shared Ivanti IOCs are misleading

    GreyNoise reported on February 10, 2026 that several heavily circulated indicators of compromise for the Ivanti campaign did not match its telemetry. It said the main exploitation source IP, 193.24.123.42 on PROSPERO OOO, was missing from common IOC lists, while other published IOCs appeared to be unrelated or compromised infrastructure.

  5. Feb 10, 2026

    Researchers identify dormant in-memory backdoor at /mifs/403.jsp

    By February 10-11, 2026, Defused Cyber and other reporting revealed that attackers were implanting a dormant, fileless in-memory Java class loader at /mifs/403.jsp on compromised Ivanti EPMM systems. The implant remained inactive until triggered with a specific parameter, making detection difficult and supporting the initial-access-broker assessment.

  6. Feb 9, 2026

    Shadowserver sees internet-wide surge of EPMM exploitation attempts

    On February 9, 2026, Shadowserver observed more than 28,300 unique source IPs attempting to exploit CVE-2026-1281. The largest share of traffic originated from the United States, followed by the United Kingdom and Russia.

  7. Feb 8, 2026

    GreyNoise records major spike in Ivanti exploitation activity

    On February 8, 2026, GreyNoise saw a sharp surge to 269 exploitation sessions against Ivanti EPMM. The company later attributed 83% of observed exploitation during the period to a single bulletproof-hosted IP address, 193.24.123.42.

  8. Feb 4, 2026

    European government entities report compromises linked to EPMM bugs

    Shortly after disclosure, multiple European public-sector organizations were reported compromised via the Ivanti EPMM flaws, including Finland's Valtori, two Dutch government agencies, and an unnamed European Commission mobile device management platform. These incidents marked an escalation from vulnerability disclosure to confirmed victim impact.

  9. Feb 4, 2026

    Ivanti releases security updates and temporary fixes for EPMM flaws

    On February 4, 2026, Ivanti released a patch and security updates for the EPMM vulnerabilities after first providing a temporary fix. Reporting also noted temporary RPM patches and that a permanent fix was planned for EPMM 12.8.0.0 in Q1 2026.

  10. Feb 4, 2026

    Exploitation of Ivanti EPMM begins in observed campaign

    Defused Cyber reported a stealthy campaign targeting Ivanti EPMM began on February 4, 2026, with attackers exploiting the two flaws to gain access. The activity was assessed as consistent with an initial access broker operation.

  11. Feb 1, 2026

    GreyNoise observes sustained exploitation from a small set of IPs

    Between February 1 and February 9, GreyNoise recorded 417 Ivanti EPMM exploitation sessions from eight source IPs. Most payloads used OAST-style DNS callbacks to verify remote code execution rather than deploying malware immediately, indicating target validation activity.

  12. Jan 29, 2026

    Ivanti discloses two critical EPMM zero-days with active exploitation

    Ivanti publicly disclosed CVE-2026-1281 and CVE-2026-1340 affecting Endpoint Manager Mobile on January 29, 2026, and acknowledged limited in-the-wild exploitation at the time of disclosure. The flaws were described as critical remote code execution issues.


Related Stories

Active Exploitation of Ivanti EPMM Zero-Day RCE Vulnerabilities

**Ivanti Endpoint Manager Mobile (EPMM)** is being actively exploited via two critical, unauthenticated remote code execution vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340** (both reported as CVSS 9.8). Reporting describes attackers achieving full control of exposed EPMM/MDM infrastructure, including establishing reverse shells, deploying web shells, performing reconnaissance, and downloading additional malware; activity has been observed across multiple countries and sectors (including government, healthcare, manufacturing, and technology). **CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) Catalog**, and defenders are urged to apply Ivanti’s available fixes/updates per the vendor advisory. Telemetry and threat-intel observations indicate broad internet exposure and automation in exploitation. Unit 42 reported visibility into **4,400+** EPMM instances, and noted threat actors shifting from initial exploitation toward **dormant backdoors** intended to preserve access even after patching. GreyNoise data highlighted that a large share of observed exploitation traffic (reported as **83%**) originated from a single IP, `193.24.123.42`, associated with “bulletproof” hosting, with attackers rotating user-agent strings consistent with mass scanning/exploitation; the same infrastructure was also linked to attempts against other products (e.g., Oracle WebLogic, `telnetd`, and GLPI).

1 month ago
Rapid Post-Disclosure Exploitation of Critical RCE Vulnerabilities

Security teams reported rapid, opportunistic exploitation of newly disclosed **unauthenticated remote code execution (RCE)** flaws, with attackers moving quickly from scanning to compromise. JPCERT/CC documented active compromise following disclosure of **React2Shell** in React Server Components (**CVE-2025-55182**), where multiple threat actors exploited the same exposed environment within days—initially dropping coin miners (e.g., `xmrig`), then deploying additional payloads including the **HISONIC** backdoor, **SNOWLIGHT** downloader, and **CrossC2**, and culminating in actions like cron-based persistence and website defacement. Separately, GreyNoise telemetry cited by BleepingComputer indicated that exploitation of two critical Ivanti Endpoint Manager Mobile (EPMM) RCEs (**CVE-2026-21962**, **CVE-2026-24061**) was heavily concentrated, with a single bulletproof-hosted source IP (193[.]24[.]123[.]42, PROSPERO OOO/AS200593) responsible for **83%** of observed activity and widespread use of OAST-style DNS callbacks consistent with initial-access validation. Several other items in the set were not tied to a single, specific exploitation event. A Help Net Security “week in review” roundup mixed interviews and assorted security items (including mention of an exploited BeyondTrust RCE) without providing a cohesive, single-incident account, while an NCSC-themed weekly highlights post primarily summarized guidance and calls for participation rather than detailing a discrete compromise. A CloudATG “insights” page contained unrelated, older recap and generic security content, and a Risky Business bulletin focused on law-enforcement developments around **IcedID** operators (including an alleged developer faking his death) rather than vulnerability exploitation activity.

1 month ago
Active Exploitation of Critical Infrastructure Management RCE Flaws

Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.

1 month ago