Active Exploitation of Ivanti EPMM Zero-Day RCE Vulnerabilities
Ivanti Endpoint Manager Mobile (EPMM) is being actively exploited via two critical, unauthenticated remote code execution vulnerabilities, CVE-2026-1281 and CVE-2026-1340 (both reported as CVSS 9.8). Reporting describes attackers achieving full control of exposed EPMM/MDM infrastructure, including establishing reverse shells, deploying web shells, performing reconnaissance, and downloading additional malware; activity has been observed across multiple countries and sectors (including government, healthcare, manufacturing, and technology). CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) Catalog, and defenders are urged to apply Ivanti’s available fixes/updates per the vendor advisory.
Telemetry and threat-intel observations indicate broad internet exposure and automation in exploitation. Unit 42 reported visibility into 4,400+ EPMM instances, and noted threat actors shifting from initial exploitation toward dormant backdoors intended to preserve access even after patching. GreyNoise data highlighted that a large share of observed exploitation traffic (reported as 83%) originated from a single IP, 193.24.123.42, associated with “bulletproof” hosting, with attackers rotating user-agent strings consistent with mass scanning/exploitation; the same infrastructure was also linked to attempts against other products (e.g., Oracle WebLogic, telnetd, and GLPI).
Timeline
Feb 17, 2026
Unit 42 publishes IOCs and hunting guidance for defenders
Unit 42 released indicators of compromise and detection guidance, including telemetry and log-hunting recommendations for identifying exploitation of Ivanti EPMM. Ivanti also provided a detection script developed with NCSC-NL and advised organizations to assume breach and rebuild from known-good backups if compromised.
Feb 17, 2026
Unit 42 details automated exploitation and persistent backdoors
Palo Alto Networks Unit 42 reported that attackers were using crafted HTTP GET requests to exploit the two Ivanti EPMM zero-days, leading to reverse shells, JSP web shells, reconnaissance, and second-stage payload delivery. The researchers said attackers were increasingly planting dormant backdoors and using tools such as the Nezha monitoring agent to maintain access after patching.
Feb 16, 2026
GreyNoise attributes 83% of observed attacks to one IP
GreyNoise reported that 83% of observed exploitation attempts were linked to a single IP address, 193.24.123.42, hosted by PROSPERO OOO and labeled by Censys as bulletproof hosting. The finding showed the campaign was heavily dominated by one infrastructure node that had been absent from many early IOC lists.
Feb 16, 2026
Dutch authorities confirm breaches tied to Ivanti EPMM exploitation
Dutch authorities confirmed that the Dutch Data Protection Authority (AP) and the Council for the Judiciary (RVDR) were breached through exploitation of the Ivanti EPMM flaws. The disclosures indicated some organizations were compromised before many defenders had applied patches.
Feb 8, 2026
Exploitation activity spikes on February 8
GreyNoise saw a major surge in exploitation on February 8, when 269 sessions were observed in a single day. This spike highlighted accelerating attacker interest in the Ivanti EPMM vulnerabilities.
Feb 1, 2026
GreyNoise observes broad Ivanti EPMM exploitation from eight IPs
Between February 1 and February 9, GreyNoise recorded 417 exploitation sessions targeting Ivanti EPMM from eight source IP addresses. The activity showed a concentrated campaign against exposed systems shortly after disclosure.
Feb 1, 2026
CISA adds CVE-2026-1281 to the KEV catalog
After active exploitation was confirmed, CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog. Federal agencies were given a remediation deadline of February 1, reflecting the urgency of the threat.
Jan 29, 2026
Ivanti issues advisory and temporary RPM patches for EPMM flaws
In January 2026, Ivanti disclosed CVE-2026-1281 and CVE-2026-1340 and issued an advisory with version-specific RPM mitigations for affected EPMM releases. The company said the patches required no downtime and later indicated a permanent fix was expected in EPMM 12.8.0.0 in Q1 2026.
Jul 1, 2025
Ivanti EPMM flaws may have been exploited as zero-days since July 2025
Security experts cited evidence that CVE-2026-1281 and CVE-2026-1340 may have been exploited in the wild as zero-days as early as July 2025, before public disclosure. This suggests attackers had a long pre-disclosure window to compromise exposed Ivanti EPMM systems.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Malware
Organizations
Affected Products
Sources
Related Stories
Ivanti EPMM Zero-Day RCE via CVE-2026-1281 and CVE-2026-1340
Ivanti disclosed two **critical, actively exploited** Ivanti Endpoint Manager Mobile (*EPMM*) vulnerabilities—**CVE-2026-1281** and **CVE-2026-1340**—described as unauthenticated code-injection issues enabling **remote code execution (RCE)** with a **CVSS 9.8** rating. Ivanti reported exploitation affecting a *very limited number* of customers at disclosure and warned that successful compromise of the EPMM appliance could expose sensitive data stored in the platform (e.g., admin/user details and managed-device metadata such as phone numbers, IPs, installed apps, and identifiers like IMEI/MAC), and potentially allow attackers to change device configurations via the API or web console, including authentication-related settings. Guidance from national cybersecurity authorities emphasized that EPMM’s role in mobile device management can make it a pivot point into internal environments, potentially enabling lateral movement if the appliance is compromised. Affected versions include EPMM **12.5.x, 12.6.x, and 12.7.x** (including **12.5.1.0** and **12.6.1.0** and earlier as specified), while Ivanti’s cloud offerings (e.g., *Ivanti Neurons for MDM*) and *Ivanti Endpoint Manager (EPM)* are not impacted. Ivanti provided interim mitigations/hotfixes (RPM-based) with the caveat that hotfixes may need reapplication after upgrades, and indicated a permanent fix is expected in **EPMM 12.8.0.0**; organizations were advised to patch immediately and review appliances for compromise indicators such as anomalous logs and unexpected admin/configuration changes.
1 weeks ago
Active Exploitation of Ivanti EPMM Flaws Used to Seed Dormant Backdoors and Validate RCE
Active exploitation is targeting **Ivanti Endpoint Manager Mobile (EPMM)** via two critical vulnerabilities—`CVE-2026-1281` (authentication bypass) and `CVE-2026-1340` (remote code execution)—with activity consistent with **initial access broker (IAB)** tradecraft rather than immediate ransomware-style monetization. Reporting indicates attackers are using exploitation to establish footholds and validate access at scale, then disengaging, suggesting the objective is to inventory and package working access for later activation or resale. Post-exploitation behavior described in research includes deployment of a **dormant, in-memory Java class loader** backdoor that is left inactive until a specific trigger is received, with an observed web-accessible artifact at `/mifs/403.jsp`. Separately, GreyNoise telemetry attributes **83% of observed Ivanti exploitation** to a single IP hosted on **bulletproof infrastructure** (PROSPERO OOO, `AS200593`) that is missing from widely circulated IOC lists, while several heavily shared “IOCs” appear to be unrelated (e.g., Windscribe VPN exit nodes primarily scanning **Oracle WebLogic** on port `7001`). GreyNoise also observed prevalent “blind” RCE verification using **OAST DNS callbacks** (rather than immediate payload deployment), reinforcing the assessment that operators are confirming exploitability and staging for follow-on access rather than executing overt actions immediately.
1 months ago
Ivanti Endpoint Manager Mobile Pre-Auth RCE Zero-Days (CVE-2026-1281, CVE-2026-1340)
Ivanti issued emergency patches for two **critical zero-day** vulnerabilities in *Endpoint Manager Mobile (EPMM)*—**CVE-2026-1281** and **CVE-2026-1340**—described as code-injection flaws that can enable **pre-auth remote code execution**. Reporting indicates successful exploitation could allow attackers to run arbitrary code and potentially access sensitive device and user data managed by EPMM, elevating risk for organizations using the product for mobile device management. Technical discussion and community commentary amplified the disclosure, pointing to detailed research write-ups (including analysis focused on exploitation mechanics) and reinforcing the urgency of patching internet-exposed EPMM instances. Separate industry coverage during the same period also emphasized broader 2026 security priorities (AI-enabled social engineering, quantum-readiness, and general vulnerability management), but did not add incident-specific details about the Ivanti EPMM zero-days beyond the general call to improve patching discipline.
1 months ago