Active Exploitation of Ivanti EPMM Flaws Used to Seed Dormant Backdoors and Validate RCE
Active exploitation is targeting Ivanti Endpoint Manager Mobile (EPMM) via two critical vulnerabilities—CVE-2026-1281 (authentication bypass) and CVE-2026-1340 (remote code execution)—with activity consistent with initial access broker (IAB) tradecraft rather than immediate ransomware-style monetization. Reporting indicates attackers are using exploitation to establish footholds and validate access at scale, then disengaging, suggesting the objective is to inventory and package working access for later activation or resale.
Post-exploitation behavior described in research includes deployment of a dormant, in-memory Java class loader backdoor that is left inactive until a specific trigger is received, with an observed web-accessible artifact at /mifs/403.jsp. Separately, GreyNoise telemetry attributes 83% of observed Ivanti exploitation to a single IP hosted on bulletproof infrastructure (PROSPERO OOO, AS200593) that is missing from widely circulated IOC lists, while several heavily shared “IOCs” appear to be unrelated (e.g., Windscribe VPN exit nodes primarily scanning Oracle WebLogic on port 7001). GreyNoise also observed prevalent “blind” RCE verification using OAST DNS callbacks (rather than immediate payload deployment), reinforcing the assessment that operators are confirming exploitability and staging for follow-on access rather than executing overt actions immediately.

How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
watchTowr publishes proof-of-concept exploit for EPMM flaw
watchTowr published a proof-of-concept exploit for the Ivanti EPMM vulnerability after disclosure and amid active exploitation. The release added public technical detail that could aid validation and offensive testing of exposed systems.
CISA adds CVE-2026-1281 to the KEV catalog
Following evidence of active exploitation, CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog and set a three-day remediation deadline for affected organizations. This formalized the flaw's status as an actively exploited federal priority.
Defenders publish detection guidance and urge compromise assumptions
Ivanti and NCSC-NL released a detection script, while NCSC-NL advised EPMM users to assume compromise and perform forensic investigations. Defused Cyber also published log-based hunting guidance and recommended patching plus application server restarts to clear RAM-resident implants.
GreyNoise says widely shared Ivanti IOCs are misleading
GreyNoise reported on February 10, 2026 that several heavily circulated indicators of compromise for the Ivanti campaign did not match its telemetry. It said the main exploitation source IP, 193.24.123.42 on PROSPERO OOO, was missing from common IOC lists, while other published IOCs appeared either to be unrelated or to belong to compromised infrastructure.
Researchers identify dormant in-memory backdoor at /mifs/403.jsp
By February 10-11, 2026, Defused Cyber and other reporting revealed that attackers were implanting a dormant, fileless in-memory Java class loader at /mifs/403.jsp on compromised Ivanti EPMM systems. The implant remained inactive until triggered with a specific parameter, making detection difficult and supporting the initial-access-broker assessment.
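A defender-side hunt over web access logs for the artifact described above, added here as an example; it is not the detection script released by Ivanti and NCSC-NL, nor Defused Cyber's hunting guidance. It assumes the EPMM front-end logs requests in Apache combined format (an assumption; the sample lines are constructed, and 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for benign traffic). It uses the reported path /mifs/403.jsp and the GreyNoise-reported source IP from this page. Because the trigger parameter is not public, any request to the path is flagged regardless of query string; the script then tallies requesting IPs and reports which of them are absent from whatever IOC list the analyst supplies, the gap GreyNoise described.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache combined format (an assumed format; real
# EPMM logs may differ). The query string on the POST is arbitrary sample data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:08:01:12 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
193.24.123.42 - - [10/Feb/2026:08:03:44 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 0 "-" "python-requests/2.31"
193.24.123.42 - - [10/Feb/2026:08:03:45 +0000] "POST /mifs/403.jsp?x=1 HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.23 - - [10/Feb/2026:09:15:02 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 0 "-" "curl/8.4.0"
203.0.113.9 - - [10/Feb/2026:09:20:10 +0000] "GET /mifs/c/d/mobile.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Path of the dormant class-loader artifact reported on compromised EPMM hosts.
BACKDOOR_PATH = "/mifs/403.jsp"

# Fields of a combined-format line that the hunt needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_backdoor_request(entry):
    """True when the request path (query string ignored) is the reported artifact.
    The trigger parameter is not known from public reporting, so every access to
    the path is treated as suspicious rather than matching on a parameter."""
    return urlsplit(entry["target"]).path == BACKDOOR_PATH

def hunt(log_text, known_iocs):
    """Flag backdoor-path requests and list source IPs missing from the IOC set.
    Returns (hits, per_ip_counts, ips_not_in_ioc_list)."""
    hits = [e for e in map(parse_line, log_text.splitlines())
            if e and is_backdoor_request(e)]
    counts = Counter(e["ip"] for e in hits)
    missing = sorted(ip for ip in counts if ip not in known_iocs)
    return hits, counts, missing

if __name__ == "__main__":
    # A deliberately incomplete IOC set, mirroring the GreyNoise observation that
    # the dominant source IP was absent from circulated lists.
    circulated_iocs = {"198.51.100.23"}
    hits, counts, missing = hunt(SAMPLE_LOG, circulated_iocs)
    for e in hits:
        print(f"{e['ts']} {e['ip']} {e['method']} {e['target']} {e['status']} {e['ua']}")
    print("requests per source IP:", dict(counts))
    print("hitting the path but absent from IOC list:", missing)
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents and the IOC set with the list in use; an IP that appears in the "absent from IOC list" output is exactly the case the page warns about, and a hit with status 200 on this path warrants the assume-compromise investigation and application-server restart the defenders recommended.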
Shadowserver sees internet-wide surge of EPMM exploitation attempts
On February 9, 2026, Shadowserver observed more than 28,300 unique source IPs attempting to exploit CVE-2026-1281. The largest share of traffic originated from the United States, followed by the United Kingdom and Russia.
GreyNoise records major spike in Ivanti exploitation activity
On February 8, 2026, GreyNoise saw a sharp surge to 269 exploitation sessions against Ivanti EPMM. The company later attributed 83% of observed exploitation during the period to a single bulletproof-hosted IP address, 193.24.123.42.
European government entities report compromises linked to EPMM bugs
Shortly after disclosure, multiple European public-sector organizations were reported compromised via the Ivanti EPMM flaws, including Finland's Valtori, two Dutch government agencies, and an unnamed European Commission mobile device management platform. These incidents marked an escalation from vulnerability disclosure to confirmed victim impact.
Ivanti releases security updates and temporary fixes for EPMM flaws
On February 4, 2026, Ivanti released a patch and security updates for the EPMM vulnerabilities after first providing a temporary fix. Reporting also noted temporary RPM patches and that a permanent fix was planned for EPMM 12.8.0.0 in Q1 2026.
Exploitation of Ivanti EPMM begins in observed campaign
Defused Cyber reported a stealthy campaign targeting Ivanti EPMM began on February 4, 2026, with attackers exploiting the two flaws to gain access. The activity was assessed as consistent with an initial access broker operation.
GreyNoise observes sustained exploitation from a small set of IPs
Between February 1 and February 9, GreyNoise recorded 417 Ivanti EPMM exploitation sessions from eight source IPs. Most payloads used OAST-style DNS callbacks to verify remote code execution rather than immediately deploy malware, indicating target validation activity.
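The OAST-style verification described above leaves a DNS lookup rather than a file on disk, so the resolver log is where it can be hunted. The following is an added example (not GreyNoise's detection logic) that assumes a resolver log in the form "timestamp client qname qtype" (an assumed format; the sample lines are constructed and 192.0.2.10 is a placeholder for the EPMM appliance). It flags queries from EPMM hosts that resolve under a widely used public OAST service or that carry the long, high-entropy leftmost label such services use to encode an interaction id; the service domains listed are real service names, not indicators from this story.

```python
import math
import re
from collections import Counter

# Constructed resolver log lines: "<ts> <client_ip> <qname> <qtype>" (an assumed
# format; adjust LOG_RE for the resolver in use). The callback names are
# invented, not observed IOCs.
SAMPLE_DNS = """\
2026-02-08T14:02:11Z 192.0.2.10 ntp.example.net A
2026-02-08T14:02:19Z 192.0.2.10 c8jq9l2a4tq1p0h2r6k7vx3n9mvm5b8ty.oast.fun A
2026-02-08T14:02:20Z 192.0.2.10 c8jq9l2a4tq1p0h2r6k7vx3n9mvm5b8ty.oast.fun AAAA
2026-02-08T14:03:40Z 192.0.2.55 www.example.org A
2026-02-08T14:05:02Z 192.0.2.10 q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6j.callback-placeholder.example A
"""

# Domains of widely used public OAST services (a partial, analyst-maintained
# list of real service names; none of them is an IOC from this story).
OAST_SUFFIXES = ("interact.sh", "oast.fun", "oast.me", "oast.live", "oast.site",
                 "oast.online", "oast.pro", "oastify.com", "burpcollaborator.net")

# Fallback heuristic: OAST services encode a unique interaction id as a long,
# random-looking leftmost label. Thresholds are assumptions to tune locally.
MIN_LABEL_LEN = 20
MIN_ENTROPY = 3.5

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+)$')

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def classify(qname):
    """Return a reason string if qname looks like an OAST callback, else None."""
    name = qname.rstrip(".").lower()
    if any(name == suf or name.endswith("." + suf) for suf in OAST_SUFFIXES):
        return "known OAST service"
    label = name.split(".")[0]
    if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY:
        return "long high-entropy label"
    return None

def find_callbacks(log_text, epmm_hosts):
    """Flag suspicious queries issued by the EPMM hosts. An appliance has no
    reason to resolve attacker-chosen external names, so the lookup itself is
    the signal, independent of any payload that may follow."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["client"] not in epmm_hosts:
            continue
        reason = classify(m["qname"])
        if reason:
            flagged.append({**m.groupdict(), "reason": reason})
    return flagged

if __name__ == "__main__":
    for hit in find_callbacks(SAMPLE_DNS, {"192.0.2.10"}):
        print(f"{hit['ts']} {hit['client']} {hit['qname']} {hit['qtype']}  <- {hit['reason']}")
```

A flagged lookup dated inside the exploitation window is evidence that a request reached code execution on the appliance even when no implant was dropped, which is why the page treats these callbacks as validation of access rather than as a benign scan.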
Ivanti discloses two critical EPMM zero-days with active exploitation
Ivanti publicly disclosed CVE-2026-1281 and CVE-2026-1340 affecting Endpoint Manager Mobile on January 29, 2026, and acknowledged limited in-the-wild exploitation at the time of disclosure. The flaws were described as critical remote code execution issues.
Sources
Clandestine IP primarily behind attacks exploiting Ivanti EPMM bugs | SC Media (scworld.com)
Ivanti EPMM Zero-Day Bugs Spark Exploit Frenzy — Again (darkreading.com)
Massive Spike in Attacks Exploiting Ivanti EPMM Systems 0-day Vulnerability (cybersecuritynews.com)
Sleeping with the Enemy: Dormant Backdoors Found in Ivanti EPMM (securityonline.info)
Ivanti EPMM exploitation: Researchers warn of "sleeper" webshells - Help Net Security (helpnetsecurity.com)
Active Ivanti Exploitation Traced to Single Bulletproof IP-Published IOC Lists Point Elsewhere (greynoise.io)