Active Exploitation of Ivanti EPMM Zero-Day RCE Vulnerabilities
Ivanti Endpoint Manager Mobile (EPMM) is being actively exploited via two critical, unauthenticated remote code execution vulnerabilities, CVE-2026-1281 and CVE-2026-1340 (both reported as CVSS 9.8). Reporting describes attackers achieving full control of exposed EPMM/MDM infrastructure, including establishing reverse shells, deploying web shells, performing reconnaissance, and downloading additional malware; activity has been observed across multiple countries and sectors (including government, healthcare, manufacturing, and technology). CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) Catalog, and defenders are urged to apply Ivanti’s available fixes/updates per the vendor advisory.
Telemetry and threat-intel observations indicate broad internet exposure and automation in exploitation. Unit 42 reported visibility into 4,400+ EPMM instances, and noted threat actors shifting from initial exploitation toward dormant backdoors intended to preserve access even after patching. GreyNoise data highlighted that a large share of observed exploitation traffic (reported as 83%) originated from a single IP, 193.24.123.42, associated with “bulletproof” hosting, with attackers rotating user-agent strings consistent with mass scanning/exploitation; the same infrastructure was also linked to attempts against other products (e.g., Oracle WebLogic, telnetd, and GLPI).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Unit 42 publishes IOCs and hunting guidance for defenders
Unit 42 released indicators of compromise and detection guidance, including telemetry and log-hunting recommendations for identifying exploitation of Ivanti EPMM. Ivanti also provided a detection script developed with NCSC-NL and advised organizations to assume breach and rebuild from known-good backups if compromised.
Unit 42 details automated exploitation and persistent backdoors
Palo Alto Networks Unit 42 reported that attackers were using crafted HTTP GET requests to exploit the two Ivanti EPMM zero-days, leading to reverse shells, JSP web shells, reconnaissance, and second-stage payload delivery. The researchers said attackers were increasingly planting dormant backdoors and using tools such as the Nezha monitoring agent to maintain access after patching.
GreyNoise attributes 83% of observed attacks to one IP
GreyNoise reported that 83% of observed exploitation attempts were linked to a single IP address, 193.24.123.42, hosted by PROSPERO OOO and labeled by Censys as bulletproof hosting. The finding showed the campaign was heavily dominated by one infrastructure node that had been absent from many early IOC lists.
Dutch authorities confirm breaches tied to Ivanti EPMM exploitation
Dutch authorities confirmed that the Dutch Data Protection Authority (AP) and the Council for the Judiciary (RVDR) were breached through exploitation of the Ivanti EPMM flaws. The disclosures indicated some organizations were compromised before many defenders had applied patches.
Exploitation activity spikes on February 8
GreyNoise saw a major surge in exploitation on February 8, when 269 sessions were observed in a single day. This spike highlighted accelerating attacker interest in the Ivanti EPMM vulnerabilities.
GreyNoise observes broad Ivanti EPMM exploitation from eight IPs
Between February 1 and February 9, GreyNoise recorded 417 exploitation sessions targeting Ivanti EPMM from eight source IP addresses. The activity showed a concentrated campaign against exposed systems shortly after disclosure.
CISA adds CVE-2026-1281 to the KEV catalog
After active exploitation was confirmed, CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog. Federal agencies were given a remediation deadline of February 1, reflecting the urgency of the threat.
Ivanti issues advisory and temporary RPM patches for EPMM flaws
In January 2026, Ivanti disclosed CVE-2026-1281 and CVE-2026-1340 and issued an advisory with version-specific RPM mitigations for affected EPMM releases. The company said the patches required no downtime and later indicated a permanent fix was expected in EPMM 12.8.0.0 in Q1 2026.
Ivanti EPMM flaws may have been exploited as zero-days since July 2025
Security experts cited evidence that CVE-2026-1281 and CVE-2026-1340 may have been exploited in the wild as zero-days as early as July 2025, before public disclosure. This suggests attackers had a long pre-disclosure window to compromise exposed Ivanti EPMM systems.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Attacks on 2 critical Ivanti EPMM bugs surge worldwide | SC Media
scworld.com
Open sourceCritical Ivanti EPMM Zero-Day Vulnerabilities Exploited in The Wild Targeting Corporate Networks
cybersecuritynews.com
Open sourceAttackers Deploy Dormant Backdoors In Ivanti EPMM
thecyberexpress.com
Open sourceCritical Vulnerabilities in Ivanti EPMM Exploited
unit42.paloaltonetworks.com
Open sourceSingle IP Dominates Exploitation Campaign Attacking Ivanti EPMM with RCE Vulnerability
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ivanti EPMM Zero-Day RCE via CVE-2026-1281 and CVE-2026-1340
Ivanti disclosed two **critical, actively exploited** Ivanti Endpoint Manager Mobile (*EPMM*) vulnerabilities—**CVE-2026-1281** and **CVE-2026-1340**—described as unauthenticated code-injection issues enabling **remote code execution (RCE)** with a **CVSS 9.8** rating. Ivanti reported exploitation affecting a *very limited number* of customers at disclosure and warned that successful compromise of the EPMM appliance could expose sensitive data stored in the platform (e.g., admin/user details and managed-device metadata such as phone numbers, IPs, installed apps, and identifiers like IMEI/MAC), and potentially allow attackers to change device configurations via the API or web console, including authentication-related settings. Guidance from national cybersecurity authorities emphasized that EPMM’s role in mobile device management can make it a pivot point into internal environments, potentially enabling lateral movement if the appliance is compromised. Affected versions include EPMM **12.5.x, 12.6.x, and 12.7.x** (including **12.5.1.0** and **12.6.1.0** and earlier as specified), while Ivanti’s cloud offerings (e.g., *Ivanti Neurons for MDM*) and *Ivanti Endpoint Manager (EPM)* are not impacted. Ivanti provided interim mitigations/hotfixes (RPM-based) with the caveat that hotfixes may need reapplication after upgrades, and indicated a permanent fix is expected in **EPMM 12.8.0.0**; organizations were advised to patch immediately and review appliances for compromise indicators such as anomalous logs and unexpected admin/configuration changes.
May 7, 2026
Ivanti EPMM Zero-Day Exploitation Exposed Sensitive Government and Enterprise Data
Ivanti warned that two critical zero-day flaws in **Endpoint Manager Mobile (EPMM)** — `CVE-2026-1281` and `CVE-2026-1340` — were being actively exploited, and subsequent reporting described rapid mass exploitation after proof-of-concept code became public. The attacks hit internet-facing EPMM systems used to manage mobile devices, with incident responders documenting a fully automated intrusion chain that successfully exfiltrated sensitive EPMM data and leveraged lesser-known product behaviors alongside an open-source offensive framework. Germany's BSI also issued an alert on active attacks, underscoring the broad operational impact of the campaign. The exploitation wave affected both opportunistic victims and targeted organizations, including governments. Dutch authorities disclosed that attackers had maintained access to the Dutch Custodial Institutions Agency's EPMM server for about five months, exposing employee names, email addresses, phone numbers, and location data, with officials warning of elevated blackmail and extortion risks. Ivanti's earlier handling of **EPMM** flaws, including `CVE-2023-35082`, had already shown that internet-exposed deployments could enable unauthorized access to personally identifiable information, but the company separately clarified that a later May 2026 advisory for **Endpoint Manager (EPM)** — covering `CVE-2026-8109`, `CVE-2026-8110`, and `CVE-2026-8111` — involved a different product and was not tied to the EPMM zero-day exploitation.
May 25, 2026
Ivanti EPMM Zero-Day CVE-2026-6973 Exploited via Stolen Admin Credentials
Ivanti disclosed active exploitation of **CVE-2026-6973**, a high-severity improper input validation flaw in on-premises **Endpoint Manager Mobile (EPMM)** that allows remote code execution when used with administrator authentication. The company said exploitation has been limited to a small number of customers and assessed with high confidence that attackers are using administrator credentials stolen during earlier January attacks involving **CVE-2026-1281** and **CVE-2026-1340**. Affected versions are EPMM releases prior to **12.6.1.1**, **12.7.0.1**, and **12.8.0.1**; Ivanti said **Neurons for MDM**, **EPM**, **Sentry**, and other products are not affected. Ivanti also patched four additional high-severity EPMM flaws—**CVE-2026-5786**, **CVE-2026-5787**, **CVE-2026-5788**, and **CVE-2026-7821**—covering certificate validation and access-control weaknesses that could enable host impersonation, unauthorized access, arbitrary method invocation, and unauthorized device enrollment, though the vendor said it has no evidence those bugs were exploited. **CISA** added CVE-2026-6973 to its **Known Exploited Vulnerabilities** catalog and ordered U.S. federal agencies to remediate by **May 10, 2026**, while national cyber agencies in Canada and Finland urged immediate patching. Ivanti advised customers to rotate EPMM administrator credentials, review privileged accounts, hunt for compromise artifacts such as webshells and reverse shells, and reduce public exposure of management interfaces; internet scans have identified more than **850** exposed EPMM instances, mainly in Europe and North America.
May 10, 2026