Ivanti EPMM Zero-Day Exploitation Exposed Sensitive Government and Enterprise Data
Ivanti warned that two critical zero-day flaws in Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 — were being actively exploited, and subsequent reporting described rapid mass exploitation after proof-of-concept code became public. The attacks hit internet-facing EPMM systems used to manage mobile devices, with incident responders documenting a fully automated intrusion chain that successfully exfiltrated sensitive EPMM data and leveraged lesser-known product behaviors alongside an open-source offensive framework. Germany's BSI also issued an alert on active attacks, underscoring the broad operational impact of the campaign.
The exploitation wave affected both opportunistic victims and targeted organizations, including governments. Dutch authorities disclosed that attackers had maintained access to the Dutch Custodial Institutions Agency's EPMM server for about five months, exposing employee names, email addresses, phone numbers, and location data, with officials warning of elevated blackmail and extortion risks. Ivanti's earlier handling of EPMM flaws, including CVE-2023-35082, had already shown that internet-exposed deployments could enable unauthorized access to personally identifiable information, but the company separately clarified that a later May 2026 advisory for Endpoint Manager (EPM) — covering CVE-2026-8109, CVE-2026-8110, and CVE-2026-8111 — involved a different product and was not tied to the EPMM zero-day exploitation.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Ivanti releases fixes for three Endpoint Manager vulnerabilities
Ivanti published a security advisory for Endpoint Manager (EPM) covering CVE-2026-8109, CVE-2026-8110, and CVE-2026-8111, affecting EPM 2024 SU5 and earlier. The company fixed the issues in Endpoint Manager 2024 SU6 and said it was not aware of customer exploitation before public disclosure, while clarifying these flaws affected EPM rather than EPMM.
DJI implements response measures while forensic investigation continues
Following the confirmed breach, DJI deployed technical and monitoring measures, distributed a response plan to employees, and followed National Cyber Security Centre recommendations. Authorities said a full forensic investigation and root-cause analysis were still underway, and voiced concern about blackmail and extortion risks to staff.
Dutch government confirms breach of DJI Ivanti EPMM server
State Secretary of Justice and Security Van Bruggen confirmed that the Dutch Custodial Institutions Agency (DJI) suffered a breach involving its Ivanti EPMM server. Attackers were found to have maintained access for five months, and exposed data included employee names, email addresses, phone numbers, and location data.
Germany's BSI warns of active zero-day attacks on Ivanti EPMM
Germany's Federal Office for Information Security (BSI) issued a cyber warning stating that active attacks exploiting Ivanti EPMM zero-day vulnerabilities had been observed. The alert reflected escalating official concern over ongoing exploitation.
Incident responders confirm automated data exfiltration in an EPMM breach
In one investigated compromise, an incident response team confirmed attackers used a fully automated and carefully prepared attack chain to exfiltrate sensitive EPMM data. The report also noted lesser-known technical details and a link to an open-source offensive framework.
Mass exploitation of Ivanti EPMM begins
After the proof-of-concept became public, attackers began broad exploitation of vulnerable Ivanti EPMM systems. Reporting described both opportunistic actors and more targeted operators pursuing specific objectives, including governments and other organizations.
Proof-of-concept exploit for the EPMM flaws is published
A proof-of-concept exploit for the two critical Ivanti EPMM remote code execution vulnerabilities was published in late January 2026. Subsequent reporting tied this release to a rapid increase in attacker activity.
Ivanti warns of two zero-day EPMM vulnerabilities under active exploitation
Ivanti published a security advisory for Ivanti Endpoint Manager Mobile covering CVE-2026-1281 and CVE-2026-1340, warning that the flaws were being exploited as zero-days. This marked the public disclosure of the two critical EPMM issues.
Ivanti releases patch for CVE-2023-35082 in EPMM 11.11.0.0
Ivanti said CVE-2023-35082 was patched in EPMM version 11.11.0.0 and recommended network mitigations such as restricting exposed ports because exploitation was possible over HTTP but not HTTPS. The company also noted some customers were exploited after Rapid7 publicly disclosed details and that additional exploitation paths depended on appliance configuration.
Ivanti discloses CVE-2023-35082 in EPMM and MobileIron Core
Ivanti disclosed the remote unauthenticated API access vulnerability CVE-2023-35082 affecting Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9, 11.8 and MobileIron Core 11.7 and below. The flaw could let an internet-facing unauthenticated attacker access users’ personally identifiable information and make limited server changes.
Sources
10 references tracked.
Security Advisory Ivanti Endpoint Manager (EPM) May 2026 (forums.ivanti.com)
Ivanti Hack at Dutch Custodial Agency Under Investigation - Cyberwarzone (cyberwarzone.com)
Ivanti EPMM Exploitation: Hit-and-Run | WithSecure™ Labs (labs.withsecure.com)
BSI - Bundesamt für Sicherheit in der Informationstechnik - Version 1.3: Ivanti EPMM - Active attacks via zero-day vulnerabilities observed (bsi.bund.de)
Ivanti warns of two EPMM flaws exploited in zero-day attacks (hendryadrian.com)
Security Advisory Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-1281 & CVE-2026-1340) (forums.ivanti.com)
KB - Remote Unauthenticated API Access Vulnerability CVE-2023-35082 (forums.ivanti.com)
Ivanti EPMM Exploitation: Hit-and-Run - Infosec.Pub (infosec.pub)