Critical Ivanti EPMM Vulnerabilities Under Attack: Global Surge in Exploitation
Global Surge in Attacks on Ivanti Endpoint Mobile Manager
A surge in attacks targeting two critical vulnerabilities in Ivanti Endpoint Mobile Manager (EPMM) has been observed globally, with threat actors exploiting the flaws to gain remote code execution (RCE) capabilities.
The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, have been used to establish reverse shells, install web shells, and conduct reconnaissance on a broad range of industries in the US, Germany, Australia, and Canada.
According to researchers at Palo Alto Networks’ Unit 42, the attackers have accelerated their operations, moving from initial reconnaissance to deploying dormant backdoors designed to maintain long-term access even after organizations apply patches.
The researchers identified over 4,400 EPMM instances in their telemetry, highlighting the scope of the issue.
Vulnerability Disclosure and Exploitation
The vulnerabilities were first disclosed in January, with CVE-2026-1281 added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog on January 28.
“This gives attackers six months of access before disclosure,” said Michael Bell, CEO at Suzu Labs. “Patching doesn’t evict someone who’s already inside, so organizations need to check their logs back to July 2025.”
Bell emphasized the importance of architecting around the assumption that edge appliances will have critical vulnerabilities, regardless of the vendor, and segmenting accordingly.
Attackers’ Tactics and Recommendations
Randolph Barr, CISO at Cequence Security, noted that the attackers are shifting from initial exploitation to persistence, deploying web shells, reverse shells, and legitimate open-source tools like the Nezha monitoring agent as backdoors. “Nezha isn’t malware by design, but when installed post-compromise, it provides low-visibility, long-term remote control that can survive superficial patching,” said Barr.
Damon Small, a board member at Xcape, Inc., highlighted the alarming prospect of skilled adversaries evading detection for long periods while gathering information and planning future attacks.
For organizations using Ivanti products, experts recommend patching immediately, then performing a thorough compromise assessment, resetting credentials, examining logs, and considering rebuilding affected devices from scratch.
Network segmentation and more robust access controls can also help mitigate the impact of future vulnerabilities.
Conclusion
The exploitation of these vulnerabilities serves as a reminder of the importance of prioritizing vulnerability management and patching, as well as the need for a proactive approach to security.
As Bell noted, “Organizations running any edge appliance should architect around the assumption that these products will have critical vulnerabilities again, regardless of vendor, and segment accordingly.”
