Ivanti EPMM faces mass exploitation following critical zero-day disclosure
Gugu Ntsele February 5, 2026
Ivanti's Endpoint Manager Mobile software is under active attack from multiple threat groups exploiting two critical zero-day vulnerabilities.
What happened
Attackers are actively exploiting two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), software that allows administrators to control mobile devices and applications. The vulnerabilities each carry a CVSS rating of 9.8 and allow unauthenticated users to execute code remotely. Ivanti disclosed and patched the defects, warning that a very limited number of customers were attacked before disclosure. The Cybersecurity and Infrastructure Security Agency added CVE-2026-1281 to its known exploited vulnerabilities catalog. According to an Ivanti spokesperson, both defects have been exploited, but they have not been chained together for exploitation. More than 1,400 instances of Ivanti EPMM remain exposed to the internet, though it's unknown how many are vulnerable or already compromised.
The backstory
This marks the latest in a series of security incidents affecting Ivanti products. The Cybersecurity and Infrastructure Security Agency has flagged 31 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 19 defects across Ivanti products have been exploited in the past two years. Ivanti disclosed a separate pair of vulnerabilities in EPMM in May 2025. Multiple threat groups last year, including some linked to China, exploited other zero-day defects in Ivanti products.
Going deeper
Ivanti, which offers various enterprise products including email solutions, has seen attackers focus on its EPMM software. The vulnerabilities represent code-injection defects that follow a pattern similar to previous EPMM vulnerabilities. The vulnerabilities are difficult to find, but security researchers note that defensive engineering needs to assume attackers will eventually find non-obvious paths. Remotely exploitable vulnerabilities in network edge devices are an effective attack vector for hackers looking to break into targeted networks.
What was said
Ivanti advised all on-premises EPMM customers to apply the patches, but warned that the script is temporary and will be overridden when customers upgrade the software to a new version. An Ivanti spokesperson said the software package that addresses the defects "takes only seconds to apply, does not cause downtime and significantly increases adoption and protection rates for customers." The company said it will release a permanent fix in a future update but did not specify when.
Threat intelligence expert Ryan Dewhurst told CyberScoop that any organization exposing vulnerable instances to the internet must consider them compromised. "It's important to remember that exposure does not equal exploitation," Dewhurst said. "But any organization exposing vulnerable instances to the internet must consider them compromised, tear down infrastructure and instigate incident response processes."
Ivanti's spokesperson said these types of vulnerabilities are difficult to find, and insisted the company's security and engineering teams acted quickly to address the defects once they were identified.
By the numbers
- 2 critical zero-day vulnerabilities actively exploited
- 9.8 CVSS rating for both CVE-2026-1281 and CVE-2026-1340
- 31 Ivanti defects flagged on CISA's known exploited vulnerabilities catalog since late 2021
- 19 defects across Ivanti products exploited in the past two years
- 13 source IPs observed attempting CVE-2026-1281 exploitation by Saturday
- 1,400+ instances of Ivanti EPMM still exposed to the internet
Why it matters
The pattern of zero-day exploitation followed by mass attacks creates a short timeline for defenders to respond, especially considering EPMM's role in managing mobile device access to corporate networks. With more than 1,400 potentially vulnerable instances still exposed and multiple threat groups actively exploiting the vulnerabilities, organizations using Ivanti EPMM face immediate compromise risk. The frequency of Ivanti vulnerabilities means customers must maintain vigilance and deploy patches quickly.
FAQs
How likely is data exfiltration from managed mobile devices themselves?
If EPMM is compromised, attackers may gain indirect access to device credentials, configurations, and enterprise apps.
Does exploiting EPMM allow attackers to bypass mobile device encryption?
Not directly, but control over management policies could weaken security settings or allow for further attacks.
Are there reliable indicators of compromise organizations can monitor for?
Yes, abnormal admin activity, unexpected configuration changes, and suspicious outbound traffic are warning signs.
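The three warning signs named in that answer can be turned into concrete checks. The script below is an added example, not code from the article, Ivanti, or any vendor tool: it runs a small rule set over constructed audit events in a hypothetical log format (the field names, the policy values and the IP ranges are all made up for the example and must be mapped to whatever your appliance or SIEM actually emits). It flags admin logins from unknown accounts or off-network addresses, configuration changes made outside the approved window or without a change ticket, and appliance-initiated outbound connections to destinations that are not on the allowlist, then escalates any user who appears in both an admin and a configuration finding.

```python
"""Triage constructed EPMM-style audit events against three indicator classes:
abnormal admin activity, unexpected configuration changes, suspicious outbound
traffic. Log format, policy values and addresses are invented for this example."""
import ipaddress
from datetime import datetime, timezone

# Policy the checks are evaluated against (constructed values; a real
# deployment would take these from its own inventory and change process).
POLICY = {
    "admin_accounts": {"mdm-admin", "jdoe"},
    "admin_networks": [ipaddress.ip_network("10.20.0.0/16")],
    "change_window_hours": range(2, 5),  # 02:00-04:59 UTC
    # Internal range plus a documentation range standing in for vendor endpoints.
    "outbound_allow": [ipaddress.ip_network("10.0.0.0/8"),
                       ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed audit events in a hypothetical format (not Ivanti's own output).
SAMPLE_EVENTS = [
    {"ts": "2026-02-03T03:10:00Z", "type": "admin_login", "user": "jdoe", "src_ip": "10.20.4.7"},
    {"ts": "2026-02-03T03:12:00Z", "type": "config_change", "user": "jdoe",
     "object": "wifi-profile", "ticket": "CHG-1042"},
    {"ts": "2026-02-04T14:02:11Z", "type": "admin_login", "user": "svc-backup", "src_ip": "198.51.100.23"},
    {"ts": "2026-02-04T14:02:40Z", "type": "config_change", "user": "svc-backup",
     "object": "device-policy", "ticket": None},
    {"ts": "2026-02-04T14:03:05Z", "type": "outbound", "dst_ip": "198.51.100.23", "dst_port": 443, "bytes": 48213},
    {"ts": "2026-02-04T14:05:00Z", "type": "outbound", "dst_ip": "203.0.113.10", "dst_port": 443, "bytes": 2048},
]


def _ip_in(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def check_admin_activity(ev, policy):
    """Admin login by an account not in inventory, or from outside the admin network."""
    if ev["type"] != "admin_login":
        return None
    reasons = []
    if ev["user"] not in policy["admin_accounts"]:
        reasons.append("account not in admin inventory")
    if not _ip_in(ev["src_ip"], policy["admin_networks"]):
        reasons.append("login from outside admin network")
    return reasons or None


def check_config_change(ev, policy):
    """Configuration change outside the approved window or without a change ticket."""
    if ev["type"] != "config_change":
        return None
    reasons = []
    when = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    if when.hour not in policy["change_window_hours"]:
        reasons.append("change outside approved window")
    if not ev.get("ticket"):
        reasons.append("change without a change ticket")
    return reasons or None


def check_outbound(ev, policy):
    """Appliance-initiated connection to a destination not on the allowlist."""
    if ev["type"] != "outbound":
        return None
    if not _ip_in(ev["dst_ip"], policy["outbound_allow"]):
        return ["outbound connection to non-allowlisted destination"]
    return None


CHECKS = {"admin": check_admin_activity, "config": check_config_change, "outbound": check_outbound}


def triage(events, policy=POLICY):
    """Run every check over every event; return one finding per (event, rule) hit."""
    findings = []
    for idx, ev in enumerate(events):
        for rule, check in CHECKS.items():
            reasons = check(ev, policy)
            if reasons:
                findings.append({"index": idx, "ts": ev["ts"], "rule": rule,
                                 "user": ev.get("user"), "reasons": reasons})
    return findings


def escalate(findings):
    """Users with both an anomalous admin login and a flagged config change."""
    by_user = {}
    for f in findings:
        if f["user"]:
            by_user.setdefault(f["user"], set()).add(f["rule"])
    return sorted(u for u, rules in by_user.items() if {"admin", "config"} <= rules)


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["ts"]} [{h["rule"]}] event {h["index"]}: {"; ".join(h["reasons"])}')
    print("escalate:", escalate(hits))
```

On the constructed sample the first two events (an inventoried admin on the admin network, changing a profile inside the window with a ticket) produce nothing, while the later sequence produces an admin, a config and an outbound finding and escalates the `svc-backup` account. The rules are deliberately simple; the value is in keeping an inventory of admin accounts, networks, change windows and permitted egress destinations so that deviations from it are visible at all.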