Critical Ivanti EPMM Vulnerabilities Lead to Fast-Moving Exploitation Attempts


What happened

Two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited, and security teams are scrambling to patch vulnerable systems. According to the report, Ivanti acknowledged that a “very limited number” of customers had already been exploited before the issues were publicly disclosed, and researchers warned that the initial activity appeared highly targeted rather than opportunistic. Rapid7 senior principal security researcher Stephen Fewer said the evidence points to deliberate attacks against exposed EPMM instances. The Shadowserver Foundation reported a spike in exploitation attempts against CVE-2026-1281, with traffic from multiple source IP addresses, and counted more than 1,400 potentially vulnerable EPMM instances still reachable from the internet. Post-compromise activity observed by analysts included attempts to establish reverse shells or callbacks and the deployment of backdoor web shells on affected systems. Ivanti has issued security updates for the flaws and urged customers to apply them as soon as possible.

Who is affected

Organisations running vulnerable instances of Ivanti Endpoint Manager Mobile (EPMM) that are exposed to untrusted networks are affected: attackers are actively exploiting the flaws to establish callbacks, set up reverse shells and deploy web shells on the compromised systems.

Why CISOs should care

Active exploitation of critical vulnerabilities in a mobile device management platform, one that enforces security policies on and manages enterprise endpoints, is a direct risk to the wider estate: an attacker who controls the management infrastructure can translate that into control over the connected devices and gain new access paths into the organisation.

3 practical actions

  • Apply Ivanti's patches immediately. Upgrade EPMM installations to the fixed versions to remediate the exploited vulnerabilities.
  • Audit exposed instances. Identify every publicly reachable EPMM system and isolate it (restrict access to trusted networks) until it is patched, to reduce the window for exploitation.
  • Monitor post-exploit indicators. Review EPMM and surrounding network logs for reverse-shell activity, newly dropped web shells and unexpected outbound callbacks. Given the reports of exploitation before disclosure, assume an unpatched internet-facing instance may already be compromised and check for these indicators both before and after patching.
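The third action above is the one most teams have to improvise. The following is an added example, written for this page and not code from the article, Ivanti or the researchers it quotes, that scans two kinds of constructed log lines for the post-compromise behaviour the article describes: a web shell dropped onto the appliance, and a callback or lateral connection initiated from it. The log formats, the application path baseline, the appliance address and the egress allowlist are all assumptions for illustration; substitute your own telemetry and a baseline taken from a known-clean host.

```python
"""Hunt for web-shell deployment and callback traffic around an EPMM appliance.

Added example, not from the article or vendor. Everything below that looks
like a site-specific fact (paths, addresses, allowlists, log formats) is an
assumption for illustration.
"""
import ipaddress
import re

# Assumed: combined-format access log from the reverse proxy in front of EPMM.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed baseline of paths the application legitimately serves (build it from a clean host).
KNOWN_PATHS = {"/login", "/api/v1/devices", "/api/v1/policies", "/static/app.js"}

# Server-side script extensions that should never appear as newly created resources.
SCRIPT_EXT = (".jsp", ".jspx", ".php", ".aspx", ".war")

# Assumed: outbound connection log "ts src:sport -> dst:dport proto" from the firewall.
EGRESS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
)
EPMM_HOST = "10.20.30.40"                          # assumed appliance address
INTERNAL_NET = ipaddress.ip_network("10.20.30.0/24")  # assumed management segment
# Assumed allowlist: the few destination/port pairs the appliance legitimately reaches.
ALLOWED_EGRESS = {"10.20.30.5": {53}, "10.20.30.6": {443}}


def parse_access_line(line):
    """Return the access-log fields as a dict, or None for lines that do not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_candidates(lines, known_paths=KNOWN_PATHS):
    """Flag requests that look like a dropped web shell: a script-typed path that is
    not in the baseline and is either written (POST/PUT) or served successfully.
    A 404 for an unknown .php path is only a probe and is deliberately not flagged."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path in known_paths or not path.lower().endswith(SCRIPT_EXT):
            continue
        if rec["method"] in ("POST", "PUT") or rec["status"].startswith("2"):
            hits.append((rec["src"], rec["method"], path, rec["status"]))
    return hits


def find_suspicious_egress(lines, host=EPMM_HOST, allowed=ALLOWED_EGRESS):
    """Flag connections initiated by the appliance to any destination/port outside
    the allowlist. A management appliance has a small, stable egress profile, so
    anything else is a callback candidate (external) or lateral movement (internal)."""
    hits = []
    for line in lines:
        m = EGRESS_RE.match(line)
        if not m or m["src"] != host:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if dport in allowed.get(dst, set()):
            continue
        kind = "lateral" if ipaddress.ip_address(dst) in INTERNAL_NET else "callback"
        hits.append((m["ts"], dst, dport, kind))
    return hits


# Constructed sample data (not real traffic): one attacker drops and uses a shell,
# another only probes for an old PHP file; the appliance then reaches out twice.
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "GET /login HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:01:09 +0000] "PUT /static/sys.jsp HTTP/1.1" 201 0 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2026:10:01:15 +0000] "GET /static/sys.jsp?cmd=id HTTP/1.1" 200 118 "-" "curl/8.0"
198.51.100.4 - - [12/Mar/2026:10:02:00 +0000] "GET /api/v1/devices HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2026:10:02:30 +0000] "GET /old/admin.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""
EGRESS_LOG = """\
2026-03-12T10:01:20Z 10.20.30.40:51234 -> 10.20.30.5:53 udp
2026-03-12T10:01:21Z 10.20.30.40:51300 -> 203.0.113.7:4444 tcp
2026-03-12T10:01:22Z 10.20.30.41:40000 -> 203.0.113.9:443 tcp
2026-03-12T10:01:25Z 10.20.30.40:51310 -> 10.20.30.99:22 tcp
"""

if __name__ == "__main__":
    for hit in find_webshell_candidates(ACCESS_LOG.splitlines()):
        print("web shell candidate:", hit)
    for hit in find_suspicious_egress(EGRESS_LOG.splitlines()):
        print("suspicious egress:", hit)
```

The two checks are deliberately baseline-driven rather than signature-driven: a web shell is whatever executable resource the application did not ship with, and a callback is whatever the appliance talks to that it never talked to before, so the logic survives a change of shell name or attacker infrastructure. The price is that the baselines must come from a host you trust; build them before exposure, not from the instance under investigation.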