What happened
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors are deploying a malware variant known as RESURGE against vulnerable Ivanti Endpoint Manager Mobile (EPMM) devices, where the malware can lie dormant for weeks before activating to execute commands and facilitate broader compromise. The advisory noted that adversaries have exploited critical EPMM vulnerabilities, including CVE-2026-1281 and CVE-2026-24061, to gain initial access to systems, then install RESURGE components that wait for specific triggers before carrying out malicious activity such as downloading additional payloads, establishing persistence, and evading detection. CISA added the vulnerabilities and abuse techniques to its Known Exploited Vulnerabilities catalog and highlighted that RESURGE's delayed activation makes it harder to detect and remediate in enterprise environments.
Who is affected
Organizations running vulnerable versions of Ivanti Endpoint Manager Mobile (EPMM) are affected, as attackers can exploit known critical flaws to install dormant RESURGE malware that may activate later to execute further malicious actions.
Why CISOs should care
The warning illustrates how malware can lie dormant on enterprise management infrastructure, complicating detection and enabling threat actors to extend their foothold before carrying out additional operations.
3 practical actions
- Apply Ivanti EPMM patches immediately. Update to fixed versions that address critical vulnerabilities exploited to install RESURGE.
- Audit device management telemetry. Look for indicators of dormant malware and unusual callbacks before activation.
- Monitor for activation triggers. Detect anomalous behavior or scheduled tasks that could indicate RESURGE activation attempts.
