Critical Ivanti EPMM Vulnerabilities Lead to Fast-Moving Exploitation Attempts


What happened

Two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited, leaving security teams scrambling to patch vulnerable systems. According to the report, Ivanti acknowledged that a “very limited number” of customers had already experienced exploitation before the issues were publicly disclosed, and security researchers warned that initial activity appeared highly targeted rather than indiscriminate. Stephen Fewer, senior principal security researcher at Rapid7, said the evidence points to deliberate attacks against exposed EPMM instances. The Shadowserver Foundation reported a spike in exploitation attempts against CVE-2026-1281, with traffic observed from multiple source IP addresses and more than 1,400 potentially vulnerable EPMM instances still reachable from the internet. Post-compromise activity observed by analysts included attempts to establish reverse shells or callbacks and the deployment of backdoor web shells on affected systems. Ivanti has issued security updates for the flaws and urged customers to apply them as soon as possible.

Who is affected

Organisations running vulnerable instances of Ivanti Endpoint Manager Mobile (EPMM) that are exposed to untrusted networks are affected, as attackers are actively exploiting the flaws to execute callbacks, set up reverse shells, and deploy web shells against compromised systems. 

Why CISOs should care

Active exploitation of critical vulnerabilities in a mobile device management platform, one that exists to enforce security policy and manage endpoints, underscores the risk to enterprise systems: compromised management infrastructure can give an attacker broader control over the connected devices and additional paths into the environment.

3 practical actions

  • Apply Ivanti patches immediately. Update EPMM installations to the fixed versions to remediate the exploited vulnerabilities. 
  • Audit exposed instances. Identify and isolate publicly reachable EPMM systems to reduce exploitation risk. 
  • Monitor post-exploit indicators. Review logs for reverse shell activity, web shell deployment, and unusual callbacks on EPMM infrastructure.
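The third action above is the one most teams find hardest to turn into a concrete check. The following script is an added example, not code from the article or from Ivanti, showing two such checks a defender can run offline: flagging outbound connections from the EPMM host to destinations that are neither allowlisted nor inside trusted internal ranges (the footprint of a reverse shell or callback), and diffing a web-root file manifest against a known-good baseline to surface newly dropped server-side script files (the footprint of a web shell). The host address, allowlist, log format, file paths and digests are all constructed placeholders; substitute your own firewall or netflow export and a manifest taken from a clean install.

```python
"""Post-exploitation triage helpers (added example; all data below is constructed)."""
import ipaddress
import re
from collections import Counter

# Constructed outbound-connection log in a simple key=value style. The EPMM
# server address (10.0.5.20) and every destination are placeholders.
SAMPLE_CONN_LOG = """\
2026-01-20T10:00:01Z src=10.0.5.20 dst=10.0.5.10 dport=443 proto=tcp dir=out
2026-01-20T10:00:05Z src=10.0.5.20 dst=10.0.9.50 dport=389 proto=tcp dir=out
2026-01-20T10:01:12Z src=10.0.5.20 dst=203.0.113.77 dport=4444 proto=tcp dir=out
2026-01-20T10:01:15Z src=10.0.5.20 dst=203.0.113.77 dport=4444 proto=tcp dir=out
2026-01-20T10:02:40Z src=10.0.5.20 dst=198.51.100.9 dport=443 proto=tcp dir=out
"""

EPMM_HOST = "10.0.5.20"                      # placeholder management server
ALLOWED_DST = {"10.0.5.10", "10.0.9.50"}     # placeholder: known peers (DB, LDAP, ...)
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # placeholder: trusted internal range

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+) dir=(?P<dir>\S+)$"
)


def parse_conn_log(text):
    """Parse key=value connection records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def suspicious_callbacks(records, host, allowed_dst, allowed_nets):
    """Count outbound (dst, port) pairs from `host` that are neither explicitly
    allowlisted nor inside a trusted network. A management appliance should have
    a short, stable list of peers, so anything else is worth a look; vendor
    update endpoints belong in the allowlist, not silently ignored."""
    hits = Counter()
    for r in records:
        if r["src"] != host or r["dir"] != "out":
            continue
        dst = r["dst"]
        if dst in allowed_dst:
            continue
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            addr = None  # a hostname rather than an IP: not in any trusted net
        if addr is not None and any(addr in net for net in allowed_nets):
            continue
        hits[(dst, r["dport"])] += 1
    return hits


# Constructed web-root manifests (path -> content digest). A real baseline
# would be captured from a clean install of the same build.
BASELINE_MANIFEST = {
    "/srv/www/app/index.jsp": "a1b2c3",
    "/srv/www/app/static/logo.png": "d4e5f6",
}
CURRENT_MANIFEST = {
    "/srv/www/app/index.jsp": "a1b2c3",
    "/srv/www/app/static/logo.png": "d4e5f6",
    "/srv/www/app/static/cache.jsp": "0f0f0f",   # constructed: new file since baseline
}

SCRIPT_EXTS = (".jsp", ".jspx", ".php", ".aspx", ".war")


def web_root_changes(baseline, current):
    """Return (kind, path) for every file that is new, modified or removed."""
    changes = []
    for path, digest in current.items():
        if path not in baseline:
            changes.append(("new", path))
        elif baseline[path] != digest:
            changes.append(("modified", path))
    for path in baseline:
        if path not in current:
            changes.append(("removed", path))
    return changes


def suspected_web_shells(changes, script_exts=SCRIPT_EXTS):
    """New or modified server-side script files are the classic web shell footprint."""
    return [c for c in changes
            if c[0] in ("new", "modified") and c[1].lower().endswith(script_exts)]


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for (dst, port), n in suspicious_callbacks(recs, EPMM_HOST, ALLOWED_DST, ALLOWED_NETS).items():
        print(f"unexpected outbound: {EPMM_HOST} -> {dst}:{port} ({n} connections)")
    for kind, path in suspected_web_shells(web_root_changes(BASELINE_MANIFEST, CURRENT_MANIFEST)):
        print(f"review {kind} script file: {path}")
```

Both checks are deliberately allowlist-based rather than signature-based: a reverse shell to a previously unseen address on an arbitrary port, or a freshly written script file under the web root, is caught without knowing the attacker's tooling in advance. The cost is that legitimate new peers and legitimate updates show up too, so keep the allowlist and the baseline manifest current with each patch cycle.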