Security researchers are warning of widespread exploitation targeting a severe remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM). The flaw, identified as CVE-2026-1281, allows attackers to take control of vulnerable systems without authentication and is already being used in real-world attacks.
Threat intelligence data indicates that a large portion of malicious activity is originating from one primary source, raising concerns about coordinated automated exploitation.
⚠️ Two High-Severity Flaws Enable Full System Takeover
CVE-2026-1281 carries a critical severity rating and stems from improper handling of input in backend scripts, allowing attackers to run arbitrary system commands remotely. A second vulnerability, CVE-2026-1340, exposes a similar weakness in another component of the platform.
Together, these flaws can give attackers deep control over affected servers, potentially allowing data theft, service disruption, or deployment of additional malware.
Ivanti issued security guidance in late January, and U.S. federal cybersecurity authorities quickly flagged the vulnerability as actively exploited in the wild.

🌍 Confirmed Breaches Show Real-World Impact
Authorities in Europe have reported successful intrusions linked to these vulnerabilities, including attacks against government institutions responsible for data protection and judicial administration. Evidence suggests that exploitation began before many organizations had applied patches.
Security monitoring during the first week of February revealed hundreds of exploitation attempts from multiple sources, with activity peaking dramatically on a single day.
🛰️ A Single Piece of Infrastructure Appears to Drive Most Attacks
Analysis shows that the majority of malicious traffic can be traced to a single IP address associated with hosting infrastructure known for tolerating abusive activity. Investigators believe the attacker is using automation tools to scan for vulnerable systems at scale.
The same infrastructure has also been linked to attacks against other enterprise software products, indicating a broader campaign rather than a single-target operation.
To avoid detection, the attacker rotates numerous browser identifiers and request patterns, making the activity appear less uniform.

🧩 Gaps in Early Threat Indicators
Some defensive measures may have missed the main threat because early indicators of compromise did not include the most active attack source. In contrast, other flagged IP addresses generated heavy traffic but showed no signs of targeting Ivanti systems.
Organizations that relied solely on incomplete blocklists could therefore remain exposed.
📡 DNS Callbacks Used to Confirm Exploitation
Instead of immediately deploying malware, many attack attempts used DNS queries to verify whether code execution was successful. This technique is commonly employed by initial access brokers, who specialize in breaching systems and later selling access to other threat actors.
Once access is confirmed, attackers can decide whether to deploy additional tools or maintain covert persistence.
🕵️ Hidden Backdoors May Remain After Patching
Investigators have also identified dormant webshells placed on compromised servers. These hidden backdoors can remain inactive until triggered, meaning that even patched systems may still be at risk if attackers gained entry earlier.
Such “sleeper” implants allow adversaries to return later without launching new exploitation attempts.

🛡️ What Organizations Should Do Now
Security experts recommend urgent action for any organization running Ivanti EPMM:
- Apply all available security updates immediately
- Check systems for signs of unauthorized access
- Review logs for unusual activity or DNS requests
- Remove any suspicious files or persistence mechanisms
- Implement network monitoring for abnormal outbound connections
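To make the log-review step concrete for the DNS-callback behaviour described above, here is an added example (not code from the article, Ivanti, or any investigator) that scans resolver logs for lookups from an EPMM host that fall outside its expected domains. The log format, the EPMM address 10.20.0.15, the domain names and the entropy threshold are all assumed or constructed for this example.

```python
import math
import re
from collections import Counter

# Constructed sample resolver log (not real indicators), in an assumed
# "<timestamp> <client_ip> <qtype> <qname>" format.
SAMPLE_DNS_LOG = """\
2026-02-03T10:01:12Z 10.20.0.15 A updates.ivanti.example
2026-02-03T10:01:13Z 10.20.0.15 A time.corp.example
2026-02-03T10:02:40Z 10.20.0.15 A 7f3a9c1e5b2d4a6f.oob-check.example
2026-02-03T10:02:41Z 10.20.0.15 TXT c3VjY2Vzcy1lcG1t.cb.example
2026-02-03T10:05:02Z 10.20.0.42 A mail.corp.example
"""

# Assumed: domains the EPMM appliance legitimately resolves, and its address.
EXPECTED_SUFFIXES = ("ivanti.example", "corp.example")
EPMM_HOSTS = {"10.20.0.15"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random/encoded tokens score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_allowed(qname: str) -> bool:
    return any(qname == s or qname.endswith("." + s) for s in EXPECTED_SUFFIXES)

def flag_dns_callbacks(log_text: str) -> list:
    """Return lookups from EPMM hosts that look like out-of-band callbacks."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, qtype, qname = m.groups()
        if client not in EPMM_HOSTS or is_allowed(qname):
            continue
        leftmost = qname.split(".")[0]
        reasons = ["unexpected domain for EPMM host"]
        if len(leftmost) >= 12 and shannon_entropy(leftmost) > 3.0:
            reasons.append("high-entropy leftmost label (possible encoded token)")
        if qtype == "TXT":
            reasons.append("TXT lookup (common out-of-band data channel)")
        findings.append({"ts": ts, "client": client, "qtype": qtype,
                         "qname": qname, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in flag_dns_callbacks(SAMPLE_DNS_LOG):
        print(finding)
```

Any hit should be correlated with the EPMM web-server logs for the same timestamp, since a callback immediately following an unusual request to the appliance is the pattern the article describes.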
🔎 Bottom Line
The Ivanti EPMM vulnerabilities represent a serious threat to enterprise environments, especially those managing mobile devices at scale. With automated attacks already underway and evidence of stealthy persistence mechanisms, simply installing patches may not be enough.
Organizations should treat this incident as a potential breach scenario and conduct thorough investigations to ensure systems are fully secure.