Ivanti EPMM Zero-Day Exploitation Attempts Surge, Affecting Global Enterprise Mobile Management Systems

Massive Surge in Exploitation Attempts Targeting Ivanti EPMM Zero-Day Vulnerability

In early February 2026, cybersecurity researchers observed an unprecedented spike in exploitation attempts targeting a critical zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), identified as CVE-2026-1281. This flaw, carrying a CVSS severity score of 9.8, allows unauthenticated attackers to execute arbitrary code remotely on vulnerable systems.

On February 9, 2026, the Shadowserver Foundation reported over 28,300 unique source IP addresses attempting to exploit this vulnerability, marking one of the largest coordinated attack campaigns against enterprise mobile management infrastructure to date. The majority of these attempts originated from the United States, accounting for approximately 72% of the observed attack sources. Other significant sources included the United Kingdom and Russia, with additional activity from countries such as Iraq, Spain, Poland, France, Italy, Germany, and Ukraine.

Understanding CVE-2026-1281

CVE-2026-1281 is a pre-authentication code injection vulnerability stemming from improper input sanitization in a Bash handler at the `/mifs/c/appstore/fob/` endpoint of Ivanti’s EPMM. This flaw enables attackers to inject malicious payloads via URL parameters, leading to the execution of arbitrary commands as the web server user. The vulnerability affects multiple versions of EPMM, including 12.5.0.0, 12.6.0.0, and 12.7.0.0.

Coordinated Attack Campaigns

Security researchers from GreyNoise and Defused have identified a more deliberate component within this exploitation wave: a suspected initial access broker deploying sleeper webshells on compromised EPMM instances. Over 80% of the exploitation activity in their telemetry traces back to a single IP address operating behind bulletproof hosting infrastructure, which points to a coordinated operation intended to establish persistent access for resale to, or follow-on use by, other threat actors. This delayed-activation approach differs from typical opportunistic attacks: the backdoors remain dormant until they are activated for a specific operation, so an instance can be compromised without showing any obvious post-exploitation activity.

Given that EPMM manages mobile devices, applications, and content across enterprise environments, successful exploitation provides attackers with extensive control over corporate mobile infrastructure. This includes the ability to deploy additional payloads to managed devices and facilitate lateral movement within targeted networks.

Ivanti’s Response and Mitigation Measures

Ivanti first disclosed CVE-2026-1281 alongside CVE-2026-1340 on January 29, 2026, acknowledging limited in-the-wild exploitation against customer environments. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) immediately added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog with an unprecedented three-day remediation deadline, underscoring the severity of the threat.

Ivanti has released temporary RPM patches for affected versions, with a permanent fix scheduled for version 12.8.0.0 in Q1 2026. Organizations are strongly encouraged to apply these patches immediately. Note that the patch only closes the injection point; it does not remove a webshell that was planted before the patch was applied. Administrators should therefore also hunt for indicators of compromise, in particular unexpected webshell artifacts in the appliance's web directories, and review access logs for signs of unauthorized activity, even on hosts that are now patched.
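One practical way to hunt for planted webshell artifacts is to baseline the appliance's web directories from a known-good install and diff a suspect host against it. The following Python script is an added example written for this article, not Ivanti tooling or an Ivanti-published IOC set. The directory layout it builds under a temporary directory, the file contents, and the list of suspect file extensions are all assumptions made for the demonstration; on a real EPMM host you would point `hash_tree` at the actual web root and use a baseline taken from a clean system or a freshly patched one.

```python
import hashlib
import os
import tempfile

# File types that should not appear unexpectedly under an appliance's web
# directories. This list is an assumption for the example, not an Ivanti IOC.
SUSPECT_SUFFIXES = (".jsp", ".jspx", ".war", ".sh", ".py", ".php")


def hash_tree(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Diff two digest maps: files added, removed, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def webshell_candidates(report):
    """Added or changed files whose type the web tier could execute."""
    return sorted(p for p in report["added"] + report["changed"]
                  if p.lower().endswith(SUSPECT_SUFFIXES))


def demo():
    """Build a constructed web root, baseline it, plant changes, and diff.

    The layout and contents are invented for this example. On a real appliance
    the baseline comes from a known-good install and the current tree from the
    suspect host.
    """
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "mifs", "c", "appstore")
        os.makedirs(app)
        with open(os.path.join(app, "index.jsp"), "w") as f:
            f.write("<%-- legitimate page --%>\n")
        with open(os.path.join(root, "mifs", "app.properties"), "w") as f:
            f.write("version=12.7.0.0\n")
        baseline = hash_tree(root)

        # Simulate what a sleeper backdoor leaves behind: one new JSP file and
        # one trojaned existing page. The contents are placeholders, not a webshell.
        with open(os.path.join(app, "cache.jsp"), "w") as f:
            f.write("<%-- placeholder for a planted file --%>\n")
        with open(os.path.join(app, "index.jsp"), "a") as f:
            f.write("<%-- appended content --%>\n")

        report = compare(baseline, hash_tree(root))
        report["webshell_candidates"] = webshell_candidates(report)
        return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Store the baseline digests off-box (an attacker with a webshell can rewrite anything on the host, including a baseline file), and treat a modified existing page as seriously as a new file: trojaning a legitimate JSP is a common way to keep a dormant backdoor from standing out in a directory listing.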

Broader Implications and Recommendations

The massive scale and coordination of these exploitation attempts highlight the evolving sophistication of cyber threat actors and the critical importance of timely vulnerability management. Organizations utilizing Ivanti’s EPMM should prioritize the following actions:

1. Immediate Patch Application: Apply the latest patches provided by Ivanti to mitigate the vulnerabilities.

2. Enhanced Monitoring: Implement continuous monitoring of EPMM instances for unusual activity, such as unexpected webshell artifacts or unauthorized access attempts.

3. Access Log Review: Regularly review access logs for signs of exploitation or unauthorized access.

4. Network Segmentation: Ensure that EPMM instances are appropriately segmented from critical network resources to limit potential lateral movement by attackers.

5. User Education: Educate employees about the risks associated with phishing and social engineering attacks, which may be used in conjunction with technical exploits.
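For the monitoring and access-log review items above, the following Python script is an added example written for this article, not Ivanti's own tooling or a published detection signature. It parses web-server access logs in the common Apache/nginx "combined" format (an assumption; EPMM's actual log format may differ), flags every request to the `/mifs/c/appstore/fob/` endpoint named in the disclosure, adds a second flag when the URL-decoded query string contains shell metacharacters, and counts flagged requests per source IP so that a single dominant source, like the one GreyNoise and Defused describe, stands out. The sample log lines are constructed, the parameter name `x` and the payload strings are placeholders, and the metacharacter list is a triage heuristic that will produce some false positives.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format. They are
# illustrative only, not real EPMM logs or captured attacker traffic; the
# parameter name "x" and the payload values are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Feb/2026:02:14:07 +0000] "GET /mifs/c/appstore/fob/?x=$(id) HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.10 - - [09/Feb/2026:02:14:09 +0000] "GET /mifs/c/appstore/fob/?x=%60whoami%60 HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [09/Feb/2026:02:15:30 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.44 - - [09/Feb/2026:02:16:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [09/Feb/2026:02:16:05 +0000] "POST /mifs/c/appstore/fob/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoint named in Ivanti's disclosure of CVE-2026-1281; every hit is worth review.
VULN_PATH = "/mifs/c/appstore/fob/"

# Heuristic: characters that let a value break out of a shell word. This is an
# assumption made for triage, not a published signature.
SHELL_META = re.compile(r"`|\$\(|\$\{|[;|&\n]")


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote(parts.query)  # decode %60 and friends before matching
    return rec


def classify(rec):
    """Reasons a request is suspicious; an empty list means nothing to flag."""
    reasons = []
    if rec["path"].startswith(VULN_PATH):
        reasons.append("request to CVE-2026-1281 endpoint")
        if SHELL_META.search(rec["query"]):
            reasons.append("shell metacharacters in decoded query string")
    return reasons


def triage(log_text):
    """Return flagged records and a per-source-IP count of flagged requests."""
    flagged = []
    per_source = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            flagged.append({**rec, "reasons": reasons})
            per_source[rec["ip"]] += 1
    return flagged, per_source


if __name__ == "__main__":
    flagged, per_source = triage(SAMPLE_LOG)
    for rec in flagged:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["target"]} '
              f'-> {"; ".join(rec["reasons"])}')
    print("unique flagged sources:", len(per_source))
    print("most active source:", per_source.most_common(1))
```

Two practical notes: decode the query string before matching, as the second sample line shows, because a URL-encoded backtick (`%60`) will slip past a raw-text search; and do not discount requests that returned a 404 or were made with POST, since a probe that failed on one host may indicate the same source is scanning your other instances.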

By taking these proactive measures, organizations can enhance their resilience against the exploitation of vulnerabilities like CVE-2026-1281 and protect their critical mobile management infrastructure from sophisticated cyber threats.