Ivanti’s EPMM is under active attack, thanks to two critical zero-days
https://cyberscoop.com/ivanti-endpoint-manager-mobile-zero-day-vulnerabilities-exploit/
Publish Date: 2026-02-03 16:19:00
Source Domain: cyberscoop.com
Attackers are again focusing on a familiar target in the network edge space, actively exploiting two critical zero-day vulnerabilities in Ivanti software that allows administrators to set mobile device and application controls.
The vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — each carry a CVSS rating of 9.8 and allow unauthenticated users to execute code remotely in Ivanti Endpoint Manager Mobile (EPMM). Ivanti did not give the earliest known date of exploitation but warned that a “very limited number of customers” were attacked before it disclosed and addressed the defects Thursday.
Ivanti’s post-attack warning is a frequent occurrence for its customers: yet again, attackers exploited highly destructive defects in its code before the vendor caught or fixed the errors.
The Cybersecurity and Infrastructure Security Agency has flagged 31 Ivanti defects in its known exploited vulnerabilities catalog since late 2021. At least 19 defects across Ivanti products have been exploited in the past two years.
The agency added CVE-2026-1281 to the catalog Thursday, but not CVE-2026-1340. Both defects have been exploited, according to watchTowr. Yet, a spokesperson for Ivanti said the vulnerabilities have not been chained together for exploitation.
The latest code-injection vulnerabilities demonstrate attackers are focusing on EPMM in particular of late. Ivanti disclosed a separate pair of vulnerabilities in the same product in May 2025.
Ivanti declined to say how many customers have been impacted by the recent zero-day attacks, but researchers warn a recurring pattern is emerging with mass exploitation observed shortly after public disclosure and the release of exploit code.
“This started as tightly scoped zero-day exploitation,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, told CyberScoop. “It has since devolved into global mass exploitation by a wide mix of…