Ivanti EPMM Zero-Day Bugs Spark Exploit Frenzy — Again

Summary

On 29 January 2026 Ivanti disclosed two critical pre-auth remote code execution vulnerabilities in Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 — each scored 9.8/10 on the CVSS scale. Shortly after disclosure a proof-of-concept was published, and multiple European government organisations, including the European Commission and agencies in the Netherlands and Finland, reported breaches that exposed staff names, phone numbers and email addresses. CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities list, and scanning and exploitation activity spiked, much of it traced to a single bulletproof-hosted IP address.

Researchers and incident responders warn this is part of a longer trend of attackers targeting edge and perimeter systems — products from multiple vendors have been repeatedly exploited — and urge organisations to treat management infrastructure as Tier-0 assets and assume eventual compromise.

Key Points

  • Two critical Ivanti EPMM bugs (CVE-2026-1281, CVE-2026-1340) permit pre-auth remote code execution; both scored 9.8 CVSS.
  • PoC exploit disclosure triggered rapid exploitation; several European government agencies were breached days after public disclosure.
  • Data exposed included staff names, mobile numbers, email addresses and device metadata — large-scale impact at public-sector organisations.
  • CISA added CVE-2026-1281 to its KEV list; GreyNoise and Shadowserver observed high-volume scanning and attacks, much of it tied to a single IP.
  • Edge/perimeter devices continue to be high-value targets — vendors such as Fortinet, SonicWall and WatchGuard have faced similar campaigns.
  • Experts recommend moving beyond “patch and pray”: minimise public interfaces, enforce pre-auth access controls, limit management-plane reachability and instrument deep telemetry and egress controls.
  • Replacing entrenched tooling like Ivanti is hard — large footprints in enterprise environments make rapid rip-outs unrealistic, leaving organisations to harden and monitor what they have.

Why should I read this?

Look — this one matters. If you run mobile device management, manage perimeter services or care about public-sector breaches, this story is a canary in the coal mine. We read the timeline, the PoC fallout and the recommended mitigations so you don’t have to sift through dozens of advisories. Short version: these are serious bugs being actively exploited against high-profile organisations, and the usual patch-and-hope approach won’t cut it.

Context and Relevance

This incident sits squarely inside a rising trend: attackers increasingly target edge and management infrastructure because those systems are powerful, widely deployed and often less monitored. The European Commission’s revised Cybersecurity Act highlights supply-chain and vendor risks — but this episode shows that trusted vendors at home can be just as dangerous when their products are widely adopted and repeatedly found to contain critical flaws.

For security teams, the takeaways are practical: treat centralized management systems as Tier-0, restrict and monitor management-plane access, apply compensating controls where immediate replacement is impractical, and assume compromise so you can detect and contain exploitation quickly.
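The recommendations above (limit management-plane reachability, instrument telemetry, control egress, and assume compromise so exploitation is caught early) can be turned into concrete checks. The following is an added example written for this summary; it is not code from Dark Reading, Ivanti or EPMM. It runs three checks over constructed reverse-proxy access-log lines for a generic management interface and one check over constructed outbound connections: requests from outside the management allowlist, bursts from a single source (the scanning pattern the article describes), server errors followed by a success on the same path, and outbound connections not on an egress allowlist. All addresses, paths, timestamps and allowlists are constructed placeholders, not EPMM's real endpoints.

```python
"""Defender-side checks for a management interface: who may reach it, who is
hammering it, and where it talks to. Constructed sample data; not EPMM code."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Networks allowed to reach the admin/API plane (constructed example values).
MANAGEMENT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24"),
                        ipaddress.ip_network("192.168.100.0/24")]

# (dst_ip, dst_port) pairs the management host is expected to contact (constructed).
EGRESS_ALLOWLIST = {("203.0.113.10", 443), ("10.20.0.5", 514)}

# Combined-log-format lines from a reverse proxy in front of the management
# interface. Addresses, paths and timestamps are constructed for this example.
SAMPLE_ACCESS_LOG = """\
10.20.0.7 - - [30/Jan/2026:08:00:01 +0000] "GET /admin/login HTTP/1.1" 200 1532
198.51.100.77 - - [30/Jan/2026:08:00:02 +0000] "GET /api/v1/status HTTP/1.1" 401 0
198.51.100.77 - - [30/Jan/2026:08:00:02 +0000] "POST /api/v1/ HTTP/1.1" 500 0
198.51.100.77 - - [30/Jan/2026:08:00:03 +0000] "POST /api/v1/ HTTP/1.1" 500 0
198.51.100.77 - - [30/Jan/2026:08:00:03 +0000] "POST /api/v1/ HTTP/1.1" 500 0
198.51.100.77 - - [30/Jan/2026:08:00:04 +0000] "POST /api/v1/ HTTP/1.1" 200 0
192.168.100.9 - - [30/Jan/2026:08:00:10 +0000] "GET /admin/devices HTTP/1.1" 200 8832
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+')


def parse_access_log(text):
    """Parse combined-log-format lines into dicts; skip lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def outside_management_allowlist(records):
    """Source IPs that reached the management plane from outside the allowed
    networks. In a correctly segmented deployment this set is empty."""
    hits = set()
    for rec in records:
        addr = ipaddress.ip_address(rec["ip"])
        if not any(addr in net for net in MANAGEMENT_ALLOWLIST):
            hits.add(rec["ip"])
    return hits


def high_rate_sources(records, max_requests, window_seconds):
    """Source IPs that exceed max_requests inside any window_seconds window
    (sliding window per source): scanning or brute-force style bursts."""
    times = defaultdict(list)
    for rec in records:
        times[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > max_requests:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def error_then_success(records):
    """Sources that caused 5xx responses and then a 2xx on the same path: a
    pattern worth triaging while a pre-auth RCE proof-of-concept is circulating."""
    seen = defaultdict(set)
    suspicious = set()
    for rec in records:
        key = (rec["ip"], rec["path"])
        if rec["status"] >= 500:
            seen[key].add("err")
        elif 200 <= rec["status"] < 300 and "err" in seen[key]:
            suspicious.add(rec["ip"])
    return suspicious


def unexpected_egress(connections):
    """Outbound (dst_ip, dst_port) pairs from the management host that are not
    on the egress allowlist; a management server should not open novel outbound
    connections, so each hit is a containment lead."""
    return sorted(c for c in connections if c not in EGRESS_ALLOWLIST)


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    print("outside allowlist:", outside_management_allowlist(recs))
    print("high-rate:", high_rate_sources(recs, max_requests=3, window_seconds=5))
    print("error then success:", error_then_success(recs))
    # Constructed outbound connections observed from the management host.
    print("unexpected egress:",
          unexpected_egress([("203.0.113.10", 443), ("198.51.100.77", 4444)]))
```

The thresholds and allowlists are the tunable part: the reachability check is the control that should make the other three unnecessary, and the egress check is the one that still fires after a successful exploit, which is why it matters under an assume-compromise posture.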

Author’s take

Punchy and urgent: This is not another far-away bug — it’s a repeat pattern with real fallout for governments and large organisations. If you ignore it, expect noisy scans and possible breaches. If you act, harden the management plane and improve telemetry now.

Source

Source: https://www.darkreading.com/endpoint-security/ivanti-epmm-zero-day-bugs-exploit