Is your network vulnerable to the critical Ivanti EPMM remote code execution zero-day?
Recent attacks on high-profile European government entities underscore the severity of new security flaws in Ivanti Endpoint Manager Mobile (EPMM). Security teams must address these critical vulnerabilities immediately to prevent unauthorized network access and data theft.
Critical Vulnerability Details
Ivanti disclosed CVE-2026-1281 on January 29, 2026. This vulnerability affects the EPMM mobile device management solution and carries a critical CVSS score of 9.8. The flaw involves code injection that enables attackers to execute commands remotely without authentication.
Attackers use specially crafted HTTP requests to bypass security controls. This access allows them to compromise the appliance fully, steal data from managed mobile devices, or move laterally into the broader corporate network. A second vulnerability, CVE-2026-1340, was also identified and poses similar risks of remote code execution.
Government Agency Breaches
These zero-day vulnerabilities facilitated successful cyberattacks against major European institutions in early 2026. The Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed that attackers accessed their systems using these exploits. This breach compromised the personal data of employees, including names, emails, and phone numbers.
The European Commission also detected a cyberattack on its central mobile device management infrastructure on January 30, 2026. IT teams contained the incident within nine hours. Preliminary investigations suggest that while employee contact details were exposed, the attackers did not successfully compromise the actual mobile devices.
Active Exploitation Warnings
The Shadowserver Foundation reports finding compromised Ivanti EPMM instances globally. Their analysis indicates that attackers installed web shells on these systems to maintain persistent access.
The German Federal Office for Information Security (BSI) issued a warning on February 9, 2026, highlighting the active exploitation of these zero-day flaws. The BSI emphasized that attackers use these appliances not just for data theft but as a gateway to penetrate deeper into connected networks.
Recommended Remediation
Organizations utilizing Ivanti EPMM must apply the available security updates immediately. Ivanti released patches for both CVE-2026-1281 and CVE-2026-1340 alongside the disclosure.
Administrators should check their systems for signs of compromise using the indicators provided in the security advisory. If patching is not immediately possible, restrict public access to the management interface as a temporary measure; applying the vendor patch remains the only definitive solution.