Exploitation of Ivanti EPMM 0-day Vulnerability

CVE-2026-1281, a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM), saw an unprecedented spike in exploitation attempts. One of the most extensive coordinated attack campaigns against enterprise mobile management infrastructure this year was detected on February 9, 2026, when Shadowserver scans turned up over 28,300 distinct source IP addresses trying to take advantage of the vulnerability.

With a CVSS score of 9.8, CVE-2026-1281 is a pre-authentication code injection vulnerability that enables unauthenticated remote code execution on susceptible EPMM instances. Because a Bash handler behind the /mifs/c/appstore/fob/ endpoint lacks proper input sanitization, attackers can inject malicious payloads via URL parameters and execute arbitrary commands as the web server user.

An examination of the attacking infrastructure shows a highly concentrated geographic distribution, with roughly 20,400 IP addresses from the US accounting for 72% of all attack sources that were observed. With 3,800 source IPs, the UK comes in second, followed by Russia with 1,900 addresses. Though at much lower volumes, networks in Iraq, Spain, Poland, France, Italy, Germany, and Ukraine were the source of additional notable attack activity.

Coordinated Cyber Attack Campaign

Security researchers from GreyNoise and Defused have discovered a sophisticated element of this exploitation wave: a suspected initial access broker has been installing "sleeper" webshells on compromised EPMM instances.

A single IP address behind bulletproof hosting infrastructure has been linked to over 80% of exploitation activity, indicating a highly coordinated operation intended to create persistent access for subsequent exploitation by other threat actors. The backdoors stay dormant until they are activated for particular operations, which is a significant departure from standard opportunistic attacks. Since EPMM controls mobile devices, apps, and content in business settings, a successful exploitation gives attackers complete control over corporate mobile infrastructure.

This includes the ability to move laterally within targeted networks and push additional payloads to managed devices. On January 29, 2026, Ivanti initially disclosed CVE-2026-1281 and CVE-2026-1340, acknowledging limited in-the-wild exploitation against customer environments.

The seriousness of the threat was highlighted when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) promptly added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog with an unprecedented three-day remediation deadline. The Shadowserver Foundation is actively sharing attacker IP data through its honeypot HTTP scanner events report, filtered on vulnerability_id CVE-2026-1281. Organizations can access this threat intelligence at shadowserver.org to identify and block malicious source addresses attempting to exploit their infrastructure.

For the impacted versions, Ivanti has issued temporary RPM patches; a permanent fix is planned for version 12.8.0.0 in Q1 2026. Security teams in charge of EPMM deployments should install the available patches right away, monitor for indicators of compromise such as unexpected webshell artifacts, and review access logs for unusual requests to the vulnerable endpoint.
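The two defensive steps above, consuming a scanner-IP feed and reviewing web access logs for requests to the /mifs/c/appstore/fob/ endpoint, can be combined into one triage script. The following is an added example written for this article; it is not code from Ivanti, Shadowserver, GreyNoise or Defused. The two-column feed layout (src_ip, vulnerability_id), the combined-log-format access lines and every IP address in it are constructed for illustration; the real Shadowserver report schema should be checked against the feed documentation before use.

```python
import csv
import io
import re
from collections import Counter
from urllib.parse import unquote

# Endpoint named in the public coverage of CVE-2026-1281.
TARGET_PATH = "/mifs/c/appstore/fob/"

# Shell metacharacters that a legitimate request to this endpoint has no reason to carry.
SHELL_META = re.compile(r"[;|`&]|\$\(|\$\{")

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed feed: the column names are an ASSUMPTION, not Shadowserver's real schema.
SAMPLE_FEED = """src_ip,vulnerability_id
203.0.113.10,CVE-2026-1281
198.51.100.7,CVE-2026-1340
"""

# Constructed access-log lines (documentation-range IPs, no real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [09/Feb/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/?q=a%3Bb HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Feb/2026:10:01:05 +0000] "GET /mifs/c/appstore/fob/?q=abc HTTP/1.1" 404 0',
    '192.0.2.44 - - [09/Feb/2026:10:02:00 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 200 1024',
    '192.0.2.45 - - [09/Feb/2026:10:02:30 +0000] "GET /mifs/login.html HTTP/1.1" 200 2048',
]


def load_blocklist(csv_text, vuln_id="CVE-2026-1281"):
    """Return the set of source IPs in the feed that are tagged with vuln_id."""
    ips = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("vulnerability_id") == vuln_id:
            ips.add(row["src_ip"].strip())
    return ips


def classify_request(line, blocklist):
    """Return a finding dict for a request to the target path, or None if the line
    is unparseable or touches some other path. 'reasons' is empty for benign hits."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target = m.group("ip"), m.group("target")
    path, _, query = target.partition("?")
    if not path.startswith(TARGET_PATH):
        return None
    reasons = []
    if query:
        # The injection vector is a URL parameter, so any query string deserves a look.
        reasons.append("query_string_present")
        if SHELL_META.search(unquote(query)):
            reasons.append("shell_metacharacters")
    if ip in blocklist:
        reasons.append("known_scanner_ip")
    return {"ip": ip, "ts": m.group("ts"), "status": m.group("status"), "reasons": reasons}


def scan_log(lines, blocklist):
    """Keep only requests to the target path that raised at least one reason."""
    findings = (classify_request(line, blocklist) for line in lines)
    return [f for f in findings if f and f["reasons"]]


def summarize(hits):
    """Count flagged requests per source IP, for blocking or further triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    block = load_blocklist(SAMPLE_FEED)
    for hit in scan_log(SAMPLE_LOG, block):
        print(hit["ts"], hit["ip"], hit["status"], ",".join(hit["reasons"]))
    print(summarize(scan_log(SAMPLE_LOG, block)))
```

A request to the endpoint with no query string and from an unknown IP is deliberately not reported, so normal traffic to the application store path does not drown the review; a hit carrying both shell metacharacters and a feed-listed source IP is the case worth escalating and checking for dropped webshell files.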
