Researchers Warn of ‘Widespread’ Ivanti EPMM Exploitation
Exploitation of CVE-2026-1281 and CVE-2026-1340 is “widespread and mostly automated,” according to Unit 42 researchers.

February 19, 2026 | 2 min read

Researchers are warning of an increase in exploitation of two critical flaws in Ivanti's Endpoint Manager Mobile (EPMM) product, three weeks after the unauthenticated remote code execution vulnerabilities were first disclosed.
Palo Alto Networks' Unit 42 team said it has seen the exploitation affecting a wide array of organizations across the U.S., Germany, Australia, and Canada. Impacted organizations are in the state and local government, healthcare, manufacturing, professional services, and technology sectors.
“Threat actors are accelerating operations, moving from initial reconnaissance to deploying dormant backdoors designed to maintain long-term access even after organizations apply patches,” according to Unit 42 researchers in a Wednesday analysis.
The two vulnerabilities (CVE-2026-1281 and CVE-2026-1340) are each rated 9.8 out of 10 on the CVSS scale and are code injection flaws in the EPMM mobile device management solution. Ivanti released RPM scripts in January to mitigate them.
“We are aware of a very limited number of customers who have been exploited at the time of disclosure,” according to Ivanti’s security advisory. “However, a POC was made available by a third party shortly after disclosure. We urge all customers to apply the patch as soon as possible and run the Exploitation Detection RPM package as a tool to assist in identifying potential compromise.”
Researchers with Unit 42 said they’ve seen threat actors use various TTPs across the “widespread and mostly automated” exploitation activity. This has included campaigns that establish reverse shells, install web shells, conduct reconnaissance, and download malware.
In some incidents, attackers tried to sidestep authentication and run a second-stage payload, which would then install web shells, cryptominers, or backdoors, giving the threat actor control of the appliance. Researchers also saw threat actors download Nezha, an open-source server monitoring tool, during attacks.
“We also observed attackers issue sleep commands in attempts to determine whether the server targeted was vulnerable to exploitation,” said researchers. “This is a simple method of testing if the server will pause for five seconds. If the connection hangs for exactly five seconds before returning an error (e.g., a 404 error), the attacker knows they have achieved RCE and will follow up immediately with malicious payloads.”
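The timing probe Unit 42 describes has a defender-side fingerprint: an access-log entry whose request hung for almost exactly a canned sleep interval and then ended in an error status, followed within minutes by more requests from the same source address. The script below is an added example of hunting for that pattern; it is not Unit 42's or Ivanti's code. It assumes an nginx-style combined log with the request duration in seconds appended as a final field (an assumed format, not EPMM's own logging), constructed sample lines using documentation addresses and placeholder paths, and a tolerance of 0.25 s around the 5 and 10 second sleep values, which is a tuning choice rather than anything from the report.

```python
import re
from datetime import datetime

# Constructed sample lines (not real EPMM logs): nginx-style combined format with
# the request duration in seconds as the last field. Addresses are RFC 5737
# documentation ranges and the paths are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Feb/2026:10:01:02 +0000] "GET /example/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0" 0.012
198.51.100.7 - - [19/Feb/2026:10:01:09 +0000] "POST /example/endpoint HTTP/1.1" 404 153 "-" "curl/8.4.0" 5.003
203.0.113.9 - - [19/Feb/2026:10:02:15 +0000] "GET /example/login HTTP/1.1" 404 153 "-" "python-requests/2.31" 0.004
198.51.100.7 - - [19/Feb/2026:10:01:15 +0000] "POST /example/endpoint HTTP/1.1" 404 153 "-" "curl/8.4.0" 0.021
192.0.2.44 - - [19/Feb/2026:10:02:18 +0000] "GET /example/report HTTP/1.1" 200 90211 "-" "Mozilla/5.0" 5.100
203.0.113.9 - - [19/Feb/2026:10:02:21 +0000] "POST /example/endpoint HTTP/1.1" 404 153 "-" "python-requests/2.31" 9.980
203.0.113.9 - - [19/Feb/2026:10:02:24 +0000] "POST /example/endpoint HTTP/1.1" 404 153 "-" "python-requests/2.31" 0.030
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" (?P<dur>[\d.]+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["dur"] = float(rec["dur"])
    return rec


def is_sleep_probe(rec, sleep_seconds=(5.0, 10.0), tolerance=0.25):
    """A timing probe: the request hung for (almost exactly) a canned sleep
    value and then failed with an error status, as in the Unit 42 description.
    The sleep values and tolerance are assumptions for this example."""
    if rec["status"] < 400:
        return False  # a slow successful request is ordinary load, not a probe
    return any(abs(rec["dur"] - s) <= tolerance for s in sleep_seconds)


def find_probes_and_followups(lines, followup_window_s=120):
    """Return one finding per probe, with the count of later requests from the
    same source inside the follow-up window (the 'immediate' payload delivery
    the researchers describe)."""
    recs = [r for r in map(parse_line, lines) if r]
    recs.sort(key=lambda r: r["ts"])  # log lines may be out of order
    findings = []
    for i, rec in enumerate(recs):
        if not is_sleep_probe(rec):
            continue
        followups = [
            o for o in recs[i + 1:]
            if o["ip"] == rec["ip"]
            and (o["ts"] - rec["ts"]).total_seconds() <= followup_window_s
        ]
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"].isoformat(),
            "path": rec["path"],
            "status": rec["status"],
            "dur": rec["dur"],
            "followups": len(followups),
        })
    return findings


if __name__ == "__main__":
    for f in find_probes_and_followups(SAMPLE_LOG.splitlines()):
        print(f)
```

On the constructed input this flags the two requests that hung for about 5 and 10 seconds before returning 404, each followed by another request from the same address, and ignores both the fast 404 and the slow but successful report download. Against a real appliance the thresholds are a starting point, not a verdict: any hit should be checked against the Exploitation Detection RPM package Ivanti ships rather than treated as proof on its own.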
Both security researchers and Ivanti said customers should immediately apply patches and review their appliances for signs of exploitation.
“Applying the patch is the most effective way to prevent exploitation, regardless of how IOCs change over time, especially once a POC is available,” according to Unit 42 researchers. “The patch requires no downtime and takes only seconds to apply.”