
Massive Spike in Attacks Exploiting Ivanti EPMM Systems 0-day Vulnerability - CyberSecurityNews

CyberSecurityNews · Archived Mar 30, 2026


An unprecedented surge in exploitation attempts has been observed targeting CVE-2026-1281, a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM). On February 9, 2026, Shadowserver scans revealed over 28,300 unique source IP addresses attempting to exploit the flaw, marking one of the largest coordinated attack campaigns observed against enterprise mobile management infrastructure this year.

CVE-2026-1281 is a pre-authentication code injection vulnerability with a CVSS score of 9.8 that allows attackers to achieve unauthenticated remote code execution on vulnerable EPMM instances. The vulnerability stems from improper input sanitization in a Bash handler at the /mifs/c/appstore/fob/ endpoint, enabling attackers to inject malicious payloads via URL parameters and execute arbitrary commands as the web server user.

Analysis of the attacking infrastructure reveals a heavily concentrated geographic distribution, with the United States accounting for approximately 20,400 IP addresses, or 72% of all observed attack sources. The United Kingdom ranks second with 3,800 source IPs, while Russia follows with 1,900 addresses. Additional significant attack activity originated from networks in Iraq, Spain, Poland, France, Italy, Germany, and Ukraine, though at substantially lower volumes.

Coordinated Cyber Attack Campaign

Security researchers from GreyNoise and Defused have identified a sophisticated component to this exploitation wave: a suspected initial access broker has been deploying "sleeper" webshells on compromised EPMM instances. Over 80% of exploitation activity has been traced to a single IP address operating behind bulletproof hosting infrastructure, suggesting a highly coordinated operation designed to establish persistent access for follow-on exploitation by other threat actors.

This delayed-activation approach differs significantly from typical opportunistic attacks, as the backdoors remain dormant until activated for specific operations. Because EPMM manages mobile devices, applications, and content across enterprise environments, successful exploitation gives attackers extensive control over corporate mobile infrastructure, including the ability to deploy additional payloads to managed devices and to facilitate lateral movement within targeted networks.

Ivanti first disclosed CVE-2026-1281 alongside CVE-2026-1340 on January 29, 2026, acknowledging limited in-the-wild exploitation against customer environments. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) immediately added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog with an unprecedented three-day remediation deadline, underscoring the severity of the threat.

The Shadowserver Foundation is actively sharing attacker IP data through its honeypot HTTP scanner events reporting system, with vulnerability_id filtered to CVE-2026-1281.

"Massive increase in sources attempting Ivanti EPMM CVE-2026-1281 exploitation, with over 28.3K source IPs seen on 2026-02-09. IP data on attackers shared in our HTTPS://T.CO/0NP5Z67QM5 (with vulnerability_id set to CVE-2026-1281). 20.4K IPs seen from US networks. HTTPS://T.CO/6XFUAUFJ8Y PIC.TWITTER.COM/LTRVFIUYHC" — The Shadowserver Foundation (@Shadowserver) February 10, 2026

Organizations can access this threat intelligence at shadowserver.org to identify and block malicious source addresses attempting exploitation against their infrastructure.

Ivanti has released temporary RPM patches for affected versions, with a permanent fix scheduled for version 12.8.0.0 in Q1 2026. Security teams managing EPMM deployments should immediately apply the available patches, monitor for indicators of compromise, including unexpected webshell artifacts, and review access logs for suspicious requests to the vulnerable endpoint.
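The access-log review recommended above, as an added example that is neither the article's nor Ivanti's code: a Python triage script that parses combined-format web access logs, keeps only requests to the /mifs/c/appstore/fob/ endpoint named in the article, and flags those whose decoded query string contains shell metacharacters (an assumed heuristic, since legitimate clients may also hit this endpoint) or whose source IP appears in a locally supplied list derived from Shadowserver's feed. The log lines, IP addresses and the list itself are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format; IPs are from documentation ranges, not real attackers.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Feb/2026:04:12:01 +0000] "GET /mifs/c/appstore/fob/?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Feb/2026:04:12:05 +0000] "GET /mifs/c/appstore/fob/?x=a%3Bx HTTP/1.1" 500 0 "-" "curl/8.5.0"
192.0.2.44 - - [09/Feb/2026:04:13:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Feb/2026:04:14:30 +0000] "GET /mifs/c/appstore/fob/?x=%24%28x%29 HTTP/1.1" 200 17 "-" "python-requests/2.31"
"""

# Placeholder for source IPs exported from Shadowserver's honeypot HTTP scanner events
# (vulnerability_id = CVE-2026-1281); constructed here, load the real export in practice.
SHADOWSERVER_IPS = {"203.0.113.10"}

VULN_PATH = "/mifs/c/appstore/fob/"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Assumed heuristic: shell metacharacters in the decoded query are abnormal for this endpoint.
METACHARS = re.compile(r"[;|&`$(){}<>\\]")


def classify(line):
    """Return a hit record for a request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    if not path.startswith(VULN_PATH):
        return None
    decoded = unquote(query)
    reasons = []
    if METACHARS.search(decoded):
        reasons.append("shell-metacharacters")
    if m["ip"] in SHADOWSERVER_IPS:
        reasons.append("shadowserver-listed")
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "query": decoded, "reasons": reasons}


def triage(log_text):
    """Return only the endpoint hits that carry at least one suspicion reason."""
    hits = (classify(line) for line in log_text.splitlines())
    return [h for h in hits if h and h["reasons"]]


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["status"], ", ".join(h["reasons"]), repr(h["query"]))
```

Flagged entries should be checked against the temporary RPM patch status of the host and followed by a hunt for webshell artifacts, since a 200 response to a metacharacter-laden request is not by itself proof of compromise.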