Attackers exploit Ivanti EPMM zero-days to seize control of MDM servers

Summary

Attackers are actively exploiting two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, in Ivanti's Endpoint Manager Mobile (EPMM) to execute arbitrary code remotely and, without authenticating, take control of enterprise mobile device management infrastructure. The vulnerabilities allow attackers to install backdoors that persist even after patches are applied, affecting mobile fleets and corporate networks.

IFF Assessment

FOE

Exploitation of zero-day vulnerabilities in a mobile device management platform can lead to widespread compromise of mobile devices and corporate networks.

Severity

9.8 Critical

Defender Context

Defenders should confirm that the emergency patches released by Ivanti have been applied to mitigate these vulnerabilities. Because the backdoors attackers install persist after patching, patching alone does not remove an existing compromise. Defenders should also monitor for signs of compromise, such as unauthorized access to mobile device management infrastructure or unexpected changes to device policies, and follow up with thorough investigation and remediation.
