Critical flaws in Ivanti EPMM lead to fast-moving exploitation attempts


Security teams are scrambling Tuesday as two critical vulnerabilities in Ivanti Endpoint Manager Mobile are facing exploitation attempts. 

Ivanti issued advisories Thursday for the code injection flaws, which impact the on-premises version of Ivanti EPMM. The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, allow an attacker to achieve remote code execution if successfully exploited. The flaws have a severity score of 9.8.

Ivanti said it was aware of a “very limited number of customers” that had already faced exploitation activity at the time of disclosure, according to a blog post from the company.

It is not immediately known how long the vulnerabilities had been targeted before disclosure. Stephen Fewer, senior principal security researcher at Rapid7, said the available evidence points to targeted, deliberate attacks by the threat actor rather than random or opportunistic activity.

“This is in line with a highly targeted attack, whereby the threat actor seeks to compromise one or more specific organizations,” Fewer told Cybersecurity Dive. “We can note that, back in 2023, the Norwegian Security and Service Organization (DSS) was compromised by an unknown threat actor using a zero day against EPMM in a highly targeted attack.”

The Cybersecurity and Infrastructure Security Agency immediately added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog. The agency set an unusually short deadline for federal agencies to mitigate the threat by this past Sunday, Feb. 1. 

Ivanti EPMM is a widely used tool in the workplace, as it helps IT administrators to manage a range of mobile devices across various operating systems. 

On Saturday, researchers from the Shadowserver Foundation reported a spike in exploitation attempts against CVE-2026-1281. The foundation noted that threat activity was detected from 13 source IPs and that 1,600 instances were exposed worldwide.

As of Tuesday, exposure has dropped to 1,400, but threat activities were still ongoing, “which include attempts to execute callbacks or set up reverse shells,” Shadowserver CEO Piotr Kijewski told Cybersecurity Dive.

Ryan Dewhurst, head of proactive threat intelligence at watchTowr, confirmed that the initial threat activity appears to have been highly targeted. Post-compromise activity includes deployment of backdoor web shells and broad probing for vulnerable systems. 

The Health Information Sharing and Analysis Center has identified a small number of organizations with potential exposure and has sent them targeted information with mitigation guidance, according to chief security officer Errol Weiss. 

“This vulnerability is actively being exploited, and any organization using Ivanti EPMM should treat it as a high-priority patch and monitor it closely,” Weiss told Cybersecurity Dive. “Even when exposure is narrow, the systems involved are often critical to enterprise operations, so rapid remediation and heightened vigilance are essential.”

Ivanti urged users to install a temporary patch, but warned the fix will not survive a version upgrade and will then need to be reinstalled. A permanent fix is under development and will be made available in the next product release 12.8.0.0, Ivanti said in the advisory.
