
"The critical vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, can be exploited by remote, unauthenticated attackers to execute arbitrary code on target servers and gain complete control of the targeted mobile device management (MDM) infrastructure. The security holes were patched by Ivanti in late January, when the vendor notified users that it had been aware of zero-day attacks aimed at "a very limited number of customers". Widespread exploitation of CVE-2026-1281 and CVE-2026-1340 started soon after disclosure and Palo Alto Networks has been seeing a wide range of attacks."
"In a blog post dated February 17, the security firm reported that threat actors have been exploiting the vulnerabilities to download malware on compromised Ivanti platforms, including web shells, cryptocurrency miners, and a persistent backdoor. Palo Alto has also observed attackers deploying the Nezha open source monitoring utility (recently leveraged in China-linked malicious activity), executing reverse shells, and conducting reconnaissance."
Two critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, CVE-2026-1281 and CVE-2026-1340, allow remote, unauthenticated attackers to execute arbitrary code on servers and gain full control of MDM infrastructure. Ivanti patched the flaws in late January and noted prior zero-day attacks against a very limited number of customers. Exploitation surged after disclosure, with attackers installing web shells, cryptocurrency miners and persistent backdoors, and deploying tools such as the Nezha open-source monitoring utility. Observed tactics also include reverse shells and reconnaissance. Germany's BSI reported evidence of exploitation dating back to July 2025 and urged organizations to check for IoCs. CISA's KEV catalog lists more than 30 Ivanti vulnerabilities, some linked to China-aligned espionage.
Read at SecurityWeek