Attackers are actively exploiting two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software, a familiar target in the network edge cybersecurity landscape. These defects allow unauthenticated users to remotely execute code, posing a significant risk to organizations relying on Ivanti for mobile device and application management.
The vulnerabilities, identified as CVE-2026-1281 and CVE-2026-1340, both carry a severe CVSS rating of 9.8. Ivanti confirmed that a limited number of customers were targeted before the company disclosed and addressed these issues on Thursday. The company did not specify the earliest date of exploitation.
New Ivanti Zero-Days Under Active Exploitation
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its catalog of exploited vulnerabilities. While CVE-2026-1340 has also been exploited, Ivanti stated that the two vulnerabilities have not been chained together for attacks. Repeated exploitation of Ivanti software vulnerabilities is a recurring concern for its customer base.
These latest code-injection vulnerabilities highlight a renewed focus by attackers on the EPMM product. Ivanti had previously disclosed a separate pair of vulnerabilities in the same product in May 2025, further underscoring the persistent security challenges associated with its offerings.
Pattern of Mass Exploitation
Security researchers have observed a concerning trend where mass exploitation frequently follows the public disclosure of vulnerabilities and the release of exploit code. Ryan Dewhurst, head of proactive threat intelligence at watchTowr, described this arc as “depressingly predictable,” noting the shift from tightly scoped zero-day exploitation to widespread attacks by opportunistic actors.
Shadowserver reported observing a surge in exploitation attempts for CVE-2026-1281 from multiple source IPs shortly after its discovery. Their scans indicated that over 1,400 instances of Ivanti EPMM remain exposed to the internet, although it remains unclear how many of these are vulnerable or have already been compromised.
Organizations exposing vulnerable instances of EPMM to the internet are advised to treat them as compromised and initiate incident response processes. Exposure does not automatically mean exploitation, but it represents a significant risk.
Ivanti’s Response and Remediation
Ivanti has issued a recommendation for all on-premises EPMM customers to apply available patches. However, the company cautioned that the current script-based solution is temporary and may be overwritten during future software upgrades. The company stated that applying these patches takes minimal time, does not cause downtime, and significantly improves customer protection rates.
A permanent fix for these vulnerabilities is slated for inclusion in a future software update. Ivanti has not yet provided a timeline for the release of this update. In both of these new Ivanti zero-days, the distinction between attacker input and trusted code is blurred, which allows malicious payloads to execute.
Remotely exploitable vulnerabilities in network edge devices represent an attractive and effective attack vector for threat actors seeking to infiltrate networks. This is consistent with past incidents where multiple threat groups exploited previous Ivanti EPMM zero-day defects and other vulnerabilities in Ivanti products.
Broader Implications and Future Outlook
The ongoing exploitation of Ivanti vulnerabilities reflects a protracted struggle between the vendor and advanced threat groups, creating a consistent risk for its customers. Some security researchers point to Ivanti itself as a factor in this sustained security problem, while others acknowledge the technical difficulty in discovering these specific types of bugs prior to active exploitation.
The nuances of these defects, which involve indirect paths to code injection, are challenging to identify. However, security teams can leverage the knowledge of these vulnerable code patterns to improve future vulnerability hunting efforts. While the vulnerabilities may have been difficult to detect, defensive engineering practices must anticipate that attackers will eventually discover non-obvious exploitation paths.
Ivanti maintains that its security and engineering teams acted swiftly to address the defects once identified, emphasizing the inherent difficulty in finding such vulnerabilities. Customers are encouraged to apply the provided patches immediately while awaiting the permanent fix. The next expected step is the release of the permanent patch by Ivanti, though uncertainties remain regarding its availability date.

