
Ivanti Exploitation Surges as Zero-Day Attacks Traced Back to July 2025

Security researchers have seen the vulnerabilities being exploited to deliver shells, conduct reconnaissance, and download malware. The post Ivanti Exploitation Surges as Zero-Day Attacks Traced Back to July 2025 appeared first on SecurityWeek.

Exploitation of two recently patched Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, which had been zero-days, has surged, Palo Alto Networks warned this week.

The critical vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, can be exploited by remote, unauthenticated attackers to execute arbitrary code on target servers and gain complete control of the targeted mobile device management (MDM) infrastructure.

The security holes were patched by Ivanti in late January, when the vendor notified users that it had been aware of zero-day attacks aimed at “a very limited number of customers”.

Widespread exploitation of CVE-2026-1281 and CVE-2026-1340 started soon after disclosure, and Palo Alto Networks has been seeing a wide range of attacks.

In a blog post dated February 17, the security firm reported that threat actors have been exploiting the vulnerabilities to download malware on compromised Ivanti platforms, including web shells, cryptocurrency miners, and a persistent backdoor.

Palo Alto has also observed attackers deploying the Nezha open source monitoring utility (recently leveraged in China-linked malicious activity), executing reverse shells, and conducting reconnaissance.

There do not appear to be any public reports describing the exploitation of CVE-2026-1281 and CVE-2026-1340 as zero-days.

However, Germany’s national cybersecurity agency BSI has reported evidence of exploitation since the summer of 2025 and has urged organizations to check their systems for indicators of compromise (IoCs) as far back as July 2025.

It’s not uncommon for threat actors to exploit vulnerabilities in Ivanti products, including zero-days. CISA’s Known Exploited Vulnerabilities (KEV) catalog currently includes more than 30 Ivanti flaws.

Some of the most significant attacks have been linked to Chinese state-sponsored cyberespionage groups.

UPDATE: Ivanti has provided the following statement to SecurityWeek:

Ivanti’s recommendation remains the same: customers who have not yet patched should do so immediately, and then review their appliance for any signs of exploitation that may have occurred prior to patching. Applying the patch is the most effective way to prevent exploitation, regardless of how IOCs change over time, especially once a POC is available. The patch requires no downtime and takes only seconds to apply.

Ivanti has provided customers with high fidelity indicators of compromise, technical analysis at disclosure, and an Exploitation Detection script developed with NCSC NL, and continues to support customers as we respond to this threat.

Related: Ivanti Patches Endpoint Manager Vulnerabilities Disclosed in October 2025

Related: Apple Patches iOS Zero-Day Exploited in ‘Extremely Sophisticated Attack’

Related: SmarterTools Hit by Ransomware via Vulnerability in Its Own Product