Vulnerability Campaign Exploitation Wave Incident Security Patch Release

Ivanti Endpoint Manager Mobile zero-day exploitation, European government breaches, and concentrated attack wave

Updated 08.04.2026 21:15

Case score 71

Case score 71 Members 5 Latest activity 08.04.2026 21:15 Active exploitation KEV: CISA KEV Patch available Permanent fix: EPMM 12.8.0.0 planned

Active exploitation KEV: CISA KEV Patch available Permanent fix: EPMM 12.8.0.0 planned

Members 5 First seen 30.01.2026 06:43 Last seen 12.02.2026 09:32 Updated 08.04.2026 21:15

Overview

**Ivanti Endpoint Manager Mobile (EPMM)** remains under active zero-day exploitation for **CVE-2026-1281** and **CVE-2026-1340**, two critical code-injection flaws that allow unauthenticated remote code execution. A concentrated February exploitation wave later logged **417 sessions** from eight source IPs, and Shadowserver tracked a more voluminous Feb. 9 burst against European government targets. Confirmed fallout reaches the **European Commission**, the **Finnish government**, and at least two Dutch agencies, with staff contact details and device information exposed in some incidents. Patches are available, **CISA** has placed both flaws in the **KEV catalog** with federal deadlines on **February 1** and **April 11**, and compromise review remains warranted for exposed deployments.

Key facts

**Ivanti Endpoint Manager Mobile (EPMM)** has two critical code-injection flaws, **CVE-2026-1281** and **CVE-2026-1340**, that can allow unauthenticated remote code execution.
GreyNoise logged **417 exploitation sessions** from **8 unique source IPs** between **February 1 and 9, 2026**, with **193.24.123[.]42** generating **346 sessions** and accounting for **83%** of the attempts, and Shadowserver tracked a more voluminous Feb. 9 burst against European government targets.
The flaws carry **CVSS 9.8** scores and affect multiple EPMM release lines.
Ivanti released security updates on **January 29, 2026**, and **CISA** later added **CVE-2026-1281** to the **KEV catalog** with a **February 1** deadline for federal civilian executive branch agencies.
On **April 8**, CISA added **CVE-2026-1340** to KEV and ordered FCEB agencies to patch by **April 11** under **BOD 22-01**.
The same EPMM exposure is tied to confirmed public-sector compromise at the **European Commission** and related disclosures by **Valtori** and Dutch authorities, with staff names, mobile numbers, work email addresses, telephone numbers, and device details exposed in some incidents.

**Ivanti Endpoint Manager Mobile (EPMM)** remains under active zero-day exploitation after attackers began targeting **CVE-2026-1281** and **CVE-2026-1340**, two code-injection flaws that allow unauthenticated remote code execution. GreyNoise logged **417 exploitation sessions** from **8 unique source IPs** between **February 1 and 9, 2026**, with **193.24.123[.]42** generating **346 sessions** and accounting for **83%** of the attempts. Shadowserver also tracked a more voluminous Feb. 9 attack spike against European government targets, while GreyNoise said the activity used DNS callbacks to verify exploitability and rotated through 300+ user-agent strings. The flaws carry **CVSS 9.8** scores and affect multiple EPMM release lines. Ivanti released security updates on **January 29, 2026**, and **CISA** later added **CVE-2026-1281** to the **KEV catalog** with a **February 1** deadline for federal civilian executive branch agencies. On **April 8**, CISA added **CVE-2026-1340** to KEV and ordered FCEB agencies to patch by **April 11** under **BOD 22-01**. Administrators were told to review Apache access logs, inspect administrative and configuration changes, and watch for attempted or successful exploitation, and Ivanti said the RPM fix must be reapplied after any version upgrade before the permanent **EPMM 12.8.0.0** release later in Q1 2026. The **European Commission** disclosed a breach investigation after finding evidence that its mobile device management platform had been hacked, and later public disclosures by the Dutch justice and security secretary and Finnish government ICT centre **Valtori** confirmed related compromise across government mobile-management services. The Commission said the system was contained and cleaned within **nine hours**, while Valtori said as many as **50,000** government workers may have had their details exposed. Reported exposure included staff names, mobile numbers, work email addresses, telephone numbers, and device details, and the same EPMM exposure raises follow-on risk of spearphishing, impersonation, and deeper access attempts against government networks.

Update history

27.05.2026 17:58 · updated

Changed: case_title, case_identity_v1, case_summary, executive_brief_v1, case_detailed_summary_v1, case_key_facts_v1, case_narrative_links_v1, activity_story_v1, defender_view_v1, threat_and_technical_context_v1, scope_and_limits_v1, member_map_v1, case_member_admission_v1

Reason: Updated to reflect CISA's later KEV action for CVE-2026-1340, the Feb. 9 attack spike tracked by Shadowserver and GreyNoise, and the public-disclosure details from the European Commission, Valtori, and Dutch authorities.

Malware context

6 families · 1 tools

Tools

Ivanti Endpoint Manager Mobile (EPMM)

Signals

12 derived

Exploitation

Exploitation Active exploitation CVSS 9.8 Critical

Affected impact

Exposed data

CVEs/products

CVE CVE Product Ivanti Endpoint Manager Mobile (EPMM)

Victims/regions

Sector government Victim region Finland Victim region Netherlands

Remediation

KEV CISA KEV Remediation Patch available Permanent fix EPMM 12.8.0.0 planned

Member happenings

5 related

Vulnerability Ivanti Endpoint Manager Mobile (EPMM) actively exploited code injection flaws (multiple vulnerabilities)

Updated 30.01.2026 06:43 Lead Contribution 64

Exploitation Active Exploitation CVSS 9.8 Critical Patch Patch Available

**Ivanti Endpoint Manager Mobile (EPMM)** is affected by **two critical code-injection flaws** — **CVE-2026-1281** and **CVE-2026-1340** — that enable **unauthenticated remote code execution** and were **exploited in zero-day attacks**. **Ivanti** has released updates, and **CISA** added **CVE-2026-1281** to the **KEV catalog**, making the issue urgent for exposed deployments.

View happening

Campaign Ivanti EPMM mobile-data theft campaign targeting European governments

Updated 10.02.2026 11:45 Scoring Support Contribution 3

Campaign Active Objective Espionage

A **coordinated Ivanti EPMM campaign** is now linked to breaches at multiple **European government** bodies, raising concern that staff and mobile-user data were exposed across several institutions. The activity reached the **European Commission**, the **Finnish government**, and **at least two Dutch agencies** during **January 29-February 6, 2026**. The exposure matters because compromised mobile-management data can enable follow-on **spearphishing** and impersonation against government users.

View happening

Incident European Commission hit by cyberattack

Updated 09.02.2026 11:49 Scoring Support Contribution 2

Incident Contained Extortion None

The **European Commission** is investigating a **cyberattack** on its **mobile device management platform**, which may have exposed staff **names** and **mobile numbers**. The incident was **contained** and cleaned within **9 hours**, limiting the immediate operational impact. The breach matters because it may be connected to wider attacks on **European institutions** using **Ivanti Endpoint Manager Mobile (EPMM)** zero-day flaws.

View happening

Exploitation Wave Ivanti EPMM exploitation wave (CVE-2026-1281)

Updated 12.02.2026 09:32 Scoring Support Contribution 2

Exploitation Active Exploitation CVSS 9.8 Critical Patch Patch Available

**Ivanti Endpoint Manager Mobile (EPMM)** is facing an **active exploitation wave** against **CVE-2026-1281** and **CVE-2026-1340**, creating immediate risk for internet-facing management systems. GreyNoise observed **417 exploitation sessions** from **8 source IPs** between **February 1 and 9, 2026**. A single host, **193.24.123[.]42**, generated **346 sessions** and accounted for **83%** of the attempts. Ivanti said a **very limited number of customers** were impacted after **zero-day exploitation**, showing the abuse had already moved beyond disclosure into live targeting.

View happening

Security Patch Release Ivanti security patch release for CVE-2026-1281

Updated 30.01.2026 06:43 Context

Exploitation Active Exploitation Urgency High CVSS 9.8 Critical Patch Patch Available

**Ivanti** released **security updates** for **Ivanti Endpoint Manager Mobile (EPMM)** after disclosure of **two critical zero-day flaws** that can enable **unauthenticated remote code execution**. The patch set covers **CVE-2026-1281** and **CVE-2026-1340** on affected **EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, 12.7.0.0 and prior**, with a permanent fix planned for **12.8.0.0**. **CISA** also added **CVE-2026-1281** to the **KEV catalog**, making timely remediation especially urgent.

View happening