Ivanti EPMM exploitation wave (CVE-2026-1281)

Exploitation Wave
H score 63
2 unique sources, 2 articles

Summary

Ivanti Endpoint Manager Mobile (EPMM) is facing an active exploitation wave against CVE-2026-1281 and CVE-2026-1340, creating immediate risk for internet-facing management systems. GreyNoise observed 417 exploitation sessions from 8 source IPs between February 1 and 9, 2026. A single host, 193.24.123[.]42, generated 346 sessions and accounted for 83% of the attempts. Ivanti said a very limited number of customers were impacted after zero-day exploitation, showing the abuse had already moved beyond disclosure into live targeting.

Related Happenings

Burst Statistics authentication bypass (CVE-2026-8181)

Vulnerability
First: 15.05.2026 00:07 Last: 15.05.2026 00:07 Sources 1

About this happening: **Burst Statistics** on **WordPress sites** is facing active exploitation of **CVE-2026-8181**, a critical **authentication bypass** that can let unauthenticated attackers imperso...

PraisonAI missing-authentication flaw actively probed (CVE-2026-44338)

Vulnerability
First: 14.05.2026 14:40 Last: 14.05.2026 14:40 Sources 1

About this happening: Within **hours of disclosure**, **PraisonAI CVE-2026-44338** was being **probed on internet-exposed instances**, creating **unauthenticated access** risk for the legacy Flask API...

Nginx UI auth-bypass exploitation wave (CVE-2026-33032)

Exploitation Wave
First: 16.04.2026 01:35 Last: 16.04.2026 01:35 Sources 1

About this happening: **CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...

Marimo CVE-2026-39987 exploitation wave

Exploitation Wave
First: 12.04.2026 17:20 Last: 12.04.2026 17:20 Sources 1

About this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...

Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave

Exploitation Wave
First: 26.03.2026 18:00 Last: 26.03.2026 18:00 Sources 1

About this happening: **Oracle WebLogic Server** systems faced a rapid **CVE-2026-21962** exploitation wave after public exploit code appeared, creating immediate **RCE risk** for exposed servers. The...

Timeline

  1. 12.02.2026 09:32 · 2 articles

    Ivanti EPMM exploitation wave linked to 193.24.123[.]42

    Campaign Scope Update

    GreyNoise described a concentrated exploitation wave against Ivanti Endpoint Manager Mobile (EPMM), recording 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026, with 346 sessions from 193.24.123[.]42 accounting for 83% of attempts. The activity targeted CVE-2026-1281 and CVE-2026-1340 for unauthenticated remote code execution, used DNS callbacks to verify exploitability, and overlapped with exploitation of CVE-2026-21962, CVE-2026-24061, and CVE-2025-24799. Ivanti said a very limited number of customers were impacted after zero-day exploitation, and multiple European agencies including the Dutch Data Protection Authority (AP), Council for the Judiciary, the European Commission, and Valtori said they were targeted.
