Ivanti EPMM exploitation wave (CVE-2026-1281)
Exploitation Wave
Summary
Hide ▲
Show ▼
Ivanti Endpoint Manager Mobile (EPMM) is facing an active exploitation wave against CVE-2026-1281 and CVE-2026-1340, creating immediate risk for internet-facing management systems. GreyNoise observed 417 exploitation sessions from 8 source IPs between February 1 and 9, 2026. A single host, 193.24.123[.]42, generated 346 sessions and accounted for 83% of the attempts. Ivanti said a very limited number of customers were impacted after zero-day exploitation, showing the abuse had already moved beyond disclosure into live targeting.
Cases
Related Happenings
Everest Forms Pro CVE-2026-3300 active exploitation wave
Exploitation Wave
H score87
First: 05.06.2026 11:38
Last: 05.06.2026 11:38
Sources 1
About this happening:
Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...
Everest Forms Pro CVE-2026-3300 active exploitation wave
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...
Burst Statistics authentication bypass (CVE-2026-8181)
Vulnerability
H score78
First: 15.05.2026 00:07
Last: 15.05.2026 00:07
Sources 1
About this happening:
**Burst Statistics** on **WordPress sites** is facing active exploitation of **CVE-2026-8181**, a critical **authentication bypass** that can let unauthenticated attackers imperso...
Burst Statistics authentication bypass (CVE-2026-8181)
VulnerabilityAbout this happening: **Burst Statistics** on **WordPress sites** is facing active exploitation of **CVE-2026-8181**, a critical **authentication bypass** that can let unauthenticated attackers imperso...
PraisonAI missing-authentication flaw actively probed (CVE-2026-44338)
Vulnerability
H score27
First: 14.05.2026 14:40
Last: 14.05.2026 14:40
Sources 1
About this happening:
Within **hours of disclosure**, **PraisonAI CVE-2026-44338** was being **probed on internet-exposed instances**, creating **unauthenticated access** risk for the legacy Flask API...
PraisonAI missing-authentication flaw actively probed (CVE-2026-44338)
VulnerabilityAbout this happening: Within **hours of disclosure**, **PraisonAI CVE-2026-44338** was being **probed on internet-exposed instances**, creating **unauthenticated access** risk for the legacy Flask API...
Nginx UI auth-bypass exploitation wave (CVE-2026-33032)
Exploitation Wave
H score9
First: 16.04.2026 01:35
Last: 16.04.2026 01:35
Sources 1
About this happening:
**CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...
Nginx UI auth-bypass exploitation wave (CVE-2026-33032)
Exploitation WaveAbout this happening: **CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...
Marimo CVE-2026-39987 exploitation wave
Exploitation Wave
H score51
First: 12.04.2026 17:20
Last: 12.04.2026 17:20
Sources 1
About this happening:
**Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Marimo CVE-2026-39987 exploitation wave
Exploitation WaveAbout this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Timeline
-
12.02.2026 09:32 2 articles · 4mo ago
Ivanti EPMM exploitation wave linked to 193.24.123[.]42
Campaign Scope UpdateGreyNoise described a concentrated exploitation wave against Ivanti Endpoint Manager Mobile (EPMM), recording 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026, with 346 sessions from 193.24.123[.]42 accounting for 83% of attempts. The activity targeted CVE-2026-1281 and CVE-2026-1340 for unauthenticated remote code execution, used DNS callbacks to verify exploitability, and overlapped with exploitation of CVE-2026-21962, CVE-2026-24061, and CVE-2025-24799. Ivanti said a very limited number of customers were impacted after zero-day exploitation, and multiple European agencies including the Dutch Data Protection Authority (AP), Council for the Judiciary, the European Commission, and Valtori said they were targeted.
Show sources
- 83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure — thehackernews.com — 12.02.2026 09:32
- Ivanti EPMM Zero-Day Bugs Spark Exploit Frenzy — Again — www.darkreading.com — 13.02.2026 00:05