Massive Spike in Attacks Exploiting Ivanti EPMM Systems 0-day

Exploitation attempts targeting CVE-2026-1281, a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM), have surged to unprecedented levels.

On February 9, 2026, Shadowserver scans revealed over 28,300 unique source IP addresses attempting to exploit the flaw, marking one of the largest coordinated attack campaigns observed against enterprise mobile management infrastructure this year.

CVE-2026-1281 is a pre-authentication code injection vulnerability with a CVSS score of 9.8 that allows attackers to achieve unauthenticated remote code execution on vulnerable EPMM instances.

The vulnerability stems from improper input sanitization in a Bash handler at the /mifs/c/appstore/fob/ endpoint, enabling attackers to inject malicious payloads via URL parameters and execute arbitrary commands as the web server user.

Analysis of the attacking infrastructure reveals a heavily concentrated geographic distribution, with the United States accounting for approximately 20,400 IP addresses representing 72% of all observed attack sources.

The United Kingdom ranks second with 3,800 source IPs, while Russia follows with 1,900 addresses. Additional significant attack activity originated from networks in Iraq, Spain, Poland, France, Italy, Germany, and Ukraine, though at substantially lower volumes.

Coordinated Cyber Attack Campaign

Security researchers from GreyNoise and Defused have identified a sophisticated component to this exploitation wave: a suspected initial access broker has been deploying “sleeper” webshells on compromised EPMM instances.

Over 80% of exploitation activity has been traced to a single IP address operating behind bulletproof hosting infrastructure, suggesting a highly coordinated operation designed to establish persistent access for follow-on exploitation by other threat actors.

This delayed-activation approach differs significantly from typical opportunistic attacks, as the backdoors remain dormant until activated for specific operations.

Given that EPMM manages mobile devices, applications, and content across enterprise environments, successful exploitation provides attackers with extensive control over corporate mobile infrastructure, including the ability to deploy additional payloads to managed devices and facilitate lateral movement within targeted networks.

Ivanti first disclosed CVE-2026-1281 alongside CVE-2026-1340 on January 29, 2026, acknowledging limited in-the-wild exploitation against customer environments.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) immediately added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog with an unprecedented three-day remediation deadline, underscoring the severity of the threat.

The Shadowserver Foundation is actively sharing attacker IP data through their honeypot HTTP scanner events reporting system, with vulnerability_id filtered to CVE-2026-1281.

Organizations can access this threat intelligence at shadowserver.org to identify and block malicious source addresses attempting exploitation against their infrastructure. Ivanti has released temporary RPM patches for affected versions, with a permanent fix scheduled for version 12.8.0.0 in Q1 2026.

Security teams managing EPMM deployments should immediately apply available patches, monitor for indicators of compromise, including unexpected webshell artifacts, and review access logs for suspicious requests to the vulnerable endpoint.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.