Executive Summary
Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340, both rated CVSS 9.8 — have been actively exploited to breach multiple European government agencies. Confirmed victims include the Dutch Data Protection Authority, the Dutch Council for the Judiciary, the European Commission, and Finland's Valtori (state ICT provider serving up to 50,000 government employees).
Researchers have also discovered "sleeper" webshells planted by attackers for long-term persistent access.
Vulnerability Details
CVE-2026-1281 — Code Injection via In-House App Distribution
| Field | Details |
|---|---|
| CVE | CVE-2026-1281 |
| CVSS | 9.8 (Critical) |
| Type | Code injection via Bash arithmetic expansion |
| Component | EPMM In-House App Distribution |
| Authentication | None required |
| Impact | Unauthenticated remote code execution |
The flaw lies in the file delivery mechanism of EPMM's In-House App Distribution: a value taken from an unauthenticated request reaches a Bash arithmetic expansion. Because Bash performs parameter and command substitution on the operands of an arithmetic expression while evaluating it, a crafted value can carry an embedded command that runs with the privileges of the EPMM process, giving an unauthenticated attacker arbitrary command execution on the server.
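The following script is an added illustration of that bug class in general, not Ivanti's code; the function names and the "size" field are hypothetical. It pairs a vulnerable check, where an attacker-supplied string is fed straight into `(( ))`, with a hardened version that allow-lists the input as an unsigned integer before it reaches any arithmetic context. Bash evaluates the value of a variable used in `(( ))` as an expression of its own, and an array subscript inside that value gets full shell expansion, so a command substitution hidden in the subscript executes.

```bash
#!/usr/bin/env bash
# Added example of Bash arithmetic-expansion injection (not Ivanti's code).
# "size" stands in for any request field that a script later compares
# numerically; the function names are hypothetical.

# VULNERABLE: the untrusted string is used directly inside (( )).
# Bash looks up $size, then evaluates its *value* as an arithmetic
# expression; "a[...]" in that value is an array reference whose
# subscript is shell-expanded, so "$(cmd)" inside it runs.
check_size_vulnerable() {
  local size="$1"
  if (( size > 0 )); then
    echo "accepted"
  else
    echo "rejected"
  fi
}

# HARDENED: allow-list the input as 1..12 ASCII digits before any
# arithmetic context sees it. Anything else is refused outright.
check_size_hardened() {
  local size="$1"
  if [[ ! "$size" =~ ^[0-9]{1,12}$ ]]; then
    echo "rejected"
    return 1
  fi
  if (( size > 0 )); then
    echo "accepted"
  else
    echo "rejected"
  fi
}

# Probe: feed a constructed payload that drops a marker file through a
# command substitution hidden in an array subscript. Returns "executed"
# if the marker appeared (the check ran attacker code), else "not-executed".
probe() {
  local fn="$1" marker payload
  marker="$(mktemp -u)"
  payload="a[\$(touch '$marker')]"
  "$fn" "$payload" >/dev/null 2>&1 || true
  if [[ -e "$marker" ]]; then
    rm -f "$marker"
    echo "executed"
  else
    echo "not-executed"
  fi
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  echo "vulnerable: $(probe check_size_vulnerable)"   # executed
  echo "hardened:   $(probe check_size_hardened)"     # not-executed
fi
```

Note that the vulnerable function still reports "rejected" for the payload (an unset array element evaluates to 0), so a script that only checks the comparison result never notices that a command ran. The defence is input validation before the arithmetic context, not a check on its outcome.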
CVE-2026-1340 — Code Injection via Android File Transfer
| Field | Details |
|---|---|
| CVE | CVE-2026-1340 |
| CVSS | 9.8 (Critical) |
| Type | Code injection |
| Component | EPMM Android File Transfer |
| Authentication | None required |
| Impact | Unauthenticated remote code execution |
Confirmed Victims
| Organization | Country | Impact |
|---|---|---|
| Dutch Data Protection Authority (AP) | Netherlands | Systems compromised, investigation ongoing |
| Dutch Council for the Judiciary | Netherlands | Court system infrastructure breached |
| European Commission | EU | Institutional systems accessed |
| Valtori (State ICT Provider) | Finland | Up to 50,000 government employees' work details potentially exposed |
Attack Timeline
Jan 29, 2026 — First confirmed exploitation activity
Jan 31, 2026 — Ivanti notified of active exploitation
Feb 1, 2026 — CISA deadline for federal agencies to apply mitigations
Feb 3, 2026 — Temporary RPM patches released
Feb 7, 2026 — Dutch authorities confirm breaches
Feb 11, 2026 — Researchers discover "sleeper" webshells
Feb 14, 2026 — Finnish government confirms Valtori breach
Exploitation Activity
Scale
GreyNoise tracked exploitation activity from:
- 8 distinct IP addresses across 417 exploitation sessions
- 83% of all exploitation attempts traced to a single bulletproof hosting IP
- Activity began January 29 — before patches were available
Sleeper Webshells
Security researchers, as reported by Help Net Security, found that attackers planted webshells designed for long-term persistent access:
- Webshells disguised as legitimate EPMM system files
- Dormant until activated by specific request parameters
- Survived temporary RPM patches in some cases
- Designed to re-establish access even after patching
This means organizations that patched but did not conduct thorough forensic investigations may still be compromised.
Affected Systems
| Version | Status |
|---|---|
| On-premises EPMM < 12.8.0.0 | Vulnerable |
| Cloud Neurons for MDM | Not affected |
| EPMM 12.8.0.0+ | Fixed (release planned for Q1 2026) |
Important: Only on-premises EPMM installations are affected. Ivanti's cloud-hosted Neurons for MDM is not vulnerable.
Remediation
Immediate Steps
- Apply RPM patches from Ivanti immediately (temporary fix)
- Upgrade to EPMM 12.8.0.0 when available (full fix, Q1 2026)
- Conduct forensic investigation — Patching alone is insufficient due to sleeper webshells
Post-Patch Investigation
- Search for webshells — Check for unexpected files in EPMM web directories
- Review web access logs — Look for requests to the In-House App Distribution and Android File Transfer endpoints that carry no valid session, and for parameters containing shell syntax (command substitution, arithmetic expressions)
- Check for persistence — Inspect cron jobs, scheduled tasks, and startup scripts
- Monitor outbound connections — Look for C2 traffic from the EPMM server
- Rotate credentials — Change all credentials accessible from the EPMM server
Network Mitigations
- Restrict EPMM management interface access to trusted networks only
- Implement WAF rules for the In-House App Distribution and Android File Transfer endpoints that reject request values containing shell syntax (command substitution, backticks, arithmetic expressions); treat this as a stopgap, not a substitute for patching
- Monitor for the 8 known exploitation IP addresses
Context: Ivanti's Ongoing Security Challenges
Ivanti products have been a frequent target of state-sponsored actors:
| Date | Product | CVE(s) | Impact |
|---|---|---|---|
| Jan 2024 | Connect Secure | CVE-2024-21887 | CISA emergency directive, global exploitation |
| Sep 2024 | Cloud Service Appliance | CVE-2024-8963 | Active exploitation |
| Jan 2026 | Connect Secure | Multiple | CISA emergency directive |
| Feb 2026 | EPMM | CVE-2026-1281/1340 | EU government breaches |
Organizations using Ivanti products should maintain heightened vigilance and rapid patching capabilities.
References
- The Hacker News — Dutch Authorities Confirm Ivanti Zero-Day Exploit
- The Record — EU, Dutch Government Announce Hacks Following Ivanti Zero-Days
- GreyNoise — Active Ivanti Exploitation
- Help Net Security — Ivanti EPMM Sleeper Webshells
- Tenable — CVE-2026-1281 CVE-2026-1340 Ivanti EPMM Zero-Day
- Rapid7 — Critical Ivanti EPMM Zero-Day Exploited in the Wild