European authorities are investigating multiple cyberattacks linked to critical flaws in Ivanti Endpoint Manager Mobile as threat groups step up exploitation activity.
Ivanti released advisories on Jan. 29 for code injection vulnerabilities in the on-premises version of EPMM, tracked as CVE-2026-1281 and CVE-2026-1340. Successful exploitation enables an attacker to achieve remote code execution.
The European Commission said it was investigating an attack on its central mobile infrastructure. The Jan. 30 attack may have enabled hackers to gain access to names and mobile numbers of some staff members, according to a blog post released Thursday.
Officials said the incident was contained within nine hours and no mobile devices were compromised.
Meanwhile, Dutch authorities confirmed that the Dutch Data Protection Authority and the Judicial Council were impacted by attacks exploiting the vulnerabilities in Ivanti EPMM, according to a letter sent to Parliament.
Security researchers said threat activity targeting the vulnerabilities is accelerating, but in targeted ways.
“We’ve detected over 600 individual IPs exploiting the vulnerability, with lots of variation from fingerprinting the system to establishing reverse shells to webshells; practically every post-exploit method has been seen,” Simo Kohonen, founder and CEO of Defused, told Cybersecurity Dive.
Research from threat intelligence firm Defused shows that hackers are dropping Java-class loaders into compromised systems, signaling the work of an initial access broker.
Shadowserver has detected 92 compromised instances and expects that number to increase because of what it calls a massive campaign targeting CVE-2026-1281, CEO Piotr Kijewski told Cybersecurity Dive.
Censys data shows more than 3,700 login interfaces exposed on the public internet; however, not all of those are considered vulnerable. Most are located in Germany and the U.S.
Researchers from Rapid7 said there has been an acceleration of threat activity, although it has slowly declined in recent days, from a peak of 525 exploitation attempts on Feb. 5 to about 200 observed attempts over the past 24 hours.
“There is no direct attribution associated with the source IPs, though the activity is consistent with known malicious infrastructure that routinely scans the internet for vulnerable hosts and conducts large-scale, brute-force attempts,” Christiaan Beek, senior director of threat intelligence at Rapid7, told Cybersecurity Dive.
Beek also confirmed potential initial access broker activity: n-day vulnerabilities have been used to gain footholds, possibly as a precursor to selling that access to ransomware groups.
Ivanti is “collaborating closely with our customers, as well as trusted government and security partners” to address the threat, a spokesperson told Cybersecurity Dive.
Ivanti has released indicators of compromise and an RPM detection script through its work with the Netherlands NCSC. The company said it is “committed to transparency” and helping to protect its own customers and the broader ecosystem.