Palo Alto Networks’ Unit 42 says two critical flaws are being actively abused to gain unauthenticated access, deploy persistent backdoors, and compromise entire enterprise mobile fleets even after patches are applied.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, both carrying a CVSS score of 9.8. Attackers can gain unauthenticated remote code execution on exposed MDM servers, with over 4,400 instances publicly accessible. Threat actors are rapidly moving from automated scanning to deploying persistent backdoors, web shells, and cryptominers that survive patching cycles. Targeted sectors include government, healthcare, and manufacturing across the US, Germany, Australia, and Canada. Ivanti has released emergency RPM patches for EPMM 12.x, but warns the patch doesn't survive version upgrades and that connected Sentry systems may also be compromised. Organizations suspecting compromise are advised to restore from clean backups rather than attempting remediation. Proof-of-concept exploit code is already publicly available, and this follows a recurring pattern of Ivanti product exploitation dating back to 2023.

Attackers exploit Ivanti EPMM zero-days to seize control of MDM servers