A critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM), identified as CVE-2026-1281, has been actively exploited in the wild since at least summer 2025. German government agencies possess technical information confirming this long-term exploitation, prompting an urgent ‘code orange’ alert. This flaw allows unauthenticated attackers to execute arbitrary code, potentially leading to widespread compromise of mobile device management infrastructures and access to sensitive data.
Vulnerability Details and Impact
The Ivanti EPMM platform, formerly MobileIron Core, is widely used by organizations to manage employee mobile devices. The identified vulnerabilities, specifically CVE-2026-1281 and CVE-2026-1340, grant remote, unauthenticated attackers the ability to execute arbitrary code on vulnerable systems. Successful exploitation provides access to the MobileIron File Service (MIFS) database, a central repository of critical information. Depending on the specific configuration of the Ivanti EPMM environment, that database can include sensitive personal data, IMEI numbers, and user account credentials, including encrypted and hashed passwords; because the flaw is a zero-day that allows Remote Code Execution (RCE), all of this is exposed to an attacker. The far-reaching implications of such a compromise underscore the severity of these vulnerabilities.
Exploitation and Detection Timeline
- Mid-August 2025: Forensic analysis carried out in February 2026 found indications of initial exploitation attempts similar to those observed in January 2026. The German BSI confirmed these early exploitation indications.
- January 28, 2026: Initial attempts to exploit the vulnerabilities were observed.
- January 29, 2026: Successful compromise of multiple organizations was confirmed, with evidence of data exfiltration. Ivanti released security patches for CVE-2026-1281 and CVE-2026-1340, and the NCSC issued a security advisory.
- February 2, 2026: First public news report regarding patching the vulnerabilities.
- February 4, 2026: NCSC updated its guidance to include an ‘assume-breach’ scenario for affected organizations.
- February 6, 2026: Ivanti and NCSC collaborated to release an initial version of an Exploitation Detection RPM Package.
- February 10, 2026: Further research confirmed the August 2025 exploitation.
- February 12, 2026: An updated version of the Exploitation Detection RPM Package was released by Ivanti and NCSC, featuring enhanced IoCs and improved webshell detection.
Guidance for Organizations
Organizations utilizing Ivanti EPMM systems are strongly advised to take immediate action due to the ‘code orange’ alert issued by German authorities. This includes:
- Immediate Patching: Ensure all Ivanti EPMM systems are updated with the latest security patches released on January 29, 2026.
- Forensic Investigation: Conduct thorough investigations of Ivanti EPMM servers for any signs of compromise, specifically extending the review back to July 2025 based on BSI recommendations.
- Utilize Detection Scripts: Deploy the latest Exploitation Detection RPM Package developed in collaboration by Ivanti and NCSC. This tool includes updated Indicators of Compromise (IoCs) and improved webshell detection capabilities. The most recent version, released on February 12, 2026, is crucial for effective detection and is available on the Ivanti Security Advisory page.
- Contact for Support: If IoCs are found, organizations should contact their respective national cybersecurity centers, such as `[email protected]`, for further assistance and guidance.
- Assume Breach Stance: Adopt an ‘assume-breach’ mentality, implementing enhanced monitoring and incident response procedures to identify and contain any potential ongoing intrusions.
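As an added illustration of the retrospective review and assume-breach steps above (example code written for this summary, not Ivanti's or the NCSC's Exploitation Detection RPM Package), the following Python script narrows a web access log to the review window starting July 2025 and groups, by source IP, the requests a responder should look at first: successful POSTs from scripted clients with no referer, and requests with an empty User-Agent. The combined log format, the heuristics, the addresses and the sample log lines are all constructed assumptions; the vendor and NCSC package remains the authoritative IoC check, and this only prioritizes human review.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: the server's web logs are in Apache/nginx "combined" format.
# Adjust the regex for other layouts.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Start of the retrospective window: the BSI guidance is to review back to July 2025.
REVIEW_START = datetime(2025, 7, 1, tzinfo=timezone.utc)

# Constructed list of User-Agent prefixes typical of non-browser, scripted clients.
SCRIPTED_UA_PREFIXES = ("curl/", "python-requests/", "Go-http-client/", "-")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the list of triage reasons that apply to a parsed request (heuristics are assumptions)."""
    reasons = []
    scripted = rec["ua"].startswith(SCRIPTED_UA_PREFIXES)
    # A successful POST from a scripted client with no referer is not proof of
    # compromise, but on a management server normally driven by browsers it is
    # where a human should look first.
    if rec["method"] == "POST" and rec["status"] == 200 and rec["referer"] == "-" and scripted:
        reasons.append("successful scripted POST")
    if rec["ua"] in ("", "-"):
        reasons.append("empty user-agent")
    return reasons


def triage(lines, review_start=REVIEW_START):
    """Keep only lines inside the review window and group flagged requests by source IP.

    Returns (flagged, in_window): flagged maps source IP -> list of
    (ISO timestamp, method, path, reasons); in_window counts parsed lines in the window.
    """
    flagged = defaultdict(list)
    in_window = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] < review_start:
            continue  # malformed lines and pre-window traffic are skipped
        in_window += 1
        reasons = classify(rec)
        if reasons:
            flagged[rec["ip"]].append((rec["ts"].isoformat(), rec["method"], rec["path"], reasons))
    return dict(flagged), in_window


# Constructed sample log lines (TEST-NET addresses, invented paths); not real IoCs.
SAMPLE_LOG = [
    # June 2025: before the review window, so ignored even though it looks scripted
    '203.0.113.10 - - [12/Jun/2025:09:14:02 +0000] "POST /login HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    # August 2025: successful scripted POST with no referer -> flagged
    '203.0.113.10 - - [17/Aug/2025:03:41:55 +0000] "POST /api/ping HTTP/1.1" 200 73 "-" "python-requests/2.31"',
    # January 2026: ordinary browser traffic -> not flagged
    '198.51.100.7 - - [28/Jan/2026:10:02:11 +0000] "GET /login HTTP/1.1" 200 4821 "https://mdm.example.test/" "Mozilla/5.0"',
    # January 2026: scripted POST that was rejected (403) -> in window, not flagged
    '203.0.113.10 - - [28/Jan/2026:10:05:40 +0000] "POST /api/ping HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    # January 2026: empty User-Agent -> flagged
    '203.0.113.44 - - [29/Jan/2026:00:13:09 +0000] "GET /index.html HTTP/1.1" 200 120 "-" "-"',
    # malformed line: skipped rather than crashing the triage
    "garbage line",
]


def run_sample():
    """Run the triage over the constructed sample; used by the demo below."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    flagged, in_window = run_sample()
    print(f"{in_window} requests inside the review window")
    for ip, hits in flagged.items():
        for ts, method, path, reasons in hits:
            print(f"{ip} {ts} {method} {path}: {', '.join(reasons)}")
```

In practice the script would be pointed at the full log retention for the server, and any flagged source address would be cross-checked against the IoCs shipped in the current detection package before being treated as evidence of compromise.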
The Shadowserver Foundation has reported a significant increase in exploitation attempts, highlighting the urgency of these measures.