Exploits

Ivanti EPMM Zero-Days Hit Dutch, EU, Finnish Gov Systems

Published  ·  4 min read

Ivanti disclosed and patched two high-severity (CVSS 9.8) code injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) on January 29, 2026, after an uptick in incidents involving breaches across Europe drew attention to yet another set of critical zero-day vulnerabilities within EPMM, the formerly mobile device management solution called MobileIron Core. These vulnerabilities allow unauthenticated remote code execution. These were exploited in the wild before public disclosure, with CISA adding CVE-2026-1281 to its Known Exploited Vulnerabilities catalog the same day (giving federal agencies just three days to patch).

Some of the weaknesses are located in particular areas such as Android File Transfer Configuration and In-House Application Distribution, which allow attackers to use an attacker-created request to inject arbitrary commands into the system, usually by abusing the way that Bash is handled in the back-end processing of these products. WatchTowr Labs was able to quickly develop proof-of-concept exploits as well as provide technical information about these vulnerabilities due to how poorly Ivanti sanitized or validated input in how they handled remote commands.

Several high-profile organizations confirmed impacts:
In the Netherlands, the Dutch Data Protection Authority (AP) and Council for the Judiciary (Rvdr) reported intrusions after the NCSC was alerted by Ivanti on January 29. Attackers accessed work-related employee data: names, business email addresses, and phone numbers. No broader service disruptions occurred, and the agencies notified parliament.

The European Commission detected "traces" of an attack on its central mobile device management infrastructure on January 30. It may have exposed staff names and mobile numbers, but the incident was contained and cleaned within nine hours, no mobile device compromise detected. There is a continued focus by the Commission on continual monitoring and on resilience initiatives.

Valtori, the state ICT provider in Finland, reported a breach of its systems on January 30 that could impact nearly 50,000 employees in government (about two-thirds of the employees in Finland's central government). A zero-day vulnerability in the MDM service was exploited by attackers to access names, work email addresses, phone numbers and other device-related information. Valtori noted the system only "marked" deleted data as removed rather than erasing it permanently, meaning historical user/device records from all past users could be at risk.

Ivanti described exploitation as limited to "a very limited number" of customers at disclosure time, but global scans (e.g., by Shadowserver) suggest dozens of exposed instances worldwide. The vendor provided temporary RPM patches (which don't survive upgrades) and promised a full fix in version 12.8.0.0 (Q1 2026).

Experts like watchTowr's Benjamin Harris stress this isn't random opportunism, it's "highly skilled, well-resourced" actors running precision campaigns against deeply embedded enterprise systems. Mobile device management applications such as EPMM occupy a unique place on the hierarchy of a company. As such, they are primary targets for the first point of entry or for harvesting data.

Key takeaways for defenders:
1. If you are using any of the affected EPMM versions, urgently patch your systems, apply interim fixes and monitor logs for signs of exploitation (the vendor suggests running the following Apache access log queries).
2. Assume that any exposed instance has been compromised, meaning a forensic review will be required to validate all activities, credentials should be rotated, and a review of any devices enrolled to the instances should be made.
3. Harden exposure, restrict internet-facing EPMM to VPN or zero-trust access; enable strict authentication.
4. Speed matters, when it comes to abnormal detection and rapid containment, the difference between a small-scale incident becoming an extremely large scale crisis is based upon the speed of response (Harris).

This is similar to how Ivanti has seen a continuous history of various edge-device exploits (2023 with CVE-2023-35078 chains, 2025 with CVE-2025-4427/4428). The organizations using MDM tools need to consider MDM tools as high-risk perimeter assets and even now, with PoCs made available publicly and the potential of scanning increasing on MDM tools.

Source: The Hacker News

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067