Vulnerability Management, Patch/Configuration Management, Threat Intelligence

Widespread exploitation of critical Ivanti Endpoint Manager Mobile bugs ongoing

watchTowr Labs observed multiple threat actors exploiting a pair of critical Ivanti Endpoint Manager Mobile code injection vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, in global attacks, even as Ivanti dismissed an exploit chain involving both flaws, according to CyberScoop.

Attempted exploitation of CVE-2026-1281 surged on Saturday, while internet-exposed Ivanti EPMM instances continued to exceed 1,400, The Shadowserver Foundation noted. "It's important to remember that exposure does not equal exploitation. But any organization exposing vulnerable instances to the internet must consider them compromised, tear down infrastructure, and instigate incident response processes," said watchTowr Labs Head of Proactive Threat Intelligence Ryan Dewhurst.

The development comes after China-linked hacking operations and other threat groups were reported to have leveraged the Ivanti EPMM zero-day tracked as CVE-2025-4428, along with other Ivanti bugs, for network compromise.

"State-sponsored adversaries have generally made strong use of remotely exploitable vulnerabilities in Ivanti kit, which isn't surprising," said VulnCheck Vice President of Security Research Caitlin Condon.
