
Emergency patches advised after attacks on Ivanti EPMM devices


Reports that two previously patched Ivanti remote code execution (RCE) bugs were exploited at the Dutch Data Protection Authority and Judicial Council and at the European Union (EU) raised concerns worldwide that these attacks will spread.

The two CVSS 9.8 RCEs are in Ivanti Endpoint Manager Mobile (EPMM). One of them, CVE-2026-1281, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Jan. 28. The other 9.8 bug was CVE-2026-1340.

Security teams were told to consider this case an emergency patch situation.

“Organizations need to act urgently,” said Denis Calderone, co-founder and CTO at Suzu Labs. “If you're running Ivanti EPMM, this isn't a standard patch cycle situation. Both vulnerabilities are unauthenticated RCEs rated CVSS 9.8, and they target mobile device management (MDM) infrastructure. Compromise means attackers can push malicious configurations or apps to your entire corporate mobile fleet.”

Calderone said organizations should run emergency patches if they haven't already, then audit MDM logs for suspicious policy changes, unauthorized app deployments, or configuration modifications going back several weeks.

“These were zero-days before disclosure, so assume attackers had access during that window,” said Calderone. “Check mobile devices for unexpected profiles or certificates. Treat this as incident response — not routine patching — because the impact of EPMM compromise extends to every managed device in your organization.”
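One way to operationalise the audit Calderone describes (sensitive MDM changes over a look-back window of several weeks, with attention to who made them, when, and from where) is shown below. This is an added example and is not code from the article, from Ivanti, or from Suzu Labs. It assumes a generic JSON-lines audit export with the field names and action names used here; the article does not describe EPMM's actual log format, so those names, the admin allow-list, the trusted network range and the approved change window are all constructed assumptions to be replaced with your own.

```python
"""Triage of MDM audit events after a zero-day disclosure.

Added example, not from the SC Media article, Ivanti or Suzu Labs.
Assumes a generic JSON-lines audit export; the field names (ts, actor,
action, target, src_ip) and action names are assumptions, not EPMM's.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Event classes the article says to audit: policy changes, app deployments,
# configuration modifications, plus pushed profiles and certificates.
# Action names are assumed for this example.
SENSITIVE_ACTIONS = {
    "policy.modify", "app.deploy", "config.modify",
    "profile.push", "certificate.install",
}

# Constructed sample export (not real logs); timestamps are ISO-8601 UTC.
SAMPLE_EVENTS = """\
{"ts": "2026-01-05T09:12:00Z", "actor": "alice@corp.example", "action": "policy.modify", "target": "wifi-baseline", "src_ip": "10.1.2.3"}
{"ts": "2026-01-20T02:47:13Z", "actor": "svc-integration", "action": "app.deploy", "target": "com.example.unknownapp", "src_ip": "203.0.113.45"}
{"ts": "2026-01-22T03:15:40Z", "actor": "svc-integration", "action": "certificate.install", "target": "fleet-root-ca", "src_ip": "203.0.113.45"}
{"ts": "2026-01-23T10:00:00Z", "actor": "bob@corp.example", "action": "device.sync", "target": "DEV-001", "src_ip": "10.1.2.9"}
{"ts": "2026-01-27T23:58:01Z", "actor": "bob@corp.example", "action": "config.modify", "target": "vpn-profile", "src_ip": "10.1.2.9"}
"""

# Constructed baseline: who may change MDM state, from where, and when.
KNOWN_ADMINS = {"alice@corp.example", "bob@corp.example"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CHANGE_WINDOW_HOURS = range(8, 18)  # approved change hours, UTC

# Review time fixed for reproducibility (day after the KEV addition).
REVIEW_TIME = datetime(2026, 1, 29, tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON lines into dicts, adding a tz-aware datetime under 'when'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # fromisoformat() only accepts a trailing 'Z' on Python 3.11+,
        # so normalise it to an explicit UTC offset first.
        ev["when"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def reasons_for(ev, known_admins, trusted_nets, change_hours):
    """Return the list of baseline deviations for one sensitive event."""
    reasons = []
    if ev["actor"] not in known_admins:
        reasons.append("actor not in admin allow-list")
    if ev["when"].hour not in change_hours:
        reasons.append("outside approved change window")
    src = ipaddress.ip_address(ev["src_ip"])
    if not any(src in net for net in trusted_nets):
        reasons.append("source address outside trusted networks")
    return reasons


def find_suspicious(text, now, lookback_days=45, known_admins=KNOWN_ADMINS,
                    trusted_nets=TRUSTED_NETS, change_hours=CHANGE_WINDOW_HOURS):
    """Flag sensitive MDM changes in the look-back window that deviate
    from the baseline; events matching the baseline are not returned."""
    since = now - timedelta(days=lookback_days)
    flagged = []
    for ev in parse_events(text):
        if ev["action"] not in SENSITIVE_ACTIONS or ev["when"] < since:
            continue
        reasons = reasons_for(ev, known_admins, trusted_nets, change_hours)
        if reasons:
            flagged.append({
                "ts": ev["ts"], "actor": ev["actor"], "action": ev["action"],
                "target": ev["target"], "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS, REVIEW_TIME):
        print(hit["ts"], hit["actor"], hit["action"], hit["target"],
              "->", "; ".join(hit["reasons"]))
```

On the constructed sample this flags the off-hours app deployment and certificate install from an unlisted service account and an external address, and the one known administrator's late-night configuration change; the in-hours policy change by a listed admin from the internal network is not flagged. A certificate or profile pushed by an unexpected actor is exactly the kind of finding that should then be confirmed on the devices themselves, as the quote above advises.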

John Carberry, solution sleuth at Xcape, Inc., added that these recent Ivanti compromises serve as a stark reminder that the network edge remains a critical target in global diplomacy. Carberry said this compromised data represents precisely what's needed to launch sophisticated, targeted vishing and spear-phishing attacks against high-ranking officials.

“This isn't an isolated incident,” said Carberry. “With over 1,400 vulnerable systems still exposed globally, we're seeing the beginning of a global collection phase. State-sponsored adversaries are actively seeking to establish persistence before fragmented RPM patches can be implemented. Organizations must prioritize immediate patching where feasible, actively search for indicators of compromise, and assume that unpatched devices may already be compromised.”

Carberry added that if teams cannot patch swiftly, isolating or temporarily disabling affected systems might be the more prudent course of action. Security teams should classify these Ivanti devices as Tier-0 assets, routing them through a robust zero-trust gateway instead of leaving them exposed to the public internet, where attackers can identify and compromise them within seconds.

“Patch Ivanti yesterday, as tomorrow's headline is going to be about the one who waits,” said Carberry.

Andi Ursry, threat intelligence analyst at Blackpoint Cyber, added that his team sees these types of exploitation spread quickly. Once attackers confirm the method works, Ursry said, it’s often copied and reused across several groups within days.

“Organizations outside government industry and in other regions are likely targets, especially those that have not patched yet,” said Ursry. “Generally, we recommend ensuring that you have a robust patch management program and are able to quickly mitigate access and apply workarounds until a patch can be applied.”
