A widespread surge in the exploitation of two Ivanti Endpoint Mobile Manager (EPMM) remote code execution (RCE) bugs has been observed and reported by Unit 42 researchers at Palo Alto Networks.

The news came a little more than a week after SC Media reported that the Ivanti EPMM bugs had been exploited at the Dutch Data Protection Authority and Judicial Council and at the European Union (EU). Security researchers' fears that these attacks would spread globally have now come to pass.

In a Feb. 17 blog post, the Unit 42 researchers said the attackers exploited the vulnerabilities to establish reverse shells, install web shells, conduct reconnaissance and download malware.

The as-yet-unidentified attackers have targeted a broad cross-section of vertical industries in the U.S., Germany, Australia and Canada, including state and local government, healthcare, manufacturing, professional and legal services, and high technology.

According to the Unit 42 researchers, the threat actors have accelerated their operations, moving from initial reconnaissance to deploying dormant backdoors designed to maintain long-term access even after organizations apply patches.

In terms of scope, Palo Alto Networks said it identified more than 4,400 EPMM instances in its telemetry. One of the two CVSS 9.8 RCEs, CVE-2026-1281, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Jan. 28. The other bug is CVE-2026-1340.
Why all the lag time?
Security experts pointed out that while a surge in exploitation is not surprising, the larger concern is the delay between disclosure and full remediation.

Michael Bell, CEO at Suzu Labs, said Germany’s BSI found evidence that the latest Ivanti EPMM flaws had been exploited as zero-days since July 2025, giving attackers six months of access before disclosure. Now, Unit 42 has observed dormant backdoors specifically designed to survive patching.

“The patch takes seconds and requires no downtime, so apply it immediately, but then check your logs back to July 2025 because patching doesn't evict someone who's already inside,” said Bell. “Organizations running any edge appliance should architect around the assumption that these products will have critical vulnerabilities again, regardless of vendor, and segment accordingly.”

Randolph Barr, CISO at Cequence Security, said what is really important here is the shift from initial exploitation to persistence. Barr said bad actors are deploying web shells, reverse shells and even legitimate open-source tools such as the Nezha monitoring agent as backdoors.

“Nezha isn’t malware by design, but when installed post-compromise it provides low-visibility, long-term remote control that can survive superficial patching,” said Barr. “That indicates this campaign is evolving from opportunistic scanning to sustained foothold establishment.”

Damon Small, a board member at Xcape, Inc., said what is really alarming in this case is that skilled adversaries can evade detection for long periods, gathering information and planning future attacks. By exploiting critical vulnerabilities in EPMM, threat actors have progressed beyond mere disruption to achieving persistent, unauthenticated root access across various industries.

“Security professionals see this as a fundamental change, where ‘edge fatigue’ is being exploited,” said Small. “Attackers understand that these internet-facing devices are often the least monitored but hold the most network privileges.”

For organizations using Ivanti products, start by patching immediately. Small offered the following checklist of steps to take after patching:

- Conduct thorough compromise assessments.
- Reset credentials.
- Examine logs for unusual activity.
- Consider rebuilding affected devices from scratch.
- Perform network segmentation and apply more robust access controls to mitigate the impact of future vulnerabilities.