
We are seeing confirmed reports of active exploitation involving two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile as of February 4, 2026. Specifically, threat intelligence confirms that attackers are using these flaws to execute malicious code on mobile management servers without any user interaction or credentials.

The Evidence

First, both vulnerabilities carry a CVSS score of 9.8, placing them in the critical severity band for business network security. According to the Ivanti Security Advisory, these code injection flaws affect the on-premises versions of the mobile device management platform. Initially, researchers at Rapid7 identified targeted attacks against government and enterprise networks using these flaws. Subsequently, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog, citing evidence of active scanning and exploitation. Specifically, the Shadowserver Foundation reports that over 1,400 vulnerable systems remain exposed to the internet globally. Furthermore, the exploit requires no prior access and allows a remote attacker to achieve full administrative control over the affected server.

Who Should Be Concerned

Most importantly, any organization running on-premises Ivanti Endpoint Manager Mobile (EPMM) should treat this as a top-tier emergency. Moreover, healthcare organizations face elevated risks as the Health Information Sharing and Analysis Center (H-ISAC) has issued alerts regarding potential exposure. In particular, IT security teams, mobile device administrators, and Chief Information Security Officers must coordinate an immediate response to prevent data theft. Therefore, boards of directors should be briefed on this risk as regulatory bodies now require faster reporting of material cyber incidents.

Historical Context

Notably, this marks the latest in a long series of critical flaws affecting Ivanti products, with CISA tracking 31 separate defects in their catalog since 2021. Similarly, this threat follows the pattern of the May 2025 EPMM vulnerabilities where attackers focused on edge devices to bypass traditional security. In fact, security researchers have seen a massive shift where nation-state groups target management tools to gain a permanent foothold in target networks. As a result, software that manages mobile fleets has become a primary target for advanced persistent threat groups looking for initial access.

Detailed Impact Analysis

Currently, attackers are using these vulnerabilities to deploy web shells and reverse shells to maintain access after the initial breach. Once exploited, the attacker can view sensitive information about every managed mobile device and even change network configurations. Meanwhile, forensic data shows that criminals are hiding malicious files in system error pages to avoid being caught by standard antivirus tools. Consequently, a successful attack puts intellectual property and employee personal data at immediate risk. Based on reports from GreyNoise, mass exploitation attempts are rising as more hacking groups automate the attack process.

Immediate Actions Required

Immediately, you must apply the temporary RPM script patch provided by the vendor to all on-premises EPMM installations. Specifically, this fix must be deployed within 24 hours to prevent exploitation, though federal agencies were required to finish this by February 1, 2026. Next, you should verify that the patch took effect by checking your system version, and review the Apache HTTPD access logs for suspicious POST requests to 401.jsp pages. However, if you find signs of a breach, you should build a new appliance from a clean backup rather than just patching the old one. Additionally, we recommend reviewing all administrator accounts for any new or unauthorized users created in the last week. After patching, rotate all passwords for connected services such as LDAP and Single Sign-On to ensure the attacker is fully locked out.
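The log review step above can be scripted. The following is an added example, not code from Ivanti or from this advisory: it parses Apache access log lines (the combined log format is assumed; the appliance's exact format is not stated here), flags POST requests to 401.jsp pages, and tallies them by source address. The log lines are constructed sample data.

```python
import re
from dataclasses import dataclass

# Apache combined log format (assumed). Unparseable lines are skipped, not fatal.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int

def is_suspicious(method: str, path: str) -> bool:
    # Indicator from the advisory: POST requests aimed at the 401.jsp error page.
    # Query strings are stripped and the match is case-insensitive.
    page = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return method == "POST" and page == "401.jsp"

def scan_access_log(lines) -> list:
    """Return a Hit for every suspicious request found in the given log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m["method"], m["path"]):
            hits.append(Hit(m["ip"], m["ts"], m["method"], m["path"], int(m["status"])))
    return hits

def hits_by_source(hits) -> dict:
    """Count suspicious requests per source IP, for triage and blocking decisions."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts

# Constructed sample log lines (documentation-range IPs, not real observations).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2026:10:12:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2026:10:12:03 +0000] "POST /mifs/401.jsp HTTP/1.1" 200 311 "-" "curl/8.4.0"
198.51.100.22 - - [04/Feb/2026:10:15:44 +0000] "POST /mifs/401.jsp?x=1 HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.0.2.5 - - [04/Feb/2026:10:16:00 +0000] "GET /mifs/401.jsp HTTP/1.1" 401 812 "-" "Mozilla/5.0"
this line is not a valid access log entry
"""

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{h.ts} {h.ip} {h.method} {h.path} -> {h.status}")
```

Point it at the real access log with `scan_access_log(open(path))` and treat every hit as a lead for the breach check described above, not as proof of compromise on its own.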

Additional Resources

For complete technical details and patch instructions, please review the Ivanti Security Advisory. Additionally, organizations can find official mitigation guidance on the CISA Known Exploited Vulnerabilities Catalog.

Get Expert Help

If your organization needs immediate expert guidance on checking for a breach or deploying these critical patches, DefendMyBusiness offers customized security solutions. Our team specializes in rapid incident response and vulnerability assessment to protect your digital assets from advanced threats. Schedule a free security consultation now to get expert analysis within 24 hours.
