Security incidents involving enterprise network tools are drawing increasing scrutiny, with recent activity focusing on a pair of serious vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Administrators rely on Ivanti EPMM to manage devices and applications, making these incidents relevant to organizations concerned about securing remote access points. Cybersecurity teams are once again faced with a familiar pattern as attackers seek to leverage deficiencies in trusted network solutions, prompting calls for more aggressive vigilance.
Earlier news about Ivanti’s network device security showed recurring issues, with zero-days such as CVE-2025-4428 and multiple other EPMM vulnerabilities previously exploited by threat groups. Public advisories and catalog listings have gradually expanded, mirroring a steady cadence of vulnerabilities coming to light. Previous incidents spurred temporary fixes and prompted global monitoring, but complete long-term mitigation and thorough detection remain a persistent challenge for both Ivanti and its clients.
How Do The Latest Vulnerabilities Work?
The recently exposed flaws, CVE-2026-1281 and CVE-2026-1340, both rated 9.8 by CVSS, allow unauthenticated attackers to remotely execute code on affected Ivanti EPMM installations. According to Ivanti, the attack initially targeted a limited set of customers, but the range of exploitation has rapidly expanded following public disclosure. The Cybersecurity and Infrastructure Security Agency confirmed CVE-2026-1281 as a known exploited issue, reflecting the escalation and the pattern of swift mass exploitation after vulnerabilities become publicly known.
What Steps Have Ivanti and Security Experts Taken?
Ivanti quickly issued a temporary script for on-premises EPMM clients and promises a permanent solution in a forthcoming update. Despite the prompt response, researchers have urged organizations with internet-facing vulnerable instances to assume possible compromise and prioritize incident response. Monitoring organizations observed a notable increase in exploitation attempts, pointing out that more than 1,400 EPMM servers remain accessible online.
The software packages that address the defects “takes only seconds to apply, does not cause downtime and significantly increases adoption and protection rates for customers,” Ivanti maintained. However, the company has not shared details about the total number of those affected.
Are Broader Security Practices Being Questioned?
Security specialists acknowledge that the intricate paths leading to these vulnerabilities complicate detection, with some highlighting the repeat nature of these incidents. According to analysts, the blurred distinction between trusted and untrusted code in EPMM extends the attack surface for opportunistic and targeted actors alike.
“Defensive engineering needs to assume attackers will find the non-obvious paths eventually, because they always do,” one researcher said, emphasizing the need for proactive security measures rather than reactive fixes.
Several long-standing themes emerge from this episode: the attractiveness of network edge devices as targets, the recurring exploitation of Ivanti’s EPMM product, and the challenge of balancing rapid patch deployment with deeper code review. Security teams are advised to treat any online-exposed EPMM platform as compromised unless proven otherwise, and to review infrastructure for evidence of intrusion. While the company responded promptly this time, repeated incidents suggest that organizations need to bolster their own monitoring and be prepared to take quick action rather than solely relying on vendor patches.
Companies managing critical infrastructure should consider a layered defense approach and stay updated on vulnerability disclosures, especially for products like Ivanti EPMM known for a history of targeted attacks. Additionally, incident response readiness and rapid deployment of published mitigations may help reduce exposure between discovery and the release of permanent fixes. Organizations should align their risk management with recent advisories and take extra caution with internet-exposed management tools, as persistent targeting and advanced exploitation methods are likely to continue in this sector.
