Critical Vulnerabilities in Ivanti EPMM Exploited

    Date: 02/19/2026

    Severity: High

    Summary

    Two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, affect Ivanti Endpoint Manager Mobile (EPMM). They are actively exploited in the wild, targeting enterprise mobile fleets and corporate networks. The flaws allow unauthenticated remote code execution on affected servers, so attackers can take full control of mobile device management (MDM) systems without credentials or user interaction. Observed exploitation has included reverse shells, web shell deployment, reconnaissance, and malware downloads. Organizations in the United States, Germany, Australia, and Canada, across the government, healthcare, manufacturing, legal, and high-tech sectors, have been affected.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    gobygo.net

    introo.sh

    ngrok-free.app

    interacth3.io

    ddns.1433.eu.org

    oast.live

    oast.me

    oast.site

    eyes.sh

    requestrepo.com

    ceye.io

    interact..gateway.horizon3ai.com

    http://152.32.173.138/U26d86f1899513347.5b5b0c1b

    http://64.7.199.177:18899/93.187.56.19

    http://93-187-56-19.nistpyzlfeyzcyrsimcx814h1j59iqxo1.oast.fun

    zeetcckhtudizieudqyck5o4ez16y973h.oast.fun/93.187.56.19

    http://152.32.173.138/U5213b63dda61af48.0F3Ab3D3

    http://hxa-93-187-56-19.nistpyzlfeyzcyrsimcx814h1j59iqxo1.oast.fun/`whoami

    hxps://e598292a5fbd.ngrok-free.app/204.251.198.205/443

    /mi/tomcat/webapps/mifs/401.jsp

    /mi/tomcat/webapps/mifs/403.jsp

    /mi/tomcat/webapps/mifs/1.jsp

    agent.sh

    /mi/tomcat/webapps/mifs/css/test.css

    /mi/tomcat/webapps/mifs/css/poc.css

    /mi/tomcat/webapps/mifs/css/cssaaa.css

    /mi/tomcat/webapps/mifs/css/login.css

    IP Addresses:

    23.227.199.80

    64.7.199.177

    83.138.53.139

    84.72.235.18

    86.106.143.200

    91.193.19.12

    107.173.231.201

    130.94.41.206

    138.226.247.241

    144.172.106.4

    146.70.41.193

    152.32.173.138

    158.247.199.185

    185.173.235.232

    192.242.184.234

    193.242.184.234

    194.78.67.253

    198.13.158.58

    204.251.198.205

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "oast.me" or url like "oast.me" or siteurl like "oast.me" or domainname like "http://hxa-93-187-56-19.nistpyzlfeyzcyrsimcx814h1j59iqxo1.oast.fun/`whoami" or url like "http://hxa-93-187-56-19.nistpyzlfeyzcyrsimcx814h1j59iqxo1.oast.fun/`whoami" or siteurl like "http://hxa-93-187-56-19.nistpyzlfeyzcyrsimcx814h1j59iqxo1.oast.fun/`whoami" or domainname like "interacth3.io" or url like "interacth3.io" or siteurl like "interacth3.io" or domainname like "ngrok-free.app" or url like "ngrok-free.app" or siteurl like "ngrok-free.app" or domainname like "ceye.io" or url like "ceye.io" or siteurl like "ceye.io" or domainname like "http://152.32.173.138/U26d86f1899513347.5b5b0c1b" or url like "http://152.32.173.138/U26d86f1899513347.5b5b0c1b" or siteurl like "http://152.32.173.138/U26d86f1899513347.5b5b0c1b" or domainname like "http://64.7.199.177:18899/93.187.56.19" or url like "http://64.7.199.177:18899/93.187.56.19" or siteurl like "http://64.7.199.177:18899/93.187.56.19" or domainname like "requestrepo.com" or url like "requestrepo.com" or siteurl like "requestrepo.com" or domainname like "eyes.sh" or url like "eyes.sh" or siteurl like "eyes.sh" or domainname like "oast.live" or url like "oast.live" or siteurl like "oast.live" or domainname like "interact..gateway.horizon3ai.com" or url like "interact..gateway.horizon3ai.com" or siteurl like "interact..gateway.horizon3ai.com" or domainname like "ddns.1433.eu.org" or url like "ddns.1433.eu.org" or siteurl like "ddns.1433.eu.org" or domainname like "http://152.32.173.138/U5213b63dda61af48.0F3Ab3D3" or url like "http://152.32.173.138/U5213b63dda61af48.0F3Ab3D3" or siteurl like "http://152.32.173.138/U5213b63dda61af48.0F3Ab3D3" or domainname like "oast.site" or url like "oast.site" or siteurl like "oast.site" or domainname like "http://93-187-56-19.nistpyzlfeyzcyrsimcx814h1j59iqxo1.oast.fun" or url like "http://93-187-56-19.nistpyzlfeyzcyrsimcx814h1j59iqxo1.oast.fun" or siteurl like "http://93-187-56-19.nistpyzlfeyzcyrsimcx814h1j59iqxo1.oast.fun" or domainname like "introo.sh" or url like "introo.sh" or siteurl like "introo.sh" or domainname like "gobygo.net" or url like "gobygo.net" or siteurl like "gobygo.net" or domainname like "https://e598292a5fbd.ngrok-free.app/204.251.198.205/443" or url like "https://e598292a5fbd.ngrok-free.app/204.251.198.205/443" or siteurl like "https://e598292a5fbd.ngrok-free.app/204.251.198.205/443" or domainname like "/mi/tomcat/webapps/mifs/401.jsp" or url like "/mi/tomcat/webapps/mifs/401.jsp" or siteurl like "/mi/tomcat/webapps/mifs/401.jsp" or domainname like "/mi/tomcat/webapps/mifs/403.jsp" or url like "/mi/tomcat/webapps/mifs/403.jsp" or siteurl like "/mi/tomcat/webapps/mifs/403.jsp" or domainname like "/mi/tomcat/webapps/mifs/1.jsp" or url like "/mi/tomcat/webapps/mifs/1.jsp" or siteurl like "/mi/tomcat/webapps/mifs/1.jsp" or domainname like "agent.sh" or url like "agent.sh" or siteurl like "agent.sh" or domainname like "/mi/tomcat/webapps/mifs/css/test.css" or url like "/mi/tomcat/webapps/mifs/css/test.css" or siteurl like "/mi/tomcat/webapps/mifs/css/test.css" or domainname like "/mi/tomcat/webapps/mifs/css/poc.css" or url like "/mi/tomcat/webapps/mifs/css/poc.css" or siteurl like "/mi/tomcat/webapps/mifs/css/poc.css" or domainname like "/mi/tomcat/webapps/mifs/css/cssaaa.css" or url like "/mi/tomcat/webapps/mifs/css/cssaaa.css" or siteurl like "/mi/tomcat/webapps/mifs/css/cssaaa.css" or domainname like "/mi/tomcat/webapps/mifs/css/login.css" or url like "/mi/tomcat/webapps/mifs/css/login.css" or siteurl like "/mi/tomcat/webapps/mifs/css/login.css" or domainname like "zeetcckhtudizieudqyck5o4ez16y973h.oast.fun/93.187.56.19" or url like "zeetcckhtudizieudqyck5o4ez16y973h.oast.fun/93.187.56.19" or siteurl like "zeetcckhtudizieudqyck5o4ez16y973h.oast.fun/93.187.56.19"

    Detection Query 2:

    dstipaddress IN ("152.32.173.138","193.242.184.234","158.247.199.185","83.138.53.139","23.227.199.80","204.251.198.205","185.173.235.232","64.7.199.177","84.72.235.18","86.106.143.200","107.173.231.201","91.193.19.12","130.94.41.206","138.226.247.241","144.172.106.4","146.70.41.193","192.242.184.234","194.78.67.253","198.13.158.58") or srcipaddress IN ("152.32.173.138","193.242.184.234","158.247.199.185","83.138.53.139","23.227.199.80","204.251.198.205","185.173.235.232","64.7.199.177","84.72.235.18","86.106.143.200","107.173.231.201","91.193.19.12","130.94.41.206","138.226.247.241","144.172.106.4","146.70.41.193","192.242.184.234","194.78.67.253","198.13.158.58")
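    The two queries above match every indicator against the same handful of fields. As an added example, not part of this advisory and not Gurucul query language, the Python below takes the IOC list as data and checks each indicator type against the log field where it would actually appear: the IP addresses against source/destination address fields, the domains as hostname suffixes (so a callback to a subdomain such as abc123.oast.me still hits), the URLs as host plus path after stripping the defanged hxps:// scheme, and the /mi/tomcat/webapps/mifs/... entries and agent.sh against file-event paths rather than network fields. The split of the advisory's indicators into four lists follows the order they are listed in above, and the log records are constructed for the demonstration. Note that several of the domain entries (the oast.* domains, ngrok-free.app, requestrepo.com, ceye.io) are public out-of-band callback or tunnelling services, so a suffix hit on one of them shows a callback to that service and should be triaged together with the other indicators rather than treated as proof of this campaign on its own.

```python
"""Match the advisory's IOCs against log records, field by field (added example)."""
import ipaddress
from urllib.parse import urlsplit

# IOCs transcribed from the advisory; grouping follows the order listed there.
DOMAIN_IOCS = [
    "gobygo.net", "introo.sh", "ngrok-free.app", "interacth3.io", "ddns.1433.eu.org",
    "oast.live", "oast.me", "oast.site", "eyes.sh", "requestrepo.com", "ceye.io",
    "interact..gateway.horizon3ai.com",  # empty label: cannot match a valid hostname as written
]
URL_IOCS = [
    "http://152.32.173.138/U26d86f1899513347.5b5b0c1b",
    "http://64.7.199.177:18899/93.187.56.19",
    "http://93-187-56-19.nistpyzlfeyzcyrsimcx814h1j59iqxo1.oast.fun",
    "zeetcckhtudizieudqyck5o4ez16y973h.oast.fun/93.187.56.19",
    "http://152.32.173.138/U5213b63dda61af48.0F3Ab3D3",
    "http://hxa-93-187-56-19.nistpyzlfeyzcyrsimcx814h1j59iqxo1.oast.fun/`whoami",
    "hxps://e598292a5fbd.ngrok-free.app/204.251.198.205/443",  # defanged in the advisory
]
FILE_IOCS = [
    "/mi/tomcat/webapps/mifs/401.jsp", "/mi/tomcat/webapps/mifs/403.jsp",
    "/mi/tomcat/webapps/mifs/1.jsp", "agent.sh",
    "/mi/tomcat/webapps/mifs/css/test.css", "/mi/tomcat/webapps/mifs/css/poc.css",
    "/mi/tomcat/webapps/mifs/css/cssaaa.css", "/mi/tomcat/webapps/mifs/css/login.css",
]
IP_IOCS = [
    "23.227.199.80", "64.7.199.177", "83.138.53.139", "84.72.235.18", "86.106.143.200",
    "91.193.19.12", "107.173.231.201", "130.94.41.206", "138.226.247.241", "144.172.106.4",
    "146.70.41.193", "152.32.173.138", "158.247.199.185", "185.173.235.232",
    "192.242.184.234", "193.242.184.234", "194.78.67.253", "198.13.158.58", "204.251.198.205",
]
DEFANGED_SCHEMES = ("hxxps://", "hxxp://", "hxps://", "hxp://", "https://", "http://")


def split_url(raw):
    """Return (host, path) for a URL IOC or a logged URL, ignoring the scheme.
    Defanged hxp(s):// and hxxp(s):// prefixes are accepted so IOCs parse as written."""
    s = raw.strip()
    for prefix in DEFANGED_SCHEMES:
        if s.lower().startswith(prefix):
            s = s[len(prefix):]
            break
    parts = urlsplit("//" + s)  # leading '//' makes urlsplit read the start as netloc
    return (parts.hostname or "").rstrip("."), parts.path or "/"


def build_index():
    """Normalise the IOC lists into lookup structures (hosts, exact URLs, IPs)."""
    hosts = {d.lower().rstrip("."): d for d in DOMAIN_IOCS}
    urls = {}
    for u in URL_IOCS:
        host, path = split_url(u)
        urls[(host, path)] = u
        hosts.setdefault(host, u)  # a URL's host is itself evidence of contact
    ips = {str(ipaddress.ip_address(ip)) for ip in IP_IOCS}
    return hosts, urls, ips


def host_matches(host, hosts):
    """Suffix match: 'abc123.oast.me' hits the 'oast.me' IOC; 'notoast.me' does not."""
    h = host.lower().rstrip(".")
    for ioc_host, source in hosts.items():
        if h == ioc_host or h.endswith("." + ioc_host):
            return source
    return None


def match_record(rec, index):
    """Return a list of (ioc_kind, field, ioc) hits for one log record (a dict)."""
    hosts, urls, ips = index
    hits = []
    for field in ("src_ip", "dst_ip"):
        value = rec.get(field)
        if value and str(ipaddress.ip_address(value)) in ips:
            hits.append(("ip", field, value))
    if rec.get("host") and host_matches(rec["host"], hosts):
        hits.append(("host", "host", host_matches(rec["host"], hosts)))
    if rec.get("url"):
        host, path = split_url(rec["url"])
        if (host, path) in urls:
            hits.append(("url", "url", urls[(host, path)]))
        elif host_matches(host, hosts):
            hits.append(("host", "url", host_matches(host, hosts)))
    if rec.get("file_path"):
        p = rec["file_path"]
        bare_names = {f for f in FILE_IOCS if "/" not in f}  # e.g. agent.sh, any directory
        if p in FILE_IOCS or p.rsplit("/", 1)[-1] in bare_names:
            hits.append(("file", "file_path", p))
    return hits


# Constructed sample records (not real telemetry); RFC 5737 addresses for the benign side.
SAMPLE_RECORDS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "152.32.173.138",
     "url": "http://152.32.173.138/U26d86f1899513347.5b5b0c1b"},
    {"id": 2, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "host": "abc123.oast.me"},
    {"id": 3, "file_path": "/mi/tomcat/webapps/mifs/css/poc.css"},
    {"id": 4, "src_ip": "10.0.0.7", "dst_ip": "198.51.100.20",
     "url": "https://example.com/mifs/login.css"},  # similar-looking but no IOC
    {"id": 5, "file_path": "/tmp/agent.sh"},
]


def scan(records):
    """Map record id -> list of hits; empty list means the record matched nothing."""
    index = build_index()
    return {rec["id"]: match_record(rec, index) for rec in records}


if __name__ == "__main__":
    for rec_id, hits in scan(SAMPLE_RECORDS).items():
        print(rec_id, hits)
```

    Record 1 produces two hits (the destination IP and the exact URL), record 2 hits through the oast.me suffix, records 3 and 5 hit on file paths, and record 4 is clean even though its path looks like one of the listed CSS names, because the indicator is the server-side file path and not a request URI.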

    Reference:

    https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/


    Tags

    Vulnerability, Ivanti, CVE-2026, EPMM, United States, Germany, Australia, Canada, Government Services and Facilities, Healthcare and Public Health, Critical Manufacturing, Information Technology, Exploit, Zero-day

