Threat Research

    Two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, are impacting Ivanti Endpoint Manager Mobile (EPMM). They are actively exploited in the wild, targeting enterprise mobile fleets and corporate networks. The flaws allow unauthenticated remote code execution on affected servers....
    Cyber threat actors exploited Ivanti EPMM systems by chaining two vulnerabilities—CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (code injection)—to gain initial access. Around May 15, 2025, they targeted the /mifs/rs/api/v2/ endpoint using crafted HTTP GET requests and the ?format= parameter to execute remote commands....
    A China-nexus threat actor is actively exploiting a critical vulnerability (CVE-2025-4428) in Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier. The flaw, when chained with CVE-2025-4427, enables unauthenticated remote code execution on vulnerable systems. Exploitation has been observed since May 15, 2025, targeting internet-facing Ivanti EPMM instances....
    According to reliable third-party incident response data, threat actors exploited the listed vulnerabilities to achieve initial access, execute remote code (RCE), acquire credentials, and deploy webshells on victim networks....
    On September 10, 2024, Ivanti announced the CVE-2024-8190 security advisory, revealing an authenticated command injection vulnerability in DateTimeTab.php, affecting CSA 4.6 and earlier versions. By September 13, the vulnerability was added to CISA’s Known Exploited Vulnerabilities list, and Ivanti updated their advisory, noting observed exploitation post-disclosure....