Ivanti EPMM exploitation: Researchers warn of “sleeper” webshells
A massive wave of exploitation attempts has followed the disclosure of CVE-2026-1281, a critical pre-authentication Ivanti EPMM vulnerability, the Shadowserver Foundation has warned.
Some of it is automated scanning for vulnerable systems, but according to Greynoise and Defused, a suspected initial access broker has been prepping unpatched instances with a “sleeper” webshell for follow-on exploitation by other threat actors.
“On February 9, Defused Cyber reported a campaign deploying dormant in-memory Java class loaders to compromised EPMM instances at the path /mifs/403.jsp. The implants require a specific trigger parameter to activate, and no follow-on exploitation was observed at the time of their report,” Greynoise noted.
From their own vantage point – Greynoise sensors placed in data center networks and public IP space that passively observe unsolicited internet traffic around the world – the company spotted exploitation sessions that involved payloads that “phone home via DNS to confirm ‘this target is exploitable.’”
“They do not deploy malware. They do not exfiltrate data. They verify access,” Greynoise researchers noted. “This is consistent with initial access operations that verify exploitability first and deploy follow-on tooling later.”
CVE-2026-1281 exploitation picks up steam
Ivanti disclosed CVE-2026-1281 and CVE-2026-1340, two code injection vulnerabilities in its Endpoint Manager Mobile solution, on January 29, 2026, and said that they were aware of in-the-wild exploitation. CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog on the same day.
The company provided a temporary fix for the flaws (and fixed them with a patch and security updates on February 4), but on January 30, watchTowr researchers released their analysis of one of the patches.
It was revealed last week that the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) have had their EPMM instances breached on or before January 29, likely via CVE-2026-1281, and that the European Commission’s mobile device management platform was hacked (though the solution remains unnamed).
Another confirmed victim is Valtori, Finland’s central government ICT service center.
Ivanti, with the help of the Dutch National Cyber Security Center (NCSC-NL), has released a detection script to help customers find evidence of exploitation in their Ivanti EPMM environment. NCSC-NL warned that all organizations using Ivanti EPMM should assume they’ve been compromised and mount a forensic investigation to check.
Defused Cyber has shared log indicators and indicators of compromise and has advised organizations to patch their Ivanti EPMM instance, restart application servers to flush in-memory implants, and review access logs with the provided indicators.
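As an added illustration of the access-log review described above (example code written for this article, not the Ivanti/NCSC-NL detection script or Defused's indicators): it parses constructed combined-format access-log lines (the log format is an assumption; adjust the regex to your proxy or Tomcat AccessLogValve pattern) and flags requests to /mifs/403.jsp, the path Defused reported for the dormant class loader. Because the implant's trigger parameter is not public, any request to that path carrying a query string or a non-GET method is rated "high", and bare GETs are rated "review".

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format is an assumption; adapt to your reverse proxy / Tomcat pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
IMPLANT_PATH = "/mifs/403.jsp"  # path reported by Defused Cyber for the dormant implant


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return None for uninteresting requests, otherwise a finding dict."""
    parts = urlsplit(entry["target"])
    if parts.path.rstrip("/") != IMPLANT_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # The trigger parameter name is not public, so any parameter or any non-GET
    # request to this path is treated as a possible activation attempt.
    severity = "high" if (params or entry["method"] != "GET") else "review"
    return {"ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
            "status": entry["status"], "params": sorted(params), "severity": severity}


def scan(lines):
    """Return findings, in log order, for every parseable line that hits the implant path."""
    entries = (parse_line(line) for line in lines)
    return [f for f in (classify(e) for e in entries if e) if f]


# Constructed sample log (RFC 5737 documentation addresses); "x" is a placeholder parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Feb/2026:10:21:07 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.77 - - [09/Feb/2026:10:22:13 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 12 "-" "python-requests/2.31"
this line is not an access-log entry
198.51.100.77 - - [09/Feb/2026:10:22:15 +0000] "GET /mifs/403.jsp?x=1 HTTP/1.1" 200 58 "-" "python-requests/2.31"
198.51.100.77 - - [09/Feb/2026:10:22:20 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 58 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run it against your real logs with `scan(open(path).readlines())`; a "high" finding from a single external IP that also appears in other exploitation indicators is a strong reason to preserve the server for forensics before restarting it.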