Security researchers reported that a large-scale cyber campaign is targeting systems running Ivanti Endpoint Manager Mobile (EPMM), a widely used mobile device management platform, after the disclosure of two critical zero-day vulnerabilities. Attackers are scanning the internet from tens of thousands of IP addresses to identify and exploit unpatched instances of the software.

 

 

Ivanti disclosed the vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, on January 29, 2026. Both carry severe scores that reflect the risk of remote, unauthenticated code execution on affected servers. Proof-of-concept exploits were made public immediately after the disclosure, prompting a rapid increase in scanning and exploitation attempts by multiple threat actors.

Threat monitoring data show that on some days attackers used more than 28,000 distinct IP addresses to probe for vulnerable EPMM installations, with more than 39,000 connections logged against a single honeypot used to measure malicious activity. By comparison, other high-profile vulnerabilities typically attract scans from far fewer sources.

Security organisations have identified hundreds of internet-exposed EPMM systems in Germany, the United States, the United Kingdom, Switzerland, Hong Kong, China, France, Spain, the Netherlands, and Sweden. Many more installations exist behind corporate firewalls, where they should be shielded from direct internet access.

Separate reports indicate that the vulnerabilities have been linked to confirmed breaches of government systems in Europe. The European Commission said it detected and contained a cyberattack on infrastructure responsible for managing staff mobile devices that may have allowed access to limited personal information. Similar attacks against government agencies in Finland and the Netherlands have been attributed to the exploitation of the same flaws.

Ivanti advised customers and administrators to apply emergency patches and released guidance and tools to help assess potential exploitation. Patches became available shortly after the flaws were disclosed, and the company has encouraged organisations to update affected systems immediately to prevent compromise.

Experts said the rapid emergence of mass exploitation after public disclosure underscores the risks associated with zero-day vulnerabilities in widely deployed management software. EPMM systems are used to enforce security policies, manage employee devices, and deliver applications across iOS, Android, and Windows environments. If an attacker gains control of such systems, they can potentially access sensitive corporate data and deploy malicious code unnoticed.

Researchers warn that unpatched instances remain exposed and that continued scanning by malicious actors is likely unless administrators secure their networks and apply the latest updates. The campaign highlights broader security challenges for organisations that depend on device management platforms for operational continuity and data protection.
