Ivanti EPMM ‘Sleeper Shells’ not so sleepy?
ID: d57afa75-9281-579b-a1b6-a3d916766143
STIX ID: report--d57afa75-9281-579b-a1b6-a3d916766143
Feed Name: NVISO Labs
NVISO investigated a compromise of Ivanti Endpoint Manager Mobile (EPMM) following the disclosure of two RCE vulnerabilities (CVE-2026-1281 and CVE-2026-1340). The attackers dropped a webshell at /mifs/403.jsp and used base64-encoded Java class payloads to run hardcoded shell commands that created a MySQL dump and tar archives of local files (written into web-accessible paths), then cleaned up the artifacts; multiple such requests were observed between 3 and 11 February 2026. NVISO recommends checking EPMM instances for signs of compromise and, if an instance is infected, following remediation steps that include credential resets and rebuilds.
