Critical Vulnerabilities in Ivanti EPMM Exploited
ID: 49597c12-cd0d-5d83-90b3-4ea932933c7f
STIX ID: report--49597c12-cd0d-5d83-90b3-4ea932933c7f
Feed Name: Palo Alto Networks Unit 42
Two critical, actively exploited zero-day remote code execution vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340) allow unauthenticated attackers to execute arbitrary commands on MDM servers. Unit 42 observed automated scans and widespread exploitation that resulted in reverse shells, JSP web shells, cryptominers, and installation of Nezha monitoring agents across multiple sectors and countries. Unit 42 also provided Indicators of Compromise and XQL detection queries, and urged immediate patching (Ivanti RPM 12.x.0.x or 12.x.1.x) and incident response engagement.
