Security researchers will start scanning Internet-exposed appliances, and that background noise will make it harder to tell “real” exploitation attempts from benign probes.
The warning comes from Ivanti and is aimed at users of its EPMM solution (Endpoint Manager Mobile, formerly MobileIron Core). Behind it lies the discovery of two critical vulnerabilities. One (CVE-2026-1281) affects the internal app distribution feature; the other (CVE-2026-1340) concerns the Android file-transfer configuration. They share the same severity score (9.8) and the same worst-case consequence: remote code execution without authentication.
Ivanti disclosed them on January 29, publishing a patch alongside its bulletin. The vendor stated that a “very limited number of customers” had been affected. A proof-of-concept (PoC) exploit appeared shortly afterwards.
“Treat every system as compromised”
The Dutch National Cyber Security Centre (NCSC-NL) is following the case closely, and its tone has grown more alarmed as the days have passed.
On February 2, the agency noted that CVE-2026-1281 was being actively exploited. It urged EPMM users to apply the fix, while warning that the patch alone might be insufficient if a system had already been compromised.
Two days later, NCSC-NL acknowledged that exploitation was “far more widespread than people thought.” It urged organizations simply to treat every system as compromised, and therefore to change all account passwords, rotate private keys, and monitor internal traffic.
In its latest update, dated February 9, it reports having identified several organizations at which the vulnerability had been exploited. Exploitation allows exfiltration of the MIFS (MobileIron File Service) database, and with it information on enrolled devices: notably IMEIs, phone numbers and SIM details, but also LDAP users, access tokens and Office 365 credentials.
Restore backups… or not
Meanwhile, NCSC-NL contributed to the development of an intrusion-detection script, which Ivanti released on February 6 alongside IoCs and defensive measures.
On instances compromised before the vulnerabilities were disclosed, investigators found malicious files in the root directory as well as in /tmp and /var/tmp. The file names were often just one or two characters with no extension, and the contents were sometimes compressed with 7z/LZMA2. The favicon file was also used to plant a webshell.
After disclosure, techniques diversified to the point that they are hard to capture in a single IoC list. Ivanti did observe a recurring pattern: files named like HTTP error pages, for example 401.jsp, created to host webshells.
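As an added illustration (this is not Ivanti's or NCSC-NL's detection script, whose internals the page does not show), the following Python hunts for the file-based indicators listed above: short extensionless drop files in the scanned directories, 7z archives, a favicon.ico that is not actually an image, JSP code in non-JSP files, and JSP files named like HTTP error pages. It builds a constructed sample tree in a temporary directory so it runs offline; the directory names, file contents and marker strings are assumptions chosen to mirror the reported patterns, not recovered artefacts. On a real appliance you would point scan() at /, /tmp, /var/tmp and the web root.

```python
"""Hunt for the file-based EPMM indicators described in the text (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: short extensionless drop files, 7z/LZMA2 blobs,
# webshells hidden in favicon.ico, and JSP files named like HTTP error pages (401.jsp).
ERROR_PAGE_NAME = re.compile(r"^[1-5]\d\d\.jspx?$", re.IGNORECASE)
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"          # 7-Zip archive signature
ICO_MAGIC = b"\x00\x00\x01\x00"               # what a real favicon.ico starts with ...
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"              # ... or a PNG served as favicon
EXEC_MARKERS = (b"Runtime.getRuntime", b"ProcessBuilder")  # command-execution primitives (assumed set)


def is_short_extensionless(name: str) -> bool:
    """One- or two-character file name with no extension, e.g. 'a' or 'x1'."""
    return 1 <= len(name) <= 2 and "." not in name


def inspect_file(path: Path) -> list[str]:
    """Return the indicators a single regular file matches; an empty list means none."""
    name = path.name
    try:
        head = path.read_bytes()[:65536]  # enough to see magic bytes and shell code
    except OSError:
        return []
    is_jsp = name.lower().endswith((".jsp", ".jspx"))
    reasons = []
    if is_short_extensionless(name):
        reasons.append("short extensionless name")
    if ERROR_PAGE_NAME.match(name):
        reasons.append("HTTP-error-page-style JSP name")
    if head.startswith(SEVENZ_MAGIC):
        reasons.append("7z archive")
    if name.lower() == "favicon.ico" and not head.startswith((ICO_MAGIC, PNG_MAGIC)):
        reasons.append("favicon is not an ICO/PNG image")
    if b"<%" in head and not is_jsp:
        reasons.append("JSP code inside a non-JSP file")
    if any(m in head for m in EXEC_MARKERS):
        reasons.append("command-execution primitive")
    return reasons


def scan(directories) -> dict[str, list[str]]:
    """Non-recursive sweep of each directory; returns {path: [indicators]} for hits only."""
    hits = {}
    for directory in directories:
        try:
            entries = list(os.scandir(directory))
        except OSError:
            continue
        for entry in entries:
            # Regular files only; symlinks are skipped so a planted link cannot redirect the scan.
            if entry.is_file(follow_symlinks=False):
                reasons = inspect_file(Path(entry.path))
                if reasons:
                    hits[entry.path] = reasons
    return hits


def build_sample_tree(base: Path) -> list[Path]:
    """Constructed sample data (not real forensic artefacts) mirroring the reported patterns."""
    root, tmp, www = base / "root", base / "tmp", base / "www"
    for d in (root, tmp, www):
        d.mkdir()
    webshell = b'<%@ page import="java.util.*" %><% Runtime.getRuntime().exec(request.getParameter("c")); %>'
    (root / "config.xml").write_bytes(b"<config/>")                  # benign
    (root / "favicon.ico").write_bytes(ICO_MAGIC + b"\x00" * 60)     # benign icon
    (root / "a").write_bytes(SEVENZ_MAGIC + b"\x00" * 32)            # short name + 7z blob
    (tmp / "README").write_bytes(b"maintenance notes\n")             # benign
    (tmp / "x1").write_bytes(webshell)                               # JSP shell, no extension
    (www / "index.jsp").write_bytes(b'<% out.println("ok"); %>')     # benign JSP
    (www / "401.jsp").write_bytes(webshell)                          # error-page-named shell
    (www / "favicon.ico").write_bytes(webshell)                      # shell hidden in favicon
    return [root, tmp, www]


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, scan it and return hits keyed by relative path."""
    with tempfile.TemporaryDirectory() as tmpdir:
        base = Path(tmpdir)
        hits = scan(build_sample_tree(base))
        return {Path(p).relative_to(base).as_posix(): r for p, r in hits.items()}


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {', '.join(reasons)}")
```

Treat the output as leads for triage, not verdicts: one- or two-character names in /tmp are also produced by legitimate tooling, and a vendor-shipped error page could carry a 401.jsp name. A favicon flagged as non-image, or a command-execution primitive in a file that should not contain code, is much stronger, and a compromised favicon should be compared against a known-good copy before being replaced. Where the script returns hits, the NCSC-NL guidance below about treating backups as suspect applies.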
As of February 6, the vendor recommended two options in case of compromise: restore from backups or VM snapshots, or build a new environment and migrate the data into it. It also advised changing the password of every local account and replacing the EPMM public certificate.
NCSC-NL, for its part, discourages restoration, on the grounds that the backups themselves may be compromised, especially if the detection script returns hits.
The European Commission, a probable victim
The patch causes no downtime, but it is not carried over when EPMM is upgraded to another version, so it has to be reapplied after such a change. Ivanti has promised to fold it into the next EPMM release, scheduled for “Q1 2026.”
The European Commission has not said it was among the victims, but on February 6 it reported the compromise of the central infrastructure used to manage its mobile endpoints. The attack is believed to have taken place on January 30 and to have been contained “within 9 hours”; it could have exposed names and phone numbers.