Ivanti EPMM In-The-Wild Exploitation (CVE-2026-1281 & CVE-2026-1340)

On January 29th 2026, watchTowr Instinct flagged an Ivanti advisory that included emergency patches for two unauthenticated remote code execution vulnerabilities in their Endpoint Manager Mobile (EPMM) product.

At the time of the advisory release, Ivanti stated that a limited number of their customers had already been compromised, in what seems to have been a highly targeted attack.

Shortly after Ivanti’s advisory was released, the vulnerabilities were added to CISA’s KEV catalog.

The watchTowr Intel team immediately began to monitor our Attacker Eye global honeypot network for any signs of the vulnerability being exploited in the wild. watchTowr Intel exists to determine which new vulnerabilities will see real-world exploitation at scale, identify in-the-wild exploitation and monitor threat actor activity.

What the Vulnerability Is, Briefly

These two vulnerabilities affect Internet-exposed instances of Ivanti EPMM and enable unauthenticated remote code execution.

Ivanti products often sit at the network edge and maintain access to sensitive data and downstream systems, making them high-value targets for attackers. Ivanti products have also been repeatedly targeted in prior exploitation campaigns, reinforcing their operational attractiveness to threat actors.

Immediate patching is essential, along with a focused review for indicators of compromise.

– Both vulnerabilities are unauthenticated code injection flaws (CVE-2026-1281 & CVE-2026-1340)
– CVSS score: 9.8 for both vulnerabilities
– Limited active in-the-wild exploitation confirmed by Ivanti at time of disclosure
– Allow remote attackers to execute arbitrary commands without credentials
– Affect Internet-exposed EPMM instances
– Can be exploited via specific application endpoints, appstore and aftstore, associated with app distribution services

Neither authentication nor user interaction is required for exploitation.

What watchTowr Intel Uncovered

The vulnerability was first identified and prioritized by watchTowr Instinct, triggering enhanced monitoring by the watchTowr Intel team across Attacker Eye, our global honeypot network.

By 31 January, Attacker Eye had captured a material volume of exploitation evidence, including various post-exploitation artifacts.

The watchTowr Intel team confirmed:

– Attackers validated remote code execution against exposed systems
– External callback infrastructure was used to confirm successful compromise
– Activity escalated from testing to persistent backdoor deployment within hours
– Attackers established remote control capability on compromised systems
– Post-compromise activity indicated attempts to verify elevated privileges

Telemetry confirmed that:

– Internet-exposed systems were actively targeted
– Exploitation moved rapidly from validation to persistence
– The highest concentration of activity targeted Attacker Eye sensors presenting as U.S. based infrastructure

Exploitation Details

Attacker Eye captured the backdoors and web shells deployed by threat actors, enabling watchTowr Intel to proactively hunt across client environments for indicators of compromise and validated exposure.

The initial payload used a timing-based command execution technique (sleep 5) to confirm remote code execution. Multiple follow-up requests were issued to validate successful execution and eliminate false positives.

Within minutes, additional activity from a separate IP leveraged an out-of-band callback technique to confirm outbound connectivity from the compromised host.

Approximately one hour later, activity shifted from validation to active compromise.

We observed:

– Direct command execution attempts writing output to web-accessible locations (403.jsp)
– Creation of temporary staging files named .1
– Incremental assembly of a hex-encoded payload
– Decoding of that payload into a JSP web shell written to 401.jsp
– Cleanup of staging artifacts
– Attempts to set the SUID bit on /bin/sh, indicating privilege validation

The sequence reflects a structured post-exploitation workflow: validate execution, establish persistence, confirm privilege level.

Decoded payload analysis confirmed deployment of the Behinder web shell using the default encryption key 45e329feb5d925b.
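The sequence above maps cleanly onto a log-triage check. The following is an added example, not Ivanti or watchTowr code: it scans constructed Apache-style access-log lines for requests to the appstore/aftstore endpoints that carry the artefacts named in this post (a sleep-based timing probe, writes to 403.jsp/401.jsp, .1 staging files, long hex runs, a setuid change on /bin/sh, and the Behinder key string exactly as printed above), groups hits by source IP and collapses them into the validate/persist/privilege-check workflow. The log format, the `/appstore` and `/aftstore` paths, the parameter name `x` and every IP address are placeholders; the real EPMM request vector is deliberately not reproduced.

```python
"""Added example (not Ivanti or watchTowr code): triage web access-log lines for
the post-exploitation sequence described in the writeup. Log format, URIs, the
parameter name "x" and all IP addresses are constructed placeholders; the real
EPMM request vector is deliberately not reproduced."""
import re
from urllib.parse import unquote_plus

# Endpoint names taken from the advisory text; the paths around them are assumed.
EPMM_ENDPOINTS = ("appstore", "aftstore")

# One regex per artefact named in the writeup, applied to the URL-decoded request.
SIGNATURES = {
    "timing_validation": re.compile(r"\bsleep\s+\d+"),                  # sleep N probe
    "jsp_output_write": re.compile(r"40[13]\.jsp"),                      # 403.jsp / 401.jsp
    "staging_file": re.compile(r"(^|[\s/>])\.1(\s|$)"),                  # temp file named .1
    "hex_payload": re.compile(r"(?:[0-9a-fA-F]{2}){24,}"),               # 48+ hex chars in a row
    "suid_on_sh": re.compile(r"chmod\s+(?:[ug]\+s|[4-7][0-7]{3})\s+\S*/bin/sh"),
    "behinder_key": re.compile(r"45e329feb5d925b"),                      # key string as printed above
}

# Apache/NGINX combined-style access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log mirroring the observed sequence (timestamps and IPs are fictional).
SAMPLE_LOG = [
    '203.0.113.10 - - [30/Jan/2026:10:14:02 +0000] "GET /appstore?x=sleep%205 HTTP/1.1" 200 12',
    '203.0.113.10 - - [30/Jan/2026:10:14:09 +0000] "GET /appstore?x=sleep%205 HTTP/1.1" 200 12',
    '198.51.100.7 - - [30/Jan/2026:11:20:31 +0000] "GET /aftstore?x=id+%3E+/webroot/403.jsp HTTP/1.1" 200 12',
    '198.51.100.7 - - [30/Jan/2026:11:21:04 +0000] "GET /aftstore?x=echo+'
    'deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef+%3E%3E+.1 HTTP/1.1" 200 12',
    '198.51.100.7 - - [30/Jan/2026:11:21:40 +0000] "GET /aftstore?x=xxd+-r+-p+.1+%3E+401.jsp HTTP/1.1" 200 12',
    '198.51.100.7 - - [30/Jan/2026:11:21:55 +0000] "GET /aftstore?x=rm+-f+.1 HTTP/1.1" 200 12',
    '198.51.100.7 - - [30/Jan/2026:11:22:10 +0000] "GET /aftstore?x=chmod+u%2Bs+/bin/sh HTTP/1.1" 200 12',
    '192.0.2.5 - - [30/Jan/2026:11:30:00 +0000] "GET /appstore/catalog HTTP/1.1" 200 4096',   # benign
    '192.0.2.5 - - [30/Jan/2026:11:31:00 +0000] "GET /other?x=sleep%205 HTTP/1.1" 404 0',     # not an EPMM endpoint
]


def classify(line):
    """Return (ip, decoded_uri, set_of_tags) for one log line, or None when the
    line is unparseable or does not touch the app-distribution endpoints."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = unquote_plus(m.group("uri"))          # decode %XX and '+' before matching
    if not any(ep in uri for ep in EPMM_ENDPOINTS):
        return None
    tags = {name for name, rx in SIGNATURES.items() if rx.search(uri)}
    return m.group("ip"), uri, tags


def triage(lines):
    """Group tagged requests by source IP: {ip: sorted list of tags}."""
    by_ip = {}
    for line in lines:
        hit = classify(line)
        if hit is None or not hit[2]:
            continue
        ip, _, tags = hit
        by_ip.setdefault(ip, set()).update(tags)
    return {ip: sorted(tags) for ip, tags in by_ip.items()}


def escalation_stage(tags):
    """Collapse an IP's tags into the coarse workflow from the writeup:
    validate execution -> establish persistence -> confirm privilege level."""
    tags = set(tags)
    if "suid_on_sh" in tags:
        return "privilege_check"
    if tags & {"jsp_output_write", "hex_payload", "behinder_key"}:
        return "persistence"
    if "timing_validation" in tags:
        return "validation"
    return "none"


if __name__ == "__main__":
    for ip, tags in triage(SAMPLE_LOG).items():
        print(f"{ip}: stage={escalation_stage(tags)} tags={tags}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; the tags are intentionally coarse, so treat any IP that reaches `persistence` or `privilege_check` as a host to image, not merely to patch.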

What Security Teams Need to Do

This is an executive exposure decision, not a technical tuning exercise.

Security leaders must answer one question immediately:

Could an attacker reach a vulnerable Ivanti EPMM system from the Internet?

Directional actions:

– Identify all externally exposed Ivanti EPMM instances
– Apply vendor patches for CVE-2026-1281 and CVE-2026-1340
– Validate whether affected endpoints are accessible without authentication
– Treat Internet exposure as active risk while exploitation continues
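Patching closes the door, but an already-compromised appliance keeps its web shell. As a host-side complement to the log review, here is an added example (not Ivanti's or watchTowr's tooling) of a POSIX shell triage script that looks for the artefacts named in this post on an appliance: 401.jsp and 403.jsp under the web root, leftover .1 staging files, the Behinder key string as printed above, and a set-user-ID bit on /bin/sh. The web root path is an assumption supplied by the operator via `EPMM_WEBROOT`; the script does not know Ivanti's real deployment layout.

```shell
#!/bin/sh
# Added example: host-side triage for the artefacts described in the writeup.
# Usage: EPMM_WEBROOT=/path/to/webroot sh epmm_triage.sh
# The web root is an operator-supplied assumption, not a path from the advisory.

# Dropped JSP files named in the writeup (403.jsp command output, 401.jsp web shell).
find_dropped_jsp() {
  find "$1" -type f \( -name '401.jsp' -o -name '403.jsp' \) 2>/dev/null || true
}

# Temporary staging files named ".1" left behind by the payload assembly.
find_staging_files() {
  find "$1" -type f -name '.1' 2>/dev/null || true
}

# Files containing the Behinder key string exactly as printed in the writeup.
find_behinder_key() {
  grep -rl '45e329feb5d925b' "$1" 2>/dev/null || true
}

# True when the given binary carries the set-user-ID bit (the /bin/sh check).
sh_is_suid() {
  [ -u "$1" ]
}

# Print each finding and, on the last line, the number of indicator categories hit.
epmm_triage() {
  webroot="$1"; shbin="${2:-/bin/sh}"; n=0
  jsp=$(find_dropped_jsp "$webroot")
  if [ -n "$jsp" ]; then printf 'dropped JSP:\n%s\n' "$jsp"; n=$((n+1)); fi
  staging=$(find_staging_files "$webroot")
  if [ -n "$staging" ]; then printf 'staging files:\n%s\n' "$staging"; n=$((n+1)); fi
  keyed=$(find_behinder_key "$webroot")
  if [ -n "$keyed" ]; then printf 'Behinder key present in:\n%s\n' "$keyed"; n=$((n+1)); fi
  if sh_is_suid "$shbin"; then printf 'SUID bit set on %s\n' "$shbin"; n=$((n+1)); fi
  echo "$n"
}

# Count-only wrapper for scripting: prints just the number of categories hit.
indicator_count() {
  epmm_triage "$1" "$2" | tail -n 1
}

if [ -n "${EPMM_WEBROOT:-}" ]; then
  epmm_triage "$EPMM_WEBROOT" "${EPMM_SH:-/bin/sh}"
fi
```

A non-zero count is a reason to preserve the appliance for forensics before rebuilding; a zero count only says these particular artefacts are absent, not that the host is clean.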

Speed determines outcome when exploitation begins before remediation cycles complete.


If you operate Ivanti EPMM, and need urgent support to understand your exposure across your attack surface, please reach out via the watchTowr website or through any of our trusted and authorized partners.

Request a demo to see how the watchTowr Platform delivers what no one else can: time to respond.
