AttackFeed by Joe Wagner | Cybersecurity News from Across the Internet

Fallout from latest Ivanti zero-days spreads to nearly 100 victims – CyberScoop

Posted on February 9, 2026 By Matt Kapko

Ivanti customers, including major government agencies, face mounting pressure as attackers expand their scope of targets to exploit a pair of vulnerabilities the vendor disclosed last week after in-the-wild attacks had already occurred.

The Netherlands’ Dutch Data Protection Authority and the Council for the Judiciary confirmed both agencies were impacted by attacks linked to the Ivanti Endpoint Manager Mobile (EPMM) zero-day vulnerabilities, according to a notice sent to the country’s parliament Friday. The European Commission also said it found evidence of a cyberattack on its “central infrastructure managing mobile devices,” but it did not identify the vendor in a statement Thursday.

The attacks were publicly disclosed as researchers and threat hunters scrambled to assess the fallout and observed consistent waves of attacks linked to the Ivanti defects. As of Monday afternoon, Shadowserver scans identified 86 compromised instances based on artifacts of exploitation, Piotr Kijewski, CEO of the nonprofit, told CyberScoop.

Researchers last week warned that attacks involving the Ivanti zero-days would spread, repeating a common pattern following the vendor’s disclosure and a third party’s release of exploit code. The vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — each carry a CVSS rating of 9.8 and allow unauthenticated users to execute code remotely in Ivanti EPMM.

Ivanti said a “very limited number of customers” were exploited before it disclosed the defects in a Jan. 29 security advisory, but has declined multiple requests to provide an updated victim count. 

The company released indicators of compromise and a detection script Friday to help customers hunt for potential impact, and thanked The Netherlands’ National Cyber Security Centre for contributing to the script’s development. “We are collaborating closely with our customers as well as trusted government and security partners,” a spokesperson for Ivanti said in a statement.

Attackers of various intents and origins are still compromising additional Ivanti EPMM instances, Kijewski said. Shadowserver is using initial artifacts provided by Saudi Arabia’s National Cybersecurity Authority to scan for webshells and other signs of exploitation, including system commands.

“These artifacts are likely not linked to the initial threat actor targeting the vulnerability. It is likely, however, these instances were compromised by multiple actors by now,” Kijewski said. “More is happening than what we are able to observe.”

Nearly 1,300 instances of Ivanti EPMM are still exposed to the internet, but it’s unknown how many of those are vulnerable or already compromised, according to Shadowserver.

Other researchers who have been tracking the vulnerabilities have also found evidence of heightened malicious activity targeting potential victims.

During a 24-hour period, Rapid7’s Ivanti EPMM honeypot “recorded hundreds of inbound traffic connections from more than 130 unique IP addresses, with 58% directly attempting exploitation of the latest Ivanti EPMM vulnerabilities,” said Christiaan Beek, the company’s senior director of threat intelligence and analytics. 

Beek emphasized that the dominant payloads observed by Rapid7’s honeypot were not attributed to researchers, but rather built to gain rapid control via reverse shells, webshell deployment attempts and automated payload droppers. 

Ivanti has thus far declined to say when and how it first became aware of the vulnerabilities or when the first known date of exploitation occurred.

Attacks involving Ivanti defects are a recurring problem for the vendor’s customers and security practitioners at large.

The Cybersecurity and Infrastructure Security Agency has flagged 31 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 19 defects across Ivanti products have been exploited in the past two years.

The post Fallout from latest Ivanti zero-days spreads to nearly 100 victims appeared first on CyberScoop.
