Ivanti EPMM Zero-Day Exploit Frenzy
2026-02-17 20:35 | CRITICAL | HIGH
Executive Summary (AI-generated)
The threat landscape is rapidly evolving, with two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, being actively exploited in the wild. Ivanti Endpoint Manager Mobile (EPMM) is the targeted product, with enterprise mobile fleets and corporate networks bearing the brunt of these attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, emphasizing the need for swift action from organizations worldwide. Palo Alto Networks customers are advised to take immediate measures to protect themselves against these exploits, including applying the patches and consulting Ivanti's security advisory. The threat actors' accelerated operations highlight the importance of vigilance and proactive defense in maintaining a robust cybersecurity posture.
Technical Mitigations (AI-generated)
* Apply the latest version of Ivanti EPMM: Ensure that your enterprise mobile fleets and corporate networks use the most up-to-date RPM versions (e.g., RPM 12.x.0.x or RPM 12.x.1.x) to patch CVE-2026-1281 and CVE-2026-1340 vulnerabilities.
* Restrict file system access: Protect the mobile device management (MDM) infrastructure from unauthorized file system access, for example through encrypted storage or secure containerization (e.g., Docker).
* Monitor for suspicious activity and implement incident response plans: Establish an incident response plan that includes monitoring for suspicious activity, such as unusual login attempts or changes in MDM configuration. Engage with a security expert or Unit 42 Incident Response team if you suspect a compromise.
* Regularly update and patch software components: Regularly update and patch all software components, including Apache web servers, to ensure that known vulnerabilities are addressed before they can be exploited by attackers.
* Use secure communication protocols (e.g., HTTPS): Ensure that mobile device management infrastructure is communicating securely over the internet using HTTPS. This will help prevent man-in-the-middle attacks and protect sensitive data in transit.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Spark; CVE-2026-1281; CVE-2026-1340; CVE-2026-12821
Target regions: NORDICS; BENELUX; FIVE_EYES
Target sectors: healthcare; defense; legal; government; manufacturing; technology
Incident Timeline
Jan. 20
Threat actors exploited critical vulnerabilities in Ivanti EPMM.
Source: Ivanti Bugs Spark Fresh Wave of Cyberattacks. On Jan. 20, the European Commission unveiled a revised Cybersecurity Act.
January 2026
The threat actors used a command to target vulnerable Ivanti EPMM servers by setting the st parameter in Apache RewriteMap configurations to the string "theValue".
Ivanti's January 2026 security advisory recommends that customers apply either RPM 12.x.0.x or RPM 12.x.1.x, depending on their version. No downtime is required to apply the patch, and Ivanti is not aware of any feature functionality impact with this patch.
Palo Alto Networks customers are better protected from CVE-2026-1281 and CVE-2026-1340 through the products described below. Palo Alto Networks also recommends referring to Ivanti's security advisory, released in January 2026.
Details of CVE-2026-1281
CVE-2026-1281 (CVSS 9.8) is a critical remote code execution (RCE) vulnerability in Ivanti EPMM.
The vulnerable component in Ivanti EPMM uses Apache RewriteMap configurations that point to bash scripts located at /mi/bin/map-appstore-url.
Details of CVE-2026-1340
CVE-2026-1340 (CVSS 9.8) impacts the Ivanti Android File Transfer mechanism.
We have seen attackers target vulnerable Ivanti EPMM servers with a command delivered through the URL pattern shown in Figure 1.
Figure 1. Format of command targeting vulnerable Ivanti EPMM servers.
In some instances, attackers attempted to bypass authentication on Ivanti's MobileIron platform and immediately download and run a second-stage payload (the /slt script).
Ivanti’s recommendation remains the same: Customers who have not yet patched should do so immediately, and then review their appliance for any signs of exploitation that may have occurred prior to patching.
Ivanti has provided customers with high‑fidelity indicators of compromise, technical analysis at disclosure, and an Exploitation Detection script developed with NCSC‑NL, and continues to support customers as they respond to this threat.
If Ivanti EPMM logs are being ingested into Cortex XDR or XSIAM, the following query can be used to identify signs of exploitation. This query identifies HTTP(S) requests logged within Ivanti EPMM (formerly MobileIron) logs that match exploitation URI parameters.
dataset = <ENTER_DATASET_NAME_FOR_IVANTI_EPMM>
| fields _time, _raw_log, _reporting_device_ip, _broker_hostname
| alter log_type = arrayindex(regextract(_raw_log, "^[^\+]+\+\d{2}:\d{2}\s[^\s]+\s([^\s]+)\s"), 0)
| filter log_type in ("https_request", "https_access", "http_request", "https_access")
| alter EPMM_Version = arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=([^,]+)"), 0),
    HTTP_Request_src_ip = if(log_type in ("https_request", "http_request"),
        arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^,]+),[^\s]+\s([^\s]+)"), 0),
        arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^,]+),([^:]+)"), 0)),
    HTTP_Method = arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(GET|POST|PUT)"), 0),
    HTTP_Request_URI = arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+([^\"]+)"), 0),
    HTTP_response_Code = arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+(?:[^\"]+)\"\s+([1-5]\d\d)"), 0),
    Attempted_command_execution = arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+(?:[^=]*=)+gPath([^\s]+)"), 0)
| filter HTTP_Request_URI ~= "\/mifs\/c\/(?:app|aft)store\/fob" AND HTTP_Request_URI ~= "\=gPath"
| fields _time, log_type, EPMM_Version, HTTP_Request_src_ip, HTTP_Method, HTTP_Request_URI, HTTP_response_Code, Attempted_command_execution
| sort asc _time
// Description: This query identifies HTTP(S) requests logged by NGFW that match Ivanti EPMM exploitation URI parameters.
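As an added illustration (my own code, not from the page, Unit 42 or Palo Alto Networks), the following Python reproduces the query's field extraction and its final filter over constructed log lines, so the detection logic can be checked offline before the dataset name is filled in. The layout of the sample lines, the host name and the addresses are assumptions chosen only to satisfy the query's regular expressions; the text after gPath is a placeholder, not an observed payload; TIME_RE is my addition to emulate the sort.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Regular expressions taken verbatim from the XQL query above; Python's re accepts them unchanged.
LOG_TYPE_RE = re.compile(r"^[^\+]+\+\d{2}:\d{2}\s[^\s]+\s([^\s]+)\s")
VERSION_RE = re.compile(r"^(?:[^P]*P)+RODUCT=([^,]+)")
SRC_IP_REQUEST_RE = re.compile(r"^(?:[^P]*P)+RODUCT=(?:[^,]+),[^\s]+\s([^\s]+)")
SRC_IP_ACCESS_RE = re.compile(r"^(?:[^P]*P)+RODUCT=(?:[^,]+),([^:]+)")
METHOD_RE = re.compile(r"^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(GET|POST|PUT)")
URI_RE = re.compile(r"^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+([^\"]+)")
STATUS_RE = re.compile(
    r"^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+(?:[^\"]+)\"\s+([1-5]\d\d)")
GPATH_RE = re.compile(
    r"^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+(?:[^=]*=)+gPath([^\s]+)")
# The two conditions of the query's final filter; both must hold for a hit.
TARGET_URI_RE = re.compile(r"\/mifs\/c\/(?:app|aft)store\/fob")
GPATH_MARKER_RE = re.compile(r"\=gPath")
# Not part of the query: the leading timestamp, used here to emulate "sort asc _time".
TIME_RE = re.compile(r"^([^\+]+\+\d{2}:\d{2})")

REQUEST_TYPES = ("https_request", "http_request")
ACCESS_TYPES = ("https_access",)


@dataclass
class EpmmRequest:
    time: str
    log_type: str
    epmm_version: Optional[str]
    src_ip: Optional[str]
    method: Optional[str]
    uri: Optional[str]
    status: Optional[str]
    attempted_command: Optional[str]


def _capture(pattern: re.Pattern, line: str) -> Optional[str]:
    """Equivalent of arrayindex(regextract(_raw_log, pattern), 0): first capture group or None."""
    match = pattern.search(line)
    return match.group(1) if match else None


def parse_line(line: str) -> Optional[EpmmRequest]:
    """Derive the same fields as the query's alter stages; None for log types the query drops."""
    log_type = _capture(LOG_TYPE_RE, line)
    if log_type not in REQUEST_TYPES + ACCESS_TYPES:
        return None
    # *_request lines carry "<field> <src_ip>" after the version; *_access lines carry "<src_ip>:<port>".
    ip_pattern = SRC_IP_REQUEST_RE if log_type in REQUEST_TYPES else SRC_IP_ACCESS_RE
    return EpmmRequest(
        time=_capture(TIME_RE, line) or "",
        log_type=log_type,
        epmm_version=_capture(VERSION_RE, line),
        src_ip=_capture(ip_pattern, line),
        method=_capture(METHOD_RE, line),
        uri=_capture(URI_RE, line),
        status=_capture(STATUS_RE, line),
        attempted_command=_capture(GPATH_RE, line),
    )


def is_exploitation_attempt(req: EpmmRequest) -> bool:
    """The query's final filter: the appstore/aftstore 'fob' endpoint AND a '=gPath' parameter."""
    if req.uri is None:
        return False
    return bool(TARGET_URI_RE.search(req.uri) and GPATH_MARKER_RE.search(req.uri))


def hunt(lines: Iterable[str]) -> List[EpmmRequest]:
    """Run the detection over raw syslog lines and return the matches ordered by time."""
    hits = [req for req in map(parse_line, lines) if req and is_exploitation_attempt(req)]
    return sorted(hits, key=lambda r: r.time)


# Constructed sample lines (assumed layout, chosen only to satisfy the regexes above):
# "<timestamp+HH:MM> <host> <log_type> PRODUCT=<version>,<...> \"<METHOD> <uri> HTTP/1.1\" <status>".
# The value after gPath is a placeholder, not an observed payload.
SAMPLE_LOGS = [
    '2026-01-21T09:12:03.100+00:00 epmm01 https_request PRODUCT=12.5.0.0,- 198.51.100.20 '
    '"GET /mifs/login.jsp HTTP/1.1" 200',                      # ordinary request, ignored
    '2026-01-21T09:13:40.000+00:00 epmm01 https_request PRODUCT=12.5.0.0,- 198.51.100.21 '
    '"GET /mifs/c/appstore/fob?id=42 HTTP/1.1" 200',           # target path but no =gPath
    '2026-01-21T09:14:55.250+00:00 epmm01 https_request PRODUCT=12.5.0.0,- 203.0.113.7 '
    '"GET /mifs/c/appstore/fob?v=gPath_CONSTRUCTED_SAMPLE HTTP/1.1" 404',
    '2026-01-21T09:10:10.000+00:00 epmm01 https_access PRODUCT=12.5.0.0,203.0.113.7:51234 '
    '"POST /mifs/c/aftstore/fob?a=1&b=gPath_CONSTRUCTED_SAMPLE HTTP/1.1" 404',
    '2026-01-21T09:15:00.000+00:00 epmm01 system PRODUCT=12.5.0.0,- service restarted',  # dropped
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f"{hit.time} {hit.log_type:<13} {hit.src_ip or '?':<15} {hit.method} {hit.uri} "
              f"-> {hit.status}, gPath argument: {hit.attempted_command}")
```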
Cortex Xpanse
Cortex Xpanse has the ability to identify exposed Ivanti EPMM devices on the public internet and escalate these findings to defenders. Customers can enable alerting on this risk by ensuring that they've enabled the Ivanti Endpoint Manager Mobile (MobileIron Core) Attack Surface Rule.
Botnet Activity
We observed attackers downloading a Nezha monitoring agent, an open-source server monitoring utility. They downloaded this tool with specific parameters to fetch from Gitee if the victim's location is China, ensuring the largest possible victim base irrespective of location.
Unit 42 Managed Threat Hunting Queries
The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit these CVEs across our customers, using Cortex XDR and the XQL queries on this page.
Current Scope of the Exploitation
Unit 42 has observed widespread and mostly automated exploitation attempts of CVE-2026-1281 and CVE-2026-1340.
Web Shell Activity
We observed threat actors attempt to install a lightweight JSP web shell with names like 401.jsp, 403.jsp and 1.jsp at filepath /mi/tomcat/webapps/mifs/ across various intended targets.
The map-appstore-url scripts are designed to process URLs for the In-House Application Distribution feature.
Variable pointing: The attacker sets the st parameter to the string theValue (padded with spaces to meet length requirements).
If the connection hangs for exactly five seconds before returning an error (e.g., a 404 error), the attacker knows they have achieved RCE and will follow up immediately with malicious payloads.
Applying the patch is the most effective way to prevent exploitation, regardless of how IOCs change over time, especially once a POC is available.
The EPMM version number is also extracted (as EPMM_Version) to provide additional context for security teams to identify if their software version is vulnerable.
Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members.
Next-Generation Firewalls With Advanced Threat Prevention
Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attacks via the following Threat Prevention signature: 96919.
Cloud-Delivered Security Services for the Next-Generation Firewall
Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
Identified findings can be viewed in the incident view of Expander. These findings are also available for Cortex XSIAM customers who have purchased the ASM module.
Jan. 29
Valtori exploited a vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) solution to breach the company.
On Jan. 29, Ivanti disclosed two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) solution, and released a temporary patch to cover them.
Jan. 30
Threat actors exploited critical vulnerabilities in Ivanti EPMM.
On Jan. 30, the European Commission fell victim to a cyberattack against its "central infrastructure managing mobile devices."
Feb. 5
Valtori disclosed its incident on February 5.
Both Valtori and the European Commission disclosed their incidents on Feb. 5.
Feb. 6
Threat actors exploited critical vulnerabilities in Ivanti EPMM and targeted the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr).
On Feb. 6, two government agencies in the Netherlands — the Dutch Data Protection Authority (AP), and the Council for the Judiciary (Rvdr) — also copped to their own breaches, and were more forthcoming in naming Ivanti EPMM as the culprit.
around Feb. 9
Shadowserver tracked another more voluminous wave of attempted attacks against Ivanti EPMM around February 9.
Following what appeared like a coordinated campaign against European governments, Shadowserver tracked another more voluminous wave of attempted attacks against Ivanti EPMM, concentrated around Feb. 9.
Feb. 12
The IP address behind the exploitation spike was still active on Feb. 12, indicating potential ongoing exposure to the exploited vulnerabilities.
Greynoise informed Dark Reading that as of the time of publication, Feb. 12, that IP address was "still active in general."
Feb. 13
Threat actors exploited critical vulnerabilities in Ivanti EPMM to target the European Commission.
This story was updated at 8:30 a.m. ET on Feb. 13 to reflect a statement from Ivanti, the names of two Dutch government agencies, and confirmation that Ivanti EPMM was the target in the attacks against the European Commission.
2026-02-17
Threat actors are exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) to target enterprise mobile fleets and corporate networks.
Source: Critical Vulnerabilities in Ivanti EPMM Exploited.
Executive Summary
Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, affecting enterprise mobile fleets and corporate networks.
Replace <ENTER_DATASET_NAME_FOR_IVANTI_EPMM> in the XQL query above with the actual name of your Ivanti EPMM syslog dataset.
Source: Ivanti EPMM Zero-Day Bugs Spark Exploit Frenzy — Again.
Perhaps the public warning lit a fire under the threat actors who'd discovered CVE-2026-1281 and CVE-2026-1340 before Ivanti did.
Consider, for instance, a perfectly legitimate company like Ivanti. Over and over again, foreign attackers find and exploit critical zero-day vulnerabilities in Ivanti products.
Researchers at Greynoise found that none of the indicators of compromise (IoCs) published by Ivanti itself actually aligned with this spike in exploitation, tracing 83% of it to a single IP address from a bulletproof hosting service instead.
In practice, organizations appear to be either unable or unwilling to do all that, as evidenced by how often even capable, well-resourced, and highly sensitive organizations fall victim to Ivanti attackers.
Which raises the question: If your parachute reliably failed once every few months or so, you probably wouldn't go skydiving with it, so why do high-level organizations continue to rely on Ivanti?
Part of the reason, says Benjamin Harris, CEO of watchTowr, is that "Ripping out tech like Ivanti isn't as easy as it sounds."
An Ivanti spokesperson provided the following statement to Dark Reading:
"Ivanti's recommendation remains the same: customers who have not yet patched should do so immediately, and then review their appliance for any signs of exploitation that may have occurred prior to patching. Ivanti has provided customers with high fidelity indicators of compromise, technical analysis at disclosure, and an Exploitation Detection script developed with NCSC NL, and continues to support customers as we respond to this threat."
Deemed CVE-2026-1281 and CVE-2026-1340, the issues were similar in nature, both allowing for remote code execution (RCE), both assigned 9.8 out of 10 scores on the Common Vulnerability Scoring System (CVSS) scale.
These vulnerabilities allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials.
Palo Alto Networks Cortex Xpanse has identified the presence of over 4,400 EPMM instances in our telemetry.
That same day, researchers at watchTowr publicly described a proof-of-concept (PoC) exploit.
Attacks against edge devices have been steadily ramping up for nearly three years, tripping up multiple vendors in the process: Fortinet has endured a number of attacks against its products; SonicWall's edge devices contended with zero-days; and WatchGuard's firewall was hit more recently with a zero-day.
They are deeply embedded across their 40,000 enterprise client base, providing remote access, mobile device management, patching, endpoint management, and other solutions.
Feb. 23, 2026
Threat actors exploited critical vulnerabilities in Ivanti EPMM.
Updated Feb. 23, 2026 at 9:45 a.m. PT to update Indicators of Compromise section.
observable
401.jsp
[subdomain].gobygo[.]net
[subdomain].introo[.]sh
[subdomain].ngrok-free[.]app
[subdomain].main[.]interacth3[.]io
[subdomain].ddns[.]1433[.]eu[.]org
[subdomain].oast[.]live
[subdomain].oast[.]me
[subdomain].oast[.]site
[subdomain].eyes[.]sh
[subdomain].requestrepo[.]com
[subdomain].ceye[.]io
interact[.].gateway[.]horizon3ai[.]com
hxxp://152[.]32[.]173[.]138/U26d86f1899513347.5b5b0c1b
hxxp://64[.]7[.]199[.]177:18899
zeetcckhtudizieudqyck5o4ez16y973h[.]oast[.]fun/
hxxp://152[.]32[.]173[.]138/U5213b63dda61af48.0F3Ab3D3
hxps://e598292a5fbd[.]ngrok-free[.]app/
/mi/tomcat/webapps/mifs/401.jsp
/mi/tomcat/webapps/mifs/403.jsp
/mi/tomcat/webapps/mifs/1.jsp
agent[.]sh
/mi/tomcat/webapps/mifs/css/test.css
/mi/tomcat/webapps/mifs/css/poc.css
/mi/tomcat/webapps/mifs/css/cssaaa.css
/mi/tomcat/webapps/mifs/css/login.css
Updated Feb. 23, 2026 at 9:45 a.m. PT to update Indicators of Compromise section.
observable
1.jsp
[subdomain].gobygo[.]net
[subdomain].introo[.]sh
[subdomain].ngrok-free[.]app
[subdomain].main[.]interacth3[.]io
[subdomain].ddns[.]1433[.]eu[.]org
[subdomain].oast[.]live
[subdomain].oast[.]me
[subdomain].oast[.]site
[subdomain].eyes[.]sh
[subdomain].requestrepo[.]com
[subdomain].ceye[.]io
interact[.].gateway[.]horizon3ai[.]com
hxxp://152[.]32[.]173[.]138/U26d86f1899513347.5b5b0c1b
hxxp://64[.]7[.]199[.]177:18899
zeetcckhtudizieudqyck5o4ez16y973h[.]oast[.]fun/
hxxp://152[.]32[.]173[.]138/U5213b63dda61af48.0F3Ab3D3
hxps://e598292a5fbd[.]ngrok-free[.]app/
/mi/tomcat/webapps/mifs/401.jsp
/mi/tomcat/webapps/mifs/403.jsp
/mi/tomcat/webapps/mifs/1.jsp
agent[.]sh
/mi/tomcat/webapps/mifs/css/test.css
/mi/tomcat/webapps/mifs/css/poc.css
/mi/tomcat/webapps/mifs/css/cssaaa.css
/mi/tomcat/webapps/mifs/css/login.css
Updated Feb. 23, 2026 at 9:45 a.m. PT to update Indicators of Compromise section.
Critical Vulnerabilities in Ivanti EPMM Exploited.
Executive Summary
Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, impacting enterprise mobile fleets and corporate networks.
Palo Alto Networks customers are better protected from CVE-2026-1281 and CVE-2026-1340 through the following products:
Palo Alto Networks also recommends referring to Ivanti's security advisory, released in January 2026.
In its security advisory, Ivanti recommends applying either RPM 12.x.0.x or RPM 12.x.1.x, depending on the installed version.
No downtime is required to apply the patch, and Ivanti is not aware of any feature functionality impact with this patch.
Details of CVE-2026-1281
CVE-2026-1281 (CVSS 9.8) is a critical remote code execution (RCE) vulnerability in Ivanti EPMM.
The vulnerable component in Ivanti EPMM uses Apache RewriteMap configurations that point to bash scripts located at /mi/bin/map-appstore-url.
Details of CVE-2026-1340
CVE-2026-1340 (CVSS 9.8) impacts the Ivanti Android File Transfer mechanism.
We have seen the following command used to target vulnerable Ivanti EPMM servers via the URL pattern shown in Figure 1.
Figure 1. Format of command targeting vulnerable Ivanti EPMM servers.
In some instances, attackers attempted to bypass authentication on Ivanti's MobileIron platform and immediately download and run a second-stage payload (the /slt script).
A January 2026 Ivanti security advisory recommends their customers apply either RPM 12.x.0.x or RPM 12.x.1.x, depending on their version.
Ivanti’s recommendation remains the same: Customers who have not yet patched should do so immediately, and then review their appliance for any signs of exploitation that may have occurred prior to patching.
Ivanti has provided customers with high‑fidelity indicators of compromise, technical analysis at disclosure, and an Exploitation Detection script developed with NCSC‑NL, and continues to support customers as they respond to this threat.
If Ivanti EPMM logs are being ingested into Cortex XDR or XSIAM, the following query can be used to identify signs of exploitation.
This query identifies HTTP(S) requests logged within Ivanti EPMM (Formerly MobileIron) logs that match exploitation URI parameters.
Replace <ENTER_DATASET_NAME_FOR_IVANTI_EPMM> with the actual name of your Ivanti EPMM syslog dataset.
dataset = <ENTER_DATASET_NAME_FOR_IVANTI_EPMM>
| fields _time, _raw_log, _reporting_device_ip, _broker_hostname
| alter log_type = arrayindex(regextract(_raw_log, "^[^\+]+\+\d{2}:\d{2}\s[^\s]+\s([^\s]+)\s"), 0)
| filter log_type in ("https_request", "https_access", "http_request", "https_access")
| alter EPMM_Version = arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=([^,]+)"), 0),
    HTTP_Request_src_ip = if(log_type in ("https_request", "http_request"),
        arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^,]+),[^\s]+\s([^\s]+)"), 0),
        arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^,]+),([^:]+)"), 0)),
    HTTP_Method = arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(GET|POST|PUT)"), 0),
    HTTP_Request_URI = arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+([^\"]+)"), 0),
    HTTP_response_Code = arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+(?:[^\"]+)\"\s+([1-5]\d\d)"), 0),
    Attempted_command_execution = arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+(?:[^=]*=)+gPath([^\s]+)"), 0)
| filter HTTP_Request_URI ~= "\/mifs\/c\/(?:app|aft)store\/fob" AND HTTP_Request_URI ~= "\=gPath"
| fields _time, log_type, EPMM_Version, HTTP_Request_src_ip, HTTP_Method, HTTP_Request_URI, HTTP_response_Code, Attempted_command_execution
| sort asc _time
// Description: This query identifies HTTP(S) requests logged by NGFW that match Ivanti EPMM exploitation URI parameters.
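For teams that do not ingest EPMM logs into Cortex but want to run the same hunt over exported syslog, here is the query's extraction and filtering logic rewritten in Python. This is an added example, not code from Unit 42 or from the original page. The regular expressions are copied verbatim from the query; the three log lines, the host name epmm01, the IP addresses and the gPath argument are constructed placeholders laid out to satisfy those regexes, and taking _time from the line's first token is an assumption about the syslog layout.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regular expressions copied from the Cortex XQL query above. Every HTTP field
# is located relative to the "PRODUCT=" token of the EPMM syslog line.
LOG_TYPE_RE = re.compile(r'^[^\+]+\+\d{2}:\d{2}\s[^\s]+\s([^\s]+)\s')
VERSION_RE = re.compile(r'^(?:[^P]*P)+RODUCT=([^,]+)')
SRC_IP_REQUEST_RE = re.compile(r'^(?:[^P]*P)+RODUCT=(?:[^,]+),[^\s]+\s([^\s]+)')
SRC_IP_ACCESS_RE = re.compile(r'^(?:[^P]*P)+RODUCT=(?:[^,]+),([^:]+)')
METHOD_RE = re.compile(r'^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(GET|POST|PUT)')
URI_RE = re.compile(r'^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+([^\"]+)')
STATUS_RE = re.compile(r'^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+(?:[^\"]+)\"\s+([1-5]\d\d)')
GPATH_RE = re.compile(r'^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+(?:[^=]*=)+gPath([^\s]+)')

# The query's two filter conditions, applied to the extracted URI.
URI_FILTER_RE = re.compile(r'\/mifs\/c\/(?:app|aft)store\/fob')
GPATH_FILTER_RE = re.compile(r'\=gPath')

# log_type lists reproduced as the query writes them ("https_access" appears twice).
HTTP_LOG_TYPES = {"https_request", "https_access", "http_request", "https_access"}
REQUEST_LOG_TYPES = {"https_request", "http_request"}


@dataclass
class EpmmHttpEvent:
    """One row of the query's final 'fields' stage."""
    time: str
    log_type: str
    epmm_version: Optional[str]
    src_ip: Optional[str]
    method: Optional[str]
    uri: Optional[str]
    response_code: Optional[str]
    attempted_command_execution: Optional[str]


def _first_group(pattern: "re.Pattern", line: str) -> Optional[str]:
    """Equivalent of arrayindex(regextract(_raw_log, pattern), 0)."""
    m = pattern.search(line)
    return m.group(1) if m else None


def parse_epmm_line(line: str) -> Optional[EpmmHttpEvent]:
    """Apply the query's 'alter' stages to one raw log line.

    Returns None for lines whose log_type the query filters out. The time is
    taken from the first whitespace-separated token (assumption: the query
    itself uses the dataset's _time column).
    """
    log_type = _first_group(LOG_TYPE_RE, line)
    if log_type not in HTTP_LOG_TYPES:
        return None
    # Request logs carry the client IP after a space; access logs carry it before a colon.
    if log_type in REQUEST_LOG_TYPES:
        src_ip = _first_group(SRC_IP_REQUEST_RE, line)
    else:
        src_ip = _first_group(SRC_IP_ACCESS_RE, line)
    return EpmmHttpEvent(
        time=line.split(" ", 1)[0],
        log_type=log_type,
        epmm_version=_first_group(VERSION_RE, line),
        src_ip=src_ip,
        method=_first_group(METHOD_RE, line),
        uri=_first_group(URI_RE, line),
        response_code=_first_group(STATUS_RE, line),
        attempted_command_execution=_first_group(GPATH_RE, line),
    )


def find_exploitation_attempts(lines) -> list:
    """Run the query's 'filter' and 'sort asc _time' stages over raw lines."""
    hits = []
    for line in lines:
        event = parse_epmm_line(line)
        if event is None or event.uri is None:
            continue
        if URI_FILTER_RE.search(event.uri) and GPATH_FILTER_RE.search(event.uri):
            hits.append(event)
    return sorted(hits, key=lambda e: e.time)


# Constructed sample lines (not real EPMM output): shaped to the layout the
# query's regexes imply. The gPath argument is a placeholder, not a payload.
SAMPLE_LOG_LINES = [
    '2026-02-10T10:15:32+00:00 epmm01 https_request PRODUCT=12.3.0.1,core 203.0.113.7 '
    '"GET /mifs/c/aftstore/fob?lang=en&x=gPath[CONSTRUCTED_SAMPLE] HTTP/1.1" 404',
    '2026-02-10T10:16:01+00:00 epmm01 https_access PRODUCT=12.3.0.1,10.0.0.9:52344 '
    '"GET /mifs/login.jsp HTTP/1.1" 200',
    '2026-02-10T10:16:30+00:00 epmm01 system PRODUCT=12.3.0.1,daemon started',
]

if __name__ == "__main__":
    for hit in find_exploitation_attempts(SAMPLE_LOG_LINES):
        print(hit)
```

Only the first constructed line survives both filter conditions (the appstore/aftstore "fob" path and an "=gPath" parameter); the access-log line is parsed but dropped by the URI filter, and the "system" line never reaches the HTTP parsing. A real EPMM syslog will differ from these constructed lines in detail, so validate the field extraction against a known-benign line from your own appliance before trusting the src_ip and response_code columns.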
Cortex Xpanse
Cortex Xpanse has the ability to identify exposed Ivanti EPMM devices on the public internet and escalate these findings to defenders.
Customers can enable alerting on this risk by ensuring that they’ve enabled the Ivanti Endpoint Manager Mobile (MobileIron Core) Attack Surface Rule.
On Feb. 6, two government agencies in the Netherlands — the Dutch Data Protection Authority (AP), and the Council for the Judiciary (Rvdr) — also copped to their own breaches, and were more forthcoming in naming Ivanti EPMM as the culprit.
UPDATE
A handful of European government agencies have been compromised by hackers in recent weeks, thanks to a new round of critical vulnerabilities in an Ivanti product — and it's another grim reminder of the heyday attackers have been having with edge devices.
Following what appeared to be a coordinated campaign against European governments, Shadowserver tracked another, more voluminous wave of attempted attacks against Ivanti EPMM, concentrated around Feb. 9.
This story was updated at 8:30 a.m. ET on Feb. 13 to reflect a statement from Ivanti, the names of two Dutch government agencies, and confirmation that Ivanti EPMM was the target in the attacks against the European Commission.
Ivanti EPMM Zero-Day Bugs Spark Exploit Frenzy — Again.
On Jan. 29, Ivanti disclosed two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) solution, and released a temporary patch to cover them.
Perhaps the public warning lit a fire under the threat actors who'd discovered CVE-2026-1281 and CVE-2026-1340 before Ivanti did.
Ivanti Bugs Spark Fresh Wave of Cyberattacks
On Jan. 20, the European Commission unveiled a revised Cybersecurity Act.
Consider, for instance, a perfectly legitimate company like Ivanti.
Over and over again, foreign attackers find and exploit critical zero-day vulnerabilities in Ivanti products.
Researchers at Greynoise found that none of the indicators of compromise (IoCs) published by Ivanti itself actually aligned with this spike in exploitation, tracing 83% of it to a single IP address from a bulletproof hosting service instead.
Greynoise informed Dark Reading that as of the time of publication, Feb. 12, that IP address was "still active in general."
What to Do About Ivanti Cyber Risk
In practice, organizations appear to be either unable or unwilling to do all that, as evidenced by how often even capable, well-resourced, and highly sensitive organizations fall victim to Ivanti attackers.
Which raises the question: If your parachute reliably failed once every few months or so, you probably wouldn't go skydiving with it, so why do high-level organizations continue to rely on Ivanti?
Part of the reason, says Benjamin Harris, CEO of watchTowr, is that "Ripping out tech like Ivanti isn't as easy as it sounds."
An Ivanti spokesperson provided the following statement to Dark Reading:
"Ivanti's recommendation remains the same: customers who have not yet patched should do so immediately, and then review their appliance for any signs of exploitation that may have occurred prior to patching.
Ivanti has provided customers with high fidelity indicators of compromise, technical analysis at disclosure, and an Exploitation Detection script developed with NCSC NL, and continues to support customers as we respond to this threat."
They are deeply embedded across their 40,000 enterprise client base, providing remote access, mobile device management, patching, endpoint management, and other solutions.
Intelligence Sources
Palo Alto
2026-02-17
Dark Reading
2026-02-12
Last Updated: 2026-04-27T06:59