Security researchers have observed exploitation of two patched Ivanti endpoint vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, to download malware including web shells, cryptocurrency miners, and a persistent backdoor. According to Palo Alto Networks, attacks began soon after disclosure, with a wide range of techniques seen across affected Ivanti platforms.
The vulnerabilities were patched by Ivanti in late January, after the vendor warned that zero-day activity had targeted a very limited number of customers. Germany's national cybersecurity agency, the BSI, has reported evidence of exploitation since the summer of 2025 and urged organisations to check for IoCs as far back as July 2025. CISA's KEV catalog currently lists more than 30 Ivanti flaws, and several high-profile infections have been linked to Chinese state-sponsored groups.
The campaign has also involved the Nezha open-source monitoring utility and the deployment of reverse shells and reconnaissance activity as part of the attackers’ toolkit.