Ivanti disclosed two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) solution on 29 January, tracked as CVE-2026-1281 and CVE-2026-1340; both enable remote code execution and score 9.8 on the CVSS scale. In a security advisory, the company admitted that a very limited number of customers had been exploited at the time of disclosure, and, according to CISA, CVE-2026-1281 was added to the Known Exploited Vulnerabilities list.
The following day, cyberattacks tied to EPMM struck the European Commission and agencies in the Netherlands and Finland. Attacks against edge devices have been ramping up for nearly three years, with Fortinet, SonicWall and WatchGuard also contending with zero-days. On 30 January, the European Commission and Valtori, Finland’s public managed services provider for the government, experienced breaches affecting thousands of individuals; in Valtori’s case, around 50,000 people had data exposed.
A PoC exploit was described by watchTowr, and GreyNoise data later pointed to a single IP address from a bulletproof hosting service as driving much of the February exploitation, with that IP still active as of 12 February.