One threat actor responsible for 83% of recent Ivanti RCE attacks

February 14, 2026 11:02 AM

Update: The article initially listed the wrong CVEs. This has now been corrected to list the CVEs: CVE-2026-1286 and CVE-2026-1340

• Threat intelligence observations show that a single threat actor is responsible for most of the active exploitation of two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340.
• The security issues have been flagged as actively exploited in zero-day attacks in Ivanti’s security advisory, where the company also announced hotfixes.
• Both flaws received a critical severity rating and allow an attacker to inject code without authentication, leading to remote code execution (RCE) on vulnerable systems.
• A single IP address hosted on bulletproof infrastructure is responsible for over 83% of exploitation activity related to the two vulnerabilities, says threat-focused internet intelligence company GreyNoise.
• Between February 1st and 9th, the monitoring platform observed 417 exploitation sessions originating from 8 unique source IP addresses, and centered on CVE-2026-1281 and CVE-2026-1340.
