
Securing Edge Management: Analysis of Ivanti EPMM Critical Vulnerabilities

Recent security incidents involving Ivanti Endpoint Manager Mobile (EPMM) highlight the critical need for sturdy edge defense. This analysis reviews the technical details of CVE-2026-1281 and CVE-2026-1340, observed threat activity, and strategic recommendations for hardening management infrastructure.

Triage Security Media Team

Recent security incidents affecting European government agencies demonstrate the ongoing risks associated with edge management devices. On Jan. 29, Ivanti disclosed two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) solution, identified as CVE-2026-1281 and CVE-2026-1340. Both vulnerabilities allow for remote code execution (RCE) and carry a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.

Following the disclosure, Ivanti noted that a limited number of customers had experienced unauthorized access. The Cybersecurity and Infrastructure Security Agency (CISA) subsequently added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog.

Timeline of Observed Activity

Security researchers observed a correlation between the public disclosure and a rise in targeted activity. Shortly after the vulnerabilities were announced, security incidents involving EPMM were reported by the European Union's European Commission, as well as agencies within the Dutch and Finnish governments.

On Jan. 30, the European Commission identified a security incident affecting its "central infrastructure managing mobile devices." While the incident did not result in direct compromise of mobile devices, it exposed staff names and contact numbers. On the same day, Valtori, the service provider for the Finnish government, reported a similar unauthorized access event affecting approximately 50,000 individuals. Although neither organization initially named the specific product, Valtori confirmed the entry point was a vulnerability in a commercial mobile device management service disclosed on Jan. 29. Dutch government agencies later confirmed Ivanti EPMM was the vector for similar incidents.

Technical Analysis and Threat Intelligence

Research teams have provided significant insight into the mechanics of these vulnerabilities. Security researchers at watchTowr published a proof-of-concept demonstrating how CVE-2026-1281 leverages Bash arithmetic expansion within the software's file delivery mechanism. This flaw allows an unauthenticated user to execute arbitrary commands on the server.

Data from Greynoise indicates that while multiple sources began scanning for these vulnerabilities following disclosure, the majority of the activity (approximately 83%) originated from a single IP address hosted on infrastructure often associated with high-risk hosting services.

Notably, Greynoise observed that 85% of the payloads associated with this activity utilized out-of-band application security testing (OAST) techniques. This suggests that the threat actors were primarily verifying the vulnerability of target systems rather than immediately deploying malicious code. This aligns with findings from Defused Cyber, which reported the presence of dormant "sleeper shells" on compromised systems, potentially placed for future access.
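As an added example, not code from the original article or from Greynoise, the following Python triage script applies the two observations above to constructed web-server log lines: it measures how concentrated requests to a given path are by source IP, and flags requests whose target embeds a callback-style hostname, the hallmark of OAST probing. The log format, endpoint path, IP addresses and callback domain are placeholders, not values from the incidents described.

```python
import re
from collections import Counter

# Constructed sample log lines (RFC 5737 placeholder IPs, a placeholder endpoint
# path and a placeholder callback domain); they are not real EPMM traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Jan/2026:10:01:02 +0000] "GET /example-endpoint?id=1 HTTP/1.1" 200 512
203.0.113.10 - - [30/Jan/2026:10:01:03 +0000] "GET /example-endpoint?id=q8f3k2l9.callback.example HTTP/1.1" 200 512
203.0.113.10 - - [30/Jan/2026:10:01:04 +0000] "GET /example-endpoint?id=z7m2p0w4.callback.example HTTP/1.1" 200 512
198.51.100.7 - - [30/Jan/2026:10:02:11 +0000] "GET /example-endpoint?id=2 HTTP/1.1" 200 512
203.0.113.10 - - [30/Jan/2026:10:03:40 +0000] "GET /example-endpoint?id=3 HTTP/1.1" 200 512
"""

# Combined-log-style line: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Heuristic for an out-of-band callback: a random-looking label of 8+ alphanumerics
# followed by a registrable domain, embedded anywhere in the request target.
OAST_RE = re.compile(r'(?<![a-z0-9])[a-z0-9]{8,}\.[a-z0-9-]+\.[a-z]{2,}', re.I)

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def source_share(rows, path_prefix):
    """Return (top_ip, fraction) among requests whose target starts with path_prefix."""
    counts = Counter(r["ip"] for r in rows if r["target"].startswith(path_prefix))
    total = sum(counts.values())
    if not total:
        return None, 0.0
    ip, n = counts.most_common(1)[0]
    return ip, n / total

def oast_requests(rows):
    """Return rows whose request target embeds a callback-style hostname."""
    return [r for r in rows if OAST_RE.search(r["target"])]

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("top source:", source_share(rows, "/example-endpoint"))
    print("callback-style requests:", [r["ts"] for r in oast_requests(rows)])
```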

Strengthening Perimeter Defense

The recurrence of vulnerabilities in edge devices, including recent issues affecting Fortinet, SonicWall, and WatchGuard products, reinforces the need for a defense-in-depth approach. Relying solely on patching is often insufficient for high-value perimeter targets.

Douglas McKee, director of vulnerability intelligence at Rapid7, advises organizations to evolve their strategy. "One shift organizations should consider is moving beyond 'patch and pray' to designing perimeter infrastructure with the assumption of eventual compromise as a proactive security measure," McKee states.

Effective mitigation involves reducing the accessible surface area. McKee recommends "minimizing exposure by eliminating unnecessary public interfaces, enforcing pre-authentication access controls, and aggressively restricting management-plane reachability rather than simply hardening what is already exposed."

Furthermore, he suggests treating management systems as critical assets requiring enhanced visibility. By implementing deep telemetry, behavioral monitoring, and strict egress controls, security teams can detect unauthorized activity quickly, preventing lateral movement into the internal network.

While replacing deeply embedded infrastructure like Ivanti EPMM can be operationally complex, as noted by watchTowr CEO Benjamin Harris, the focus must remain on architectural resilience. Organizations should ensure that even if a perimeter device is compromised, the potential impact is contained through rigorous segmentation and monitoring.