
Hackers have launched an unprecedented scanning operation, employing tens of thousands of IP addresses to hunt for vulnerable Ivanti Endpoint Manager Mobile (EPMM) instances. Dozens of organizations have already been compromised.
Ivanti recently disclosed two critical vulnerabilities that enable unauthenticated attackers to execute code on Endpoint Manager Mobile (EPMM) systems.
The flaws are so severe that the US cyber authority CISA ordered federal agencies to patch them immediately, giving them only three days before the deadline of February 1st, 2026.
Ivanti EPMM is widely used by organizations to manage and secure employee devices running iOS, Android, and Windows. IT administrators use it to enforce security policies, control access to corporate data, deliver applications and content, manage device lifecycles, etc.
If attackers gain access to this system, it could result in a devastating, widespread compromise of the organization, exposing managed devices and sensitive corporate data.
Threat actors have already compromised the European Commission, the Dutch Data Protection Authority (DPA), and dozens of other organizations. ShadowServer, a nonprofit security organization, has already discovered at least 60 Ivanti EPMM servers that were likely compromised by hackers exploiting the vulnerability.
Hackers have launched an unprecedented scanning campaign to identify any remaining vulnerable systems.
Global attack wave
On a single day, attackers amassed 28,323 IP addresses for a scanning campaign and hit the honeypot server over 39,000 times, according to Shadowserver data.
To put that in perspective, the second-most-scanned vulnerability had only 311 IPs and over 1,000 connections detected. This is close to the typical daily averages for the top scanned vulnerabilities.
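The two figures Shadowserver reports for each scanned product, distinct source IPs and total connections, come from aggregating honeypot hits by day and by targeted product and comparing the result to a typical-day baseline. The script below is an added example, not code from the article or from Shadowserver; it reads constructed honeypot log lines (RFC 5737 TEST-NET addresses, with the line format, the `tag=` product labels and the baseline values all assumed for illustration), computes unique-source and hit counts per day and product, and flags any product whose daily unique-source count is far above its baseline, which is the kind of spike the article describes.

```python
from collections import defaultdict
import re

# Constructed sample honeypot log lines (RFC 5737 TEST-NET addresses, not real scanners).
# Format assumed for this example: "<timestamp> src=<ip> tag=<targeted product>".
SAMPLE_LOG = """\
2026-02-02T10:00:01Z src=192.0.2.10 tag=ivanti-epmm
2026-02-02T10:00:02Z src=192.0.2.11 tag=ivanti-epmm
2026-02-02T10:00:03Z src=192.0.2.10 tag=ivanti-epmm
2026-02-02T10:00:04Z src=198.51.100.7 tag=ivanti-epmm
2026-02-02T10:00:05Z src=203.0.113.3 tag=ivanti-epmm
2026-02-02T10:00:06Z src=203.0.113.4 tag=ivanti-epmm
2026-02-02T10:00:07Z src=203.0.113.5 tag=other-product
2026-02-02T10:00:08Z src=203.0.113.5 tag=other-product
2026-02-02T10:00:09Z not a valid line
"""

# Constructed typical daily unique-source counts per product; in practice this
# would be a rolling average computed from the honeypot's own history.
BASELINE_UNIQUE_IPS = {"ivanti-epmm": 2, "other-product": 1}

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) tag=(?P<tag>\S+)$"
)


def aggregate(log_text):
    """Group hits by (day, tag): the set of distinct source IPs and the hit count."""
    stats = defaultdict(lambda: {"sources": set(), "hits": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        key = (m["day"], m["tag"])
        stats[key]["sources"].add(m["src"])
        stats[key]["hits"] += 1
    return stats


def summarize(log_text):
    """Return {(day, tag): (unique_source_ips, total_hits)}."""
    return {k: (len(v["sources"]), v["hits"]) for k, v in aggregate(log_text).items()}


def flag_spikes(log_text, baseline, factor=2.0):
    """Return (day, tag, unique_ips, hits, baseline) for products whose distinct
    source count is at least `factor` times the typical daily value."""
    flagged = []
    for (day, tag), (uniq, hits) in sorted(summarize(log_text).items()):
        base = baseline.get(tag)
        if base is not None and uniq >= factor * base:
            flagged.append((day, tag, uniq, hits, base))
    return flagged


if __name__ == "__main__":
    for (day, tag), (uniq, hits) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{day} {tag}: {uniq} unique sources, {hits} hits")
    for day, tag, uniq, hits, base in flag_spikes(SAMPLE_LOG, BASELINE_UNIQUE_IPS):
        print(f"SPIKE {day} {tag}: {uniq} unique sources vs baseline {base}")
```

Counting distinct sources separately from hits matters because a single scanner re-trying the same host inflates the connection count without saying anything about how many machines are involved; the article's 28,323 IPs against 39,000 hits tells a different story from 311 IPs against 1,000.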
Shadowserver reports over 1,200 exposed Ivanti EPMM instances worldwide without vulnerability assessment – it's unclear how many remain vulnerable. The organization warned about a spike in exploitation attempts on January 31st, 2026, when only 13 source IP addresses were attacking these systems.
Most of the internet-facing Ivanti EPMM instances are in Germany (397), the US (228), and the UK (53), with dozens more in Switzerland, Hong Kong, China, France, Spain, the Netherlands, Sweden, and other countries.
Most instances are likely not directly exposed to the internet, as network administrators typically deploy them behind corporate firewalls.
“The massive attempt, via a botnet or residential proxy network, maybe, is quite unprecedented,” Piotr Kijewski, CEO at The Shadowserver Foundation, told Cybernews.
While the number of compromised instances may appear small compared to the attacking IPs, Kijewski explains that it’s not necessarily a question of their ineffectiveness.
“We may simply not be able to observe the results. Observing the attacks and then detecting compromises remotely are two different processes.”
Emergency patches for Ivanti EPMM have been available since January 29th, 2026. But the public proof-of-concept exploit was released immediately after the disclosure, igniting a race between attackers and network defenders.
Ivanti has also released an exploitation detection tool that helps customers assess potential exploitation, according to the advisory. Additionally, the firm released guidance containing threat indicators and defensive measures.
“We are aware of a very limited number of customers who have been exploited at the time of disclosure,” Ivanti said.
“We urge all customers to apply the patch as soon as possible and run the exploitation detection RPM package as a tool to assist in identifying potential compromise.”
Several threat actors are exploiting the bug
The Dutch National Cyber Security Center (NCSC) said on Monday that it has identified “several organizations exploiting the vulnerability” affecting Ivanti EPMM instances.
“Research into this vulnerability revealed that, among other things, the database on the Ivanti EPMM system is being copied and exfiltrated. This method of exploitation bears similarities to the exploitation of previous vulnerabilities in Ivanti,” the NCSC said.
The EPMM MIFS database that attackers are exfiltrating contains information about devices, such as IMEI, phone numbers, locations, and SIM details, as well as LDAP users and Office 365 access tokens and credentials.
“It is crucial to change all confidential data stored on the Ivanti EPMM system, such as user passwords, private keys, and access tokens. This data can be misused to gain access to other systems on the network,” the watchdog said, warning affected organizations.
The NCSC believes that multiple threat actors are exploiting the vulnerability, and different hackers may use different attack techniques.
The authority urges companies to isolate the Ivanti EPMM systems while keeping them running.
“Disabling the system can erase important traces. The NCSC has observed at least one actor covering their tracks.”
Ultimately, to mitigate the compromise, the NCSC recommends reinstalling the machine after modifying the potentially leaked data, and warns that backup configurations can also be compromised.
The NCSC recommends that all companies using Ivanti EPMM follow an “assume breach” scenario.
“It has now become clear that this exploitation was much more widespread than previously known. Ivanti EPMM users should assume their system was already compromised before installing the patch,” the watchdog concluded.
Updated on February 11th [07:30 a.m. GMT] with a comment from Shadowserver Foundation.