Ivanti EPMM “sleeper” webshells pose hidden threat

Summary
– A critical Ivanti EPMM vulnerability (CVE-2026-1281) is being widely exploited, with automated scanning and an initial access broker deploying a dormant “sleeper” webshell.
– Exploitation activity includes payloads that verify a target is vulnerable by phoning home via DNS, which is consistent with initial access operations before deploying further tooling.
– Multiple organizations, including Dutch authorities and Finland’s Valtori, have been confirmed as victims of breaches likely linked to this vulnerability.
– Security agencies and researchers have provided detection scripts and indicators of compromise, advising organizations to patch immediately and conduct forensic investigations.
– Ivanti stresses that applying the available patch, which requires no downtime, is the most effective way to prevent exploitation, regardless of how attack indicators evolve.
A significant surge in exploitation attempts is now targeting a critical vulnerability in Ivanti’s Endpoint Manager Mobile (EPMM) platform, following its public disclosure. Cybersecurity groups are tracking widespread scanning and a concerning campaign where attackers are implanting hidden backdoors on unpatched systems. These dormant webshells act as “sleeper” agents, lying in wait for activation by other threat actors to carry out further malicious activities.
Security firm GreyNoise, together with researchers at Defused Cyber, identified this campaign. They reported that compromised EPMM instances are being seeded with in-memory Java class loaders at a specific path. These implants require a precise trigger parameter to activate, which makes them hard to detect during routine scans, since no immediate malicious activity follows the initial compromise. From its global network sensors, GreyNoise observed exploitation sessions in which the payload did nothing more than perform a DNS callback to confirm the target was vulnerable. This behavior is a hallmark of initial access brokers, who specialize in proving a system can be breached before selling that access or deploying additional tools.
The activity centers on CVE-2026-1281, a severe pre-authentication code injection flaw that Ivanti disclosed in late January alongside another vulnerability, CVE-2026-1340. The company acknowledged it was aware of active exploitation, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to swiftly add it to its Known Exploited Vulnerabilities catalog. While Ivanti issued a temporary fix and subsequent security updates, researchers quickly analyzed the patches, underscoring the urgency for organizations to apply them.
Several high-profile breaches have already been linked to this vulnerability. Both the Dutch Data Protection Authority and the Council for the Judiciary had their EPMM instances compromised on or before the disclosure date. The European Commission also confirmed a hack of its mobile device management platform, and Valtori, Finland’s central government ICT center, was named as another victim. In response, Ivanti collaborated with the Dutch National Cyber Security Center to release a detection script. The Dutch NCSC has advised all organizations using Ivanti EPMM to operate under the assumption of compromise and conduct a forensic investigation.
Defused Cyber has provided detailed indicators of compromise and log patterns to assist defenders. Their guidance is clear: organizations must immediately patch their Ivanti EPMM instances, restart application servers to purge any in-memory implants, and meticulously review access logs using the shared indicators. Applying the official patch remains the most critical and effective action to prevent exploitation, as it addresses the core vulnerability regardless of how attacker tactics evolve. Ivanti emphasizes that the patch requires minimal downtime and can be applied in seconds. Ivanti continues to support customers with technical analysis, high-fidelity compromise indicators, and the dedicated detection tool developed with Dutch authorities.
(Source: Help Net Security)