Ivanti EPMM zero-day CVE-2026-1281

Ivanti EPMM zero-day CVE-2026-1281 is being actively exploited and currently affects mobile device management environments, especially internet-exposed ones. Authorities in Europe are reporting incidents in which employees’ business contact details may have been compromised, significantly increasing the risk of targeted phishing and social engineering attacks.

What has been officially confirmed about the Ivanti EPMM zero-day CVE-2026-1281

The vulnerability CVE-2026-1281 affects Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core. According to the National Vulnerability Database entry, it is a code injection issue that enables unauthenticated remote code execution. The same record also indicates that CVE-2026-1281 is referenced in the context of the Known Exploited Vulnerabilities catalog, meaning “in the wild” exploitation has been officially documented.

For risk assessment, the operational context is critical. With internet-exposed “edge” systems, experience shows that not only immediate exploitation matters, but also subsequent persistence and data exfiltration. This is exactly why CERTs and authorities regularly emphasize in their advisories that patching alone is often not sufficient if compromise may have occurred before updates were applied.

European incidents involving compromised contact data

In Europe, at least two government-related incidents have currently been publicly confirmed in which employees’ contact details may have been affected. It is important to distinguish between the confirmed facts (which systems and what data categories) and the open question of whether, in every individual case, the same product instance or the exact same CVE was the cause. For robust secondary reporting, only the official communications should be used as the factual baseline.

European Commission reports attack on central mobile infrastructure

In an official statement, the European Commission explained that on 30 January 2026, traces of a cyberattack were detected on its central infrastructure for managing mobile devices. The statement notes that this may have enabled access to the names and mobile phone numbers of some employees. At the same time, the Commission emphasized that no compromise of mobile devices was identified and that the incident was contained and remediated within nine hours.

The Netherlands confirms exploitation of an Ivanti EPMM vulnerability at the data protection authority

In the Netherlands, there is an explicit attribution. On 6 February 2026, the government informed Parliament about the exploitation of a vulnerability in Ivanti Endpoint Manager Mobile at the Autoriteit Persoonsgegevens and at the Raad voor de rechtspraak. Based on what is currently known, work-related data of employees of the data protection authority were accessed, including name, work email address, and telephone number. The parliamentary notification itself is published by the government as the Kamerbrief dated 6 February 2026.

In this case, then, the exposed data is explicitly described as contact details. This data category is particularly relevant for follow-on attacks because it can be easily linked with publicly available information and is well suited for personalized deception attempts.

Why technical exploitation often involves more than contact details

Even though public statements often initially focus on contact details, national CERTs warn of potentially broader consequences. The Dutch NCSC reports that in observed exploitation of CVE-2026-1281, the database of an Ivanti EPMM system was, among other things, copied and exfiltrated. Depending on configuration, such a database can contain information about managed devices, for example phone numbers, device identifiers, and other metadata. In addition, the NCSC points out that such data sets may also include identity and cloud artifacts such as directory data or tokens that could be abused for lateral movement.

An additional escalation factor is the availability of public proof-of-concept implementations. Once PoC code is widely available, the likelihood of automated scanning and opportunistic exploitation increases significantly, especially for internet-exposed appliances.

Ivanti EPMM zero-day CVE-2026-1281: What organizations should do now

For affected or potentially affected organizations, this creates immediate priorities that go beyond a classic “patch and move on” approach.

  • Patching as an immediate measure remains essential, but it is only one part of the response if exploitation may already have occurred.
  • An “assume breach” approach is advisable if EPMM was exposed or indicators suggest exploitation. This includes structured compromise assessment with a reliable log basis.
  • Credential hygiene is a priority. Passwords, keys, and tokens managed through EPMM or stored on the system should be treated as potentially compromised and rotated in a controlled manner.
  • Monitoring and incident response need to be oriented toward follow-on activity. Contact-data exposure increases the risk of spearphishing against admins, service owners, and executives.
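As an added illustration of the “assume breach” and monitoring points above (example code written for this page, not tooling from Ivanti, the NCSC or the original article), the Python script below triages reverse-proxy access-log lines in front of an MDM backend. It assumes the common Apache/Nginx “combined” log format, an assumed set of administrative source networks, an assumed bulk-response threshold and a patch timestamp; it then flags successful requests from outside those networks and unusually large responses in the window before the patch was applied. All log lines, IP ranges, paths and timestamps are constructed for the example.

```python
"""Triage helper for an 'assume breach' review of an internet-exposed MDM backend.

Added example, not Ivanti's or any CERT's tooling. It assumes a reverse-proxy
access log in the common Apache/Nginx "combined" format in front of the MDM
appliance; the log lines, networks, paths and timestamps are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Networks from which administrative access is expected (assumed example ranges).
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.0.2.0/24")]

# A single response larger than this (bytes) is treated as a possible bulk
# export, e.g. a database dump.  Assumed value for the example.
BULK_RESPONSE_BYTES = 5_000_000

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines: one external source succeeds twice before the patch,
# once with a very large response; a later external hit falls after the patch.
SAMPLE_LOG = [
    '10.0.4.7 - - [29/Jan/2026:08:12:01 +0000] "GET /admin/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Jan/2026:23:41:09 +0000] "POST /admin/api HTTP/1.1" 200 874 "-" "python-requests/2.31"',
    '203.0.113.5 - - [29/Jan/2026:23:42:15 +0000] "GET /admin/export HTTP/1.1" 200 48213761 "-" "python-requests/2.31"',
    '10.0.4.7 - - [30/Jan/2026:07:02:44 +0000] "GET /admin/status HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [31/Jan/2026:10:00:00 +0000] "GET /admin/login HTTP/1.1" 200 1532 "-" "curl/8.0"',
]
# Assumed time at which the appliance was patched (constructed).
PATCH_TIME = datetime(2026, 1, 30, 12, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None if malformed."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_admin_source(ip):
    """True if the source address lies inside one of the expected admin networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def triage(lines, patch_time):
    """Return sorted findings for the compromise assessment.

    Only traffic before `patch_time` (while the appliance was still vulnerable)
    is considered.  Two kinds of findings are produced:
      ("external_success", ip, count)        successful requests from outside ADMIN_NETWORKS
      ("bulk_response", ip, path, size)      any response above BULK_RESPONSE_BYTES
    """
    findings = []
    external_hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] >= patch_time:
            continue
        if rec["status"].startswith("2") and not is_admin_source(rec["ip"]):
            external_hits[rec["ip"]] += 1
        if rec["size"] > BULK_RESPONSE_BYTES:
            findings.append(("bulk_response", rec["ip"], rec["path"], rec["size"]))
    for ip, count in external_hits.items():
        findings.append(("external_success", ip, count))
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, PATCH_TIME):
        print(finding)
```

The two heuristics map directly onto the list above: successful pre-patch requests from unexpected sources are the starting point for a compromise assessment, and oversized responses are a crude indicator of the kind of bulk database copy the NCSC describes. Real EPMM log formats, paths and vendor-published indicators should be taken from the Ivanti and NCSC advisories rather than from this illustration, and any hit should be treated as a reason to rotate the credentials and tokens the system holds, not as proof by itself.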

The NCSC’s warning provides the current official operational picture, including situational updates, and also describes the “assume breach” logic and the NCSC’s observations of exploitation. The official notice is available as the NCSC warning on Ivanti EPMM.

Ivanti EPMM zero-day CVE-2026-1281: Implications for data protection and risk management

The confirmed incidents show two things. First, mobile device management systems are attractive targets because they sit between endpoints, identities, and enterprise applications. Second, the leakage of just a few data fields can create significant downstream risk, for example through highly targeted social engineering campaigns. For risk management, this means MDM backends should be treated as highly critical systems, with strict exposure control, centralized telemetry, hardening, and pre-planned procedures for rapid token and credential rotations.

FAQ on the Ivanti EPMM zero-day CVE-2026-1281

Yes. The NVD record lists CVE-2026-1281 in the context of the Known Exploited Vulnerabilities catalog, and national CERTs report actively observed exploitation.

The European Commission confirms an attack on its central mobile infrastructure and possible access to names and mobile phone numbers, but the statement does not name a specific product. A clear attribution to Ivanti EPMM cannot be derived from the statement alone.

The parliamentary notification names work-related employee data, including name, work email address, and telephone number.

Category: News