PONT Data&Privacy

NCSC calls on organizations to report when using Ivanti Endpoint Manager Mobile

Active exploitation of a vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron, has been detected. Organizations are advised to assume that the system has been compromised and to follow an "assume-breach" scenario. The NCSC urges organizations using this software to contact them.

National Cyber Security Center February 10, 2026

News/press release


The NCSC has identified multiple organizations where the vulnerability identified as CVE-2026-1281 has been exploited. Investigation into the exploitation of this vulnerability shows that, among other things, the database on the Ivanti EPMM system is being copied and exfiltrated. This method of exploitation is similar to the exploitation of previous vulnerabilities in Ivanti. It is not clear whether this involves the same actor, but it does provide insight into the steps needed to conduct a thorough investigation and set up the right monitoring when using an Ivanti EPMM system.

One of the key characteristics observed by the NCSC is the copying and downloading of the Ivanti EPMM mifs database. This database contains information about the devices used, such as IMEI, phone number, location, and SIM details, as well as LDAP users and Office365 access tokens and credentials. It is therefore important that all confidential data stored on the Ivanti EPMM system, such as all user passwords, private keys, and access tokens, be changed. This data could be misused to gain access to other systems in the network.

The NCSC therefore strongly recommends the following if the script provided generates hits:

• Isolate the Ivanti EPMM system, but do not shut it down. Shutting down the system may erase important traces. The NCSC has observed that at least one actor erases its traces.

• Check systems directly connected to the Ivanti EPMM system for misuse. The data in the Ivanti EPMM system database can be misused to gain further access to the network. It is therefore advisable to monitor the Office365 and cloud environment extra closely for suspicious login attempts, and also to critically examine suspicious connections from elsewhere in the network.

• The NCSC considers it plausible that multiple actors are exploiting the vulnerability. Different actors may use different attack techniques. The available script does not completely rule out exploitation. It is therefore important to monitor the network and the system closely and to store the logs of Ivanti EPMM systems securely on another system.

• To further remedy the compromise, in addition to changing the potentially leaked data, it is advisable to reinstall the machine. Backed-up configurations can also be compromised, so they may not be secure either.

• In the event of potential compromise, the NCSC strongly advises you to contact your CSIRT.

• If adjacent systems show suspicious activity, it is advisable to take immediate further action to prevent further abuse.
