We have started to report webshells (or other exploitation artifacts) found on Ivanti EPMM devices, likely compromised via CVE-2026-1281. 56 IPs found on 2026-02-06.

Data in https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/

Tree Map view: https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=compromised_website&source=compromised_website6&tag=ivanti-epmm-compromised%2B&data_set=count&scale=log&auto_update=on

Thank you to the KSA NCA for the heads up!

If you receive an alert from us, please review the security advisory and guidance from Ivanti at https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 including the Exploitation Detection RPM Package co-developed by Ivanti & @NCSC_NL@social.overheid.nl