
Sleeper Shells: Attackers Are Planting Dormant Backdoors in Ivanti EPMM


Exploitation of Ivanti Endpoint Manager Mobile (EPMM) has been relentless since vulnerability disclosure. That’s not necessarily news. Major institutions - governments included - have already been compromised through this vector, and we’re tracking another exploitation wave as it develops.

On February 4th, 2026, a coordinated campaign started across our telemetry with a differing pattern to previous mass exploitation. Rather than the smash-and-grab post-exploitation you’d expect - dropping traditional webshells, running recon and enumeration commands - this operator did something more deliberate, uploading a payload, confirming it landed, and leaving.

No commands were executed, the implant was simply left in place.

Key Takeaway: This campaign deployed a dormant in-memory Java class loader to /mifs/403.jsp - a somewhat less common webshell path. The implant can only be activated with a specific trigger parameter, and no follow-on exploitation has yet been observed. This is suggestive of initial access broker (IAB) tradecraft: gain a foothold, then sell or hand off access later.

# The Vulnerabilities

Ivanti disclosed two critical vulnerabilities in EPMM - CVE-2026-1281 and CVE-2026-1340 - both covering authentication bypass and remote code execution, affecting different packages (aftstore and appstore respectively). The practical outcome is the same: unauthenticated access to application-level endpoints. Ivanti published patching guidance via their security advisory, and exploitation in the wild followed shortly after.

Most of the early activity was predictable - opportunistic scanning, mass exploitation, and commodity webshell drops.

# The 403.jsp Campaign

Every exploit from this campaign dropped a webshell to the path:

/mifs/403.jsp
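A defender's first question is whether this path has ever been touched on their own appliances. The script below is an added example, not code from the article or from Ivanti: it parses web access-log lines in combined log format (an assumption about your log source), flags every request for /mifs/403.jsp, and labels each hit by what the article describes - a write to the path, a plain fetch that could be the "confirm it landed" step, a request carrying parameters that could be the activation trigger, or a probe that found nothing. The sample log lines are constructed, and the `x=1` query string is a placeholder because the article does not name the trigger parameter.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Implant location named in the article.
IMPLANT_PATH = "/mifs/403.jsp"

# Combined log format (assumed); adjust if your appliance logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    status: int
    params: list          # query-parameter names seen on the request
    reason: str           # triage label, heuristic only


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "params": sorted(parse_qs(parts.query, keep_blank_values=True)),
        "status": int(m.group("status")),
    }


def classify(rec: Optional[dict]) -> Optional[Hit]:
    """Return a Hit for any request to the implant path, with a triage label.

    The labels are heuristics (assumption), not a decoder for the implant:
    any request for this path deserves review against a known-good baseline.
    """
    if rec is None or rec["path"].lower() != IMPLANT_PATH:
        return None
    if rec["status"] == 404:
        reason = "probe of implant path (file not present)"
    elif rec["method"] in ("PUT", "POST") and not rec["params"]:
        reason = "write/touch of implant path with body: review for upload"
    elif rec["params"]:
        reason = "request to implant path with parameters: possible trigger"
    else:
        reason = "plain fetch of implant path: possible confirmation check"
    return Hit(rec["ip"], rec["ts"], rec["method"], rec["status"],
               rec["params"], reason)


def scan(lines) -> list:
    """Run every line through parse + classify, keeping only hits."""
    return [h for h in (classify(parse_line(l)) for l in lines) if h]


# Constructed sample lines modelled on the upload / confirm sequence the
# article describes; the "x=1" query string is a placeholder, not a real trigger.
SAMPLE_LOG = [
    '203.0.113.10 - - [04/Feb/2026:10:15:02 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 12',
    '203.0.113.10 - - [04/Feb/2026:10:15:05 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 0',
    '203.0.113.10 - - [04/Feb/2026:10:15:09 +0000] "GET /mifs/403.jsp?x=1 HTTP/1.1" 200 0',
    '198.51.100.7 - - [04/Feb/2026:10:20:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512',
    '198.51.100.9 - - [04/Feb/2026:11:02:41 +0000] "GET /mifs/403.jsp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.ip} {h.method} {h.status} params={h.params} -> {h.reason}")
```

A hit on this path is a reason to pull the appliance's webroot and check whether 403.jsp exists and what it contains; a one-time GET after a POST from the same source, with nothing further, is exactly the quiet upload-and-confirm pattern the article describes, so absence of later command traffic should not be read as absence of compromise.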
