CISA Adds Actively Exploited Ivanti EPMM Vulnerability to KEV Catalog (CVE-2026-1281)

CISA has added a critical Ivanti Endpoint Manager Mobile (EPMM) vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

Tracked as CVE-2026-1281, the code injection vulnerability allows attackers to achieve unauthenticated remote code execution on affected systems.

Urgent Deadline

Federal agencies are required to apply mitigations by February 1, 2026—just three days from the January 29 catalog addition. Organizations outside the federal government should treat this timeline with equal urgency.

Vulnerability Details

Why This Matters

Ivanti products have been repeatedly targeted by threat actors, including nation-state groups. EPMM (formerly MobileIron Core) is widely deployed for enterprise mobile device management, making it a high-value target for attackers seeking initial access to corporate networks.

Recommended Actions

  1. Identify all Ivanti EPMM instances in your environment
  2. Check for signs of compromise on internet-accessible Ivanti products
  3. Apply vendor mitigations immediately
  4. If mitigations are unavailable, consider discontinuing use until patched
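The first and third actions can be tracked by matching an asset inventory against the KEV entry and its due date. The sketch below is an added example, not code from CISA, Ivanti or this article: the record uses the field names of CISA's KEV JSON feed with the values reported above, and the inventory hosts and fields are hypothetical.

```python
import json
from datetime import date

# Constructed KEV-style record; values are the ones reported in this article.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-1281", "vendorProject": "Ivanti",
   "product": "Endpoint Manager Mobile (EPMM)",
   "dateAdded": "2026-01-29", "dueDate": "2026-02-01"}
]}
""")

# Constructed inventory (hypothetical hosts and schema).
INVENTORY = [
    {"host": "mdm02.example.internal", "product": "MobileIron Core",
     "internet_facing": False, "mitigated": False},
    {"host": "mdm01.example.internal", "product": "Ivanti EPMM",
     "internet_facing": True, "mitigated": False},
    {"host": "mdm03.example.internal", "product": "Ivanti EPMM",
     "internet_facing": True, "mitigated": True},
    {"host": "web01.example.internal", "product": "nginx",
     "internet_facing": True, "mitigated": False},
]

# EPMM was formerly MobileIron Core, so older inventories may use that name.
ALIASES = ("epmm", "endpoint manager mobile", "mobileiron core")

def kev_entry(feed, cve_id):
    """Return the KEV record for cve_id, or None if it is not listed."""
    return next((v for v in feed["vulnerabilities"] if v["cveID"] == cve_id), None)

def triage(feed, inventory, cve_id, today):
    """List unmitigated EPMM assets with days left until the KEV due date."""
    entry = kev_entry(feed, cve_id)
    if entry is None:
        return []
    days_left = (date.fromisoformat(entry["dueDate"]) - today).days
    findings = [
        {"host": a["host"], "internet_facing": a["internet_facing"],
         "days_left": days_left, "overdue": days_left < 0}
        for a in inventory
        if any(alias in a["product"].lower() for alias in ALIASES)
        and not a["mitigated"]
    ]
    # Internet-facing instances first: they are the ones to check for compromise.
    return sorted(findings, key=lambda f: (not f["internet_facing"], f["host"]))

if __name__ == "__main__":
    for finding in triage(KEV_FEED, INVENTORY, "CVE-2026-1281", date(2026, 1, 30)):
        print(finding)
```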
