
Ivanti EPMM Zero-Day Bugs Spark Exploit Frenzy — Again

It's time to phase out the "patch and pray" approach, eliminate needless public interfaces, and enforce authentication controls, one expert says.

Nate Nelson, Contributing Writer, Dark Reading
February 12, 2026

A handful of European government agencies have been compromised by hackers in recent weeks, thanks to a new round of critical vulnerabilities in an Ivanti product, another grim reminder of the heyday attackers have been having with edge devices across the board.

On Jan. 29, Ivanti disclosed two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) solution. Tracked as CVE-2026-1281 and CVE-2026-1340, they are similar in nature: both allow remote code execution (RCE), and both carry a 9.8 out of 10 score on the Common Vulnerability Scoring System (CVSS) scale. In its security advisory, the company acknowledged "a very limited number of customers whose solution has been exploited at the time of disclosure," and the Cybersecurity and Infrastructure Security Agency (CISA) then added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog.

Perhaps the public warning lit a fire under the threat actors who had discovered CVE-2026-1281 and CVE-2026-1340 before Ivanti did. The next day, cyberattacks tied to EPMM struck the European Union's European Commission, as well as agencies of the Dutch and Finnish governments. That same day, researchers at watchTowr publicly described a proof-of-concept (PoC) exploit.
Ever since, more attackers have been getting in on the fun, though a large chunk of those attacks have come from one unidentified source in particular, according to data from Greynoise.

But attacks against edge devices have been steadily ramping up for nearly three years, tripping up multiple vendors in the process: Fortinet has endured a number of attacks against its products; SonicWall's edge devices have contended with zero-days; and WatchGuard's firewall was hit more recently with a zero-day. The highly distributed nature of edge networking has historically meant less monitoring, and like any good opportunist, attackers exploit that sort of weakness when they see it.

Ivanti Bugs Spark Fresh Wave of Attacks

On Jan. 20, the European Commission unveiled a revised Cybersecurity Act. In part, it highlighted the risk of relying on supply chain vendors from dubious foreign countries, and proposed ways to identify and phase them out. Sensible as that might be, Europe might be better served applying equal scrutiny to trusted vendors at home, because they often allow foreign attackers the same degree of access to sensitive systems.

Consider, for instance, a perfectly legitimate company like Ivanti. Over and over again, foreign attackers find and exploit critical zero-day vulnerabilities in Ivanti products. Yet those products are still widely deployed across high-level organizations, as recent days have shown.

On Jan. 30, the European Commission fell victim to a cyberattack against its "central infrastructure managing mobile devices." The attack lasted nine hours, and staff names and mobile numbers were compromised, though no direct mobile device compromises were detected. That same day, Valtori, the public managed services provider for Finland's government, fell victim to an attack of exactly the same nature.
In this case, the attack affected around 50,000 individuals associated with the central government. Names, email addresses, phone numbers, and other device details were leaked. Both Valtori and the European Commission disclosed their incidents on Feb. 5. Neither publicly named EPMM as the culprit, but Valtori noted that it was breached through a vulnerability in a commercial mobile device management service, one that happened to have been publicly disclosed on Jan. 29. Dark Reading reached out to the European Commission to confirm the conclusion to which all the circumstantial evidence points. On Feb. 6, two Dutch government agencies also disclosed their own breaches, and were more forthcoming in naming Ivanti EPMM as the culprit.

Following what appeared to be a coordinated campaign against European governments, Shadowserver tracked another, more voluminous wave of attempted attacks concentrated around Feb. 9. Researchers at Greynoise found that none of the indicators of compromise (IOCs) published by Ivanti itself aligned with this spike in exploitation; instead, they traced 83% of it to a single IP address at a bulletproof hosting service. Greynoise informed Dark Reading that as of the time of publication, Feb. 12, that IP address was "still active in general." The practical upshot for defenders is that a vendor's IOC list captures only the activity the vendor has seen, so blocking just the published addresses would have missed the bulk of this wave.

What to Do About Ivanti

In theory, at least, powerful perimeter technologies can be secured against most attackers. "One shift organizations should consider is moving beyond 'patch and pray' to designing perimeter infrastructure with the assumption of eventual compromise as a proactive security measure," suggests Douglas McKee, director of vulnerability intelligence at Rapid7.
In his view, "That starts with minimizing exposure by eliminating unnecessary public interfaces, enforcing pre-authentication access controls, and aggressively restricting management-plane reachability rather than simply hardening what is already exposed. It also means treating perimeter and management systems as high-value assets by instrumenting them with deep telemetry, behavioral monitoring, and strict egress controls. That way, exploitation is detected quickly and cannot pivot freely into the internal network."

McKee urges organizations to treat perimeter management as Tier-0 critical infrastructure, at least as sensitive, and as exposed, as any other system they run. "When hardened and monitored properly, centralized control remains operationally necessary; however, it must be architected with the assumption that it will be targeted," he says.

In practice, organizations appear to be either unable or unwilling to do all that, as evidenced by how often even capable, well-resourced, and highly sensitive organizations fall victim to Ivanti attackers. Which raises the question: If your parachute reliably failed once every few months or so, you probably wouldn't go skydiving with it, so why do high-level organizations continue to rely on Ivanti?

Part of the reason, says Benjamin Harris, CEO of watchTowr, is that "Ripping out tech like Ivanti isn't as easy as it sounds. They are deeply embedded across their 40,000 enterprise client base, providing remote access, mobile device management, patching, endpoint management, and other solutions. That kind of footprint in enterprise environments is a hard, slow process to unwind."

"While this is, of course, a sorry state of affairs that we find ourselves in, the reality is: Which of their competitors has a better track record? The bar remains disappointingly low," he says, adding, sardonically, "but thank goodness they all signed a pledge."
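Two points in this article are worth making concrete for anyone who runs an internet-facing management appliance: the Greynoise finding that the Feb. 9 spike came overwhelmingly from one address that Ivanti's published IOCs never named, and McKee's advice to instrument perimeter systems with telemetry and behavioral monitoring rather than rely on patching alone. The script below is an added example, not code from the Dark Reading article, from Ivanti or from Greynoise. It reads an appliance access log, separates expected internal management traffic from external requests, measures how concentrated the external volume is, and reports how much of that volume a vendor IOC list actually covers. The log format, the sample lines, every IP address, the vendor IOC list, the internal network range and the 50% concentration threshold are all constructed for illustration; the request paths are placeholders and say nothing about which EPMM endpoint was abused.

```python
"""Source-concentration triage for an internet-facing appliance access log.

Added example for this page; not code from the Dark Reading article,
from Ivanti or from Greynoise.  Everything below is constructed for
illustration: the Common Log Format sample, the IP addresses, the
hypothetical vendor IOC list, the internal network and the threshold.
The request paths are placeholders, not the exploited EPMM endpoint.
"""
from collections import Counter
import ipaddress
import re

# Hypothetical vendor-published IOC addresses (constructed, not Ivanti's).
VENDOR_IOCS = {"198.51.100.7", "203.0.113.88"}

# Sources expected to reach the management plane (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed access-log sample: one noisy external source, one IOC-listed
# source, one unknown external source, and routine internal admin traffic.
SAMPLE_LOG = """\
192.0.2.44 - - [09/Feb/2026:02:11:01 +0000] "GET /api/v2/ping HTTP/1.1" 200 17
192.0.2.44 - - [09/Feb/2026:02:11:02 +0000] "POST /api/v2/devices HTTP/1.1" 500 0
192.0.2.44 - - [09/Feb/2026:02:11:03 +0000] "POST /api/v2/devices HTTP/1.1" 500 0
192.0.2.44 - - [09/Feb/2026:02:11:04 +0000] "POST /api/v2/devices HTTP/1.1" 200 42
192.0.2.44 - - [09/Feb/2026:02:11:05 +0000] "GET /api/v2/ping HTTP/1.1" 200 17
192.0.2.44 - - [09/Feb/2026:02:11:06 +0000] "POST /api/v2/devices HTTP/1.1" 500 0
192.0.2.44 - - [09/Feb/2026:02:11:07 +0000] "POST /api/v2/devices HTTP/1.1" 500 0
192.0.2.44 - - [09/Feb/2026:02:11:08 +0000] "POST /api/v2/devices HTTP/1.1" 200 42
192.0.2.44 - - [09/Feb/2026:02:11:09 +0000] "GET /api/v2/ping HTTP/1.1" 200 17
192.0.2.44 - - [09/Feb/2026:02:11:10 +0000] "POST /api/v2/devices HTTP/1.1" 500 0
198.51.100.7 - - [09/Feb/2026:02:12:30 +0000] "POST /api/v2/devices HTTP/1.1" 500 0
203.0.113.5 - - [09/Feb/2026:02:13:45 +0000] "GET /api/v2/ping HTTP/1.1" 200 17
10.20.30.40 - - [09/Feb/2026:02:14:00 +0000] "GET /admin/ HTTP/1.1" 200 4096
10.20.30.40 - - [09/Feb/2026:02:14:05 +0000] "POST /admin/login HTTP/1.1" 302 0
10.20.30.41 - - [09/Feb/2026:02:15:10 +0000] "GET /admin/ HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log(text):
    """Parse Common Log Format lines into dicts, skipping malformed ones."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def is_internal(ip_str, nets=INTERNAL_NETS):
    """True if the address falls inside one of the expected source networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def triage(entries, vendor_iocs=VENDOR_IOCS, threshold=0.5):
    """Count external requests per source and measure IOC coverage.

    Returns the number of external requests, a Counter per source, the
    busiest source and its share of volume, the share of volume coming from
    IOC-listed sources, and 'flagged': sources at or above `threshold` of
    the volume that the vendor IOC list does not name.
    """
    by_source = Counter(e["ip"] for e in entries if not is_internal(e["ip"]))
    external = sum(by_source.values())
    if external == 0:
        return {"external": 0, "by_source": by_source, "top_source": None,
                "top_share": 0.0, "ioc_share": 0.0, "flagged": []}
    top_source, top_count = by_source.most_common(1)[0]
    ioc_hits = sum(n for ip, n in by_source.items() if ip in vendor_iocs)
    flagged = sorted(ip for ip, n in by_source.items()
                     if n / external >= threshold and ip not in vendor_iocs)
    return {"external": external, "by_source": by_source,
            "top_source": top_source, "top_share": top_count / external,
            "ioc_share": ioc_hits / external, "flagged": flagged}


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG))
    print(f"external requests: {report['external']}")
    print(f"top source {report['top_source']} = {report['top_share']:.0%} of volume")
    print(f"vendor IOCs cover {report['ioc_share']:.0%} of volume")
    print(f"unlisted high-volume sources: {report['flagged']}")
```

On the constructed sample the busiest external address accounts for about 83% of the volume while the vendor IOC list covers about 8% of it, which is the shape of the mismatch Greynoise described. Volume concentration is a crude signal: it tells you that one source is hammering the appliance, not whether any request succeeded, so it belongs alongside the vendor's integrity checks and IOCs rather than in place of them. The same aggregation works on a real log once the parser is pointed at the appliance's actual format and the internal ranges reflect the networks that are supposed to reach the management plane.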
About the Author

Nate Nelson, Contributing Writer. Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries," the most popular podcast in cybersecurity, and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.