Threat Actor Linked to 83% of Recent Ivanti EPMM Remote Code Execution Attacks

Recent threat intelligence highlights two Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities — CVE-2026-21962 and CVE-2026-24061 — that have attracted significant scrutiny. Although both flaws are being exploited in the wild, the noteworthy point is that a single threat actor, or a closely coordinated group, appears responsible for an estimated 83% of recent remote code execution attempts linked to these vulnerabilities.

Both vulnerabilities are rated as high severity, giving an attacker the ability not only to take control of compromised devices but also to move laterally within a network. It’s not simply the presence of the flaws themselves that distinguishes this situation, but the sustained focus of one operator. Defenders should look for overlapping indicators of compromise, including repeated IP addresses or familiar behavioural patterns, as these may track back to the same source. Swift action is crucial: delaying remediation significantly increases the window of risk, so patching must be prioritised alongside a focused investigation for signs of exploitation.
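An added example, not taken from the reporting or from Ivanti: one way to test whether flagged events overlap is to link any two that share an indicator and measure the share held by the largest resulting cluster. The event records and the field names `src`, `ua` and `tls_fp` are constructed assumptions.

```python
"""Link flagged events that share any indicator (added example)."""

# Constructed sample events, not real telemetry. Field names are assumptions:
# src = source IP, ua = User-Agent, tls_fp = TLS client fingerprint label.
EVENTS = [
    {"src": "192.0.2.10", "ua": "client-A", "tls_fp": "fp-1"},
    {"src": "192.0.2.10", "ua": "client-B", "tls_fp": "fp-1"},
    {"src": "198.51.100.7", "ua": "client-B", "tls_fp": "fp-2"},
    {"src": "198.51.100.7", "ua": "client-C", "tls_fp": "fp-2"},
    {"src": "203.0.113.5", "ua": "client-C", "tls_fp": "fp-3"},
    {"src": "203.0.113.99", "ua": "client-Z", "tls_fp": "fp-9"},
]
INDICATOR_FIELDS = ("src", "ua", "tls_fp")


def cluster_events(events, fields=INDICATOR_FIELDS):
    """Return lists of event indexes, largest cluster first.

    Two events land in the same cluster when a chain of shared indicator
    values connects them (union-find over the event indexes).
    """
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # (field, value) -> index of first event carrying it
    for idx, event in enumerate(events):
        for field in fields:
            value = event.get(field)
            if not value:
                continue  # a missing indicator never links events
            key = (field, value)
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx

    clusters = {}
    for idx in range(len(events)):
        clusters.setdefault(find(idx), []).append(idx)
    return sorted(clusters.values(), key=len, reverse=True)


def dominant_share(events, fields=INDICATOR_FIELDS):
    """Fraction of events that belong to the largest cluster."""
    return len(cluster_events(events, fields)[0]) / len(events) if events else 0.0
```

Widely shared values, such as a default User-Agent string, will link unrelated sources, so exclude them from the field list before trusting the share.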

Ivanti solutions sit at the heart of mobile device management across a range of organisations, making these systems a particularly valuable target. A single breach can expose not just individual endpoints but potentially wider infrastructure as well. Their value as a target explains both the intensity of recent attacks and the urgent tone in security advisories. Past experience indicates that updating mobile fleet management platforms can lag behind other patching routines. If your EPMM deployment is not current, this gap should be closed as a matter of urgency.

For security teams, immediate patching of CVE-2026-21962 and CVE-2026-24061 is essential. In tandem, review logs and monitor endpoints for any anomalous activity, including potential signs of historic compromise. Vigilance is also needed after remediation, and any incident indicators should be shared with sector partners, as the rise of determined lone threat actors is set to continue.

Based on reporting by Bleeping Computer: https://www.bleepingcomputer.com/news/security/one-threat-actor-responsible-for-83-percent-of-recent-ivanti-rce-attacks/