A massive wave of exploitation attempts has followed the disclosure of CVE-2026-1281, a critical pre-authentication Ivanti EPMM vulnerability, the Shadowserver Foundation has warned. Some of it is automated scanning for vulnerable systems, but according to Greynoise and Defused, a suspected initial access broker has been prepping unpatched instances with a “sleeper” webshell for follow-on exploitation by other threat actors. “On February 9, Defused Cyber reported a campaign deploying dormant in-memory Java class loaders to compromised … More
The post Ivanti EPMM exploitation: Researchers warn of “sleeper” webshells appeared first on Help Net Security.
