Ivanti EPMM zero-day

Edge Devices Under Siege: Ivanti Zero-Days, Government Breaches, and CISA's New Mandate Signal a Turning Point for Network Security

Francois

9 min read
Edge Devices Under Siege: Ivanti Zero-Days, Government Breaches, and CISA's New Mandate Signal a Turning Point for Network Security

The Week Your Network Perimeter Became the Front Page

If you're an IT leader who has been deferring that edge device refresh, this week should be your wake-up call.

On February 9, 2026, the European Commission and the Dutch government confirmed they had been breached through actively exploited zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). On the same day, a ransomware attack crippled BridgePay Network Solutions, a payment processing gateway serving local governments across Texas and Florida. And just days earlier, CISA issued Binding Operational Directive 26-02 — ordering all federal civilian agencies to inventory, patch, and remove unsupported edge devices from their networks within strict timelines.

These are not isolated incidents. They form a pattern that every CISO and IT director should internalize: the network perimeter, specifically the edge devices that define it, has become the primary battlefield in 2026's threat landscape.

Ivanti EPMM: A Familiar Target, A Familiar Story

What Happened

On January 29, Ivanti disclosed two critical code injection vulnerabilities in its Endpoint Manager Mobile product: CVE-2026-1281 and CVE-2026-1340. Both carry a CVSS score of 9.8 — the upper boundary of critical severity — and allow unauthenticated remote code execution.

Ivanti acknowledged that a "very limited number of customers" had already been compromised before disclosure. The reality proved far worse. Within 24 hours of disclosure, Rapid7 reported that honeypots recorded hundreds of inbound exploitation attempts from over 130 unique IP addresses, including payloads such as reverse shells, webshell deployments, and automated droppers. The Shadowserver Foundation observed exploitation attempts from at least 13 source IPs by February 1, with over 1,400 EPMM instances still exposed to the internet.

By February 9, the fallout was unmistakable. The Dutch Data Protection Authority (AP) and the Council for the Judiciary (RVDR) confirmed breaches in which attackers accessed employee names, business email addresses, and phone numbers. The European Commission disclosed that its mobile device management infrastructure was also attacked, though it stated the incident was contained within nine hours. CISA added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog with an unusually short three-day remediation deadline for federal agencies. National cyber agencies in Canada and Singapore followed with their own alerts.

Why This Matters Beyond Ivanti

This is not the first time Ivanti EPMM has been exploited as a zero-day. The product was targeted in 2023 (CVE-2023-35078, used to breach Norwegian government ministries) and again in May 2025 (CVE-2025-4427 and CVE-2025-4428, attributed to the China-linked espionage group UNC5221). CISA's KEV catalog now contains 31 Ivanti defects since late 2021, with at least 19 exploited in the past two years alone.

The broader lesson here is not about one vendor. It concerns the systemic risks inherent in mobile device management and edge infrastructure platforms. These products sit at the intersection of identity management, mobile access, and network control — making them extraordinarily valuable targets for both nation-state actors and cybercriminals.

Industry best practice: Any internet-facing management platform should be treated as a Tier 1 critical asset, regardless of vendor. If you are running Ivanti EPMM on-premises, apply the RPM patches immediately and plan for the permanent fix in version 12.8.0.0 (expected Q1 2026). More critically, if your instance was exposed before patching, assume it has been compromised. As watchTowr's Ryan Dewhurst emphasized, organizations exposing vulnerable instances to the internet "must consider them compromised, tear down infrastructure, and instigate incident response processes."

BridgePay Ransomware: When Third-Party Risk Meets Government Services

While the Ivanti story dominated cybersecurity headlines, a ransomware attack on BridgePay Network Solutions quietly disrupted payment processing for local governments across multiple states. The Florida-based company, which processes approximately 40 million transactions monthly, warned customers on February 7 of system-wide outages before confirming it was working with the FBI and U.S. Secret Service to resolve a ransomware incident.

The City of Palm Bay, Florida, was among the first to issue public statements, warning residents that its online billing payment portal was unavailable because of the BridgePay outage. BridgePay has stated it does not believe payment card data was stolen, but its systems remain down with no estimated restoration timeline as of this writing.

This incident reinforces a lesson that too many organizations learn the hard way: your security posture is only as strong as your most vulnerable third-party provider. Government agencies increasingly rely on external payment processors, SaaS platforms, and managed service providers — each of which represents a potential single point of failure and a lateral entry point into sensitive systems.

Recommendation: Conduct a tabletop exercise specifically focused on a critical third-party vendor going offline due to ransomware. Most organizations have disaster recovery plans for their own infrastructure, but have never modeled a scenario in which their payment processor, cloud provider, or managed security provider disappears for weeks.

CISA BOD 26-02: The Regulatory Response Takes Shape

What the Directive Requires

On February 5, CISA issued Binding Operational Directive 26-02, titled "Mitigating Risk From End-of-Support Edge Devices." While this directive is legally binding only for Federal Civilian Executive Branch agencies, it establishes a framework that private sector organizations would be wise to adopt. The directive sets clear timelines:

  1. Immediately: Update each vendor-supported edge device running end-of-support software to a supported version.
  2. Within 3 months: Inventory all edge devices and identify those that are end-of-support; report findings to CISA.
  3. Within 12 months: Remove all end-of-support edge devices from the CISA-identified priority list and replace them with supported alternatives.
  4. Within 18 months: Remove all remaining end-of-support edge devices from agency networks.
  5. Within 24 months: Establish a mature lifecycle management process for continuous discovery and inventory of edge devices approaching end-of-support.

CISA defines "edge devices" broadly to include load balancers, firewalls, routers, switches, wireless access points, network security appliances, IoT edge devices, software-defined networks, and other networking components that route traffic and provide privileged access.

Why Private Sector Leaders Should Care

CISA Acting Director Madhu Gottumukkala stated plainly: "Unsupported devices pose a serious risk to federal systems and should never remain on enterprise networks." CISA Executive Assistant Director for Cybersecurity Nick Andersen added that CISA is "encouraging other organizations to follow our lead."

For organizations operating in regulated industries — healthcare under HIPAA, financial services under SOX, or any entity preparing for CIRCIA reporting requirements [VERIFY: current CIRCIA final rule status expected May 2026] — this directive provides a roadmap. BOD 26-02 aligns with OMB Circular A-130 and represents the clearest articulation yet of the federal government's position that end-of-support devices are an unacceptable risk.

Personal recommendation: Even if your organization is not a federal agency, use BOD 26-02's timeline as a planning template. The phased approach — immediate patching, 90-day inventory, 12-month replacement — is a pragmatic framework that any IT leadership team can adapt to their own environment and budget cycle.

The Convergence: Why Edge Devices Are 2026's Ground Zero

These three stories — Ivanti zero-days, BridgePay ransomware, and CISA's new directive — converge on a single theme: edge infrastructure is being targeted with increasing sophistication and frequency, and organizations that fail to proactively manage these assets will pay the price.

Earlier this month, Palo Alto Networks Unit 42 published findings on a previously undocumented Asia-based cyber espionage group (tracked as TGR-STA-1030) that compromised at least 70 government and critical infrastructure organizations across 37 countries over the past year. The group conducted active reconnaissance against government infrastructure in 155 countries between November and December 2025. Targets included law enforcement agencies, finance ministries, and agencies responsible for economic, trade, and diplomatic functions.

The Check Point Cyber Security Report 2026 further confirmed the trend, finding that attacks have evolved beyond isolated techniques into coordinated campaigns combining AI, identity abuse, ransomware, edge infrastructure exploitation, and social engineering. Their data showed that 90% of organizations encountered risky AI prompts within a three-month monitoring period — a signal that internal AI adoption is outpacing security controls.

An Actionable Framework: The RAPID Edge Security Model

Based on the events of this week and the broader 2026 threat landscape, here is a five-step framework for IT leaders to assess and remediate their edge device exposure:

R — Reconnaissance of your own perimeter. Use external attack surface management tools to identify every internet-facing device and service. If you don't know what's exposed, you cannot defend it. Tools in this space include those from Rapid7, Tenable, and Censys, among others.

A — Audit lifecycle status. Map every edge device against its vendor's end-of-support timeline. Create a living inventory that flags devices within 12 months of end-of-support. This is exactly what CISA is requiring of federal agencies.

P — Patch with urgency, not just cadence. When CISA assigns a three-day remediation window for a KEV entry — as it did for CVE-2026-1281 — that signal should override your normal 30-day patch cycle. Establish an emergency patching protocol for critical edge device vulnerabilities.

I — Isolate and segment. Apply Zero Trust principles to edge infrastructure. Management interfaces for MDM platforms, firewalls, and VPN concentrators should never be directly accessible from the public internet. Network segmentation and conditional access policies are essential.

D — Decommission decisively. End-of-support does not mean "monitor and hope." It means remove. Budget for replacements, plan for transitions, and execute. As CISA stated: "Unsupported devices should never remain on enterprise networks."

Common Mistakes to Avoid

  • Treating vendor advisories at face value. Ivanti said "very limited" customers were compromised. Within days, exploitation was widespread across 130+ IPs with automated attack tooling. Always assume the worst-case scenario and act accordingly.
  • Patching without investigating. For zero-day vulnerabilities, applying the patch is necessary but insufficient. If your system was exposed before the patch, you must conduct a forensic analysis. Threat actors may already have established persistence via web or reverse shells.
  • Ignoring third-party edge exposure. Your organization's edge devices include not only your own firewalls and routers, but also the platforms your vendors use to process your data. BridgePay's ransomware attack is a textbook example of cascading third-party risk.
  • Delaying lifecycle planning. The most expensive edge device replacement is the one you do during an active incident. Proactive lifecycle management is always cheaper than reactive breach response.

What Comes Next

The convergence of nation-state exploitation of edge devices, supply-chain ransomware, and regulatory mandates like BOD 26-02 signals that 2026 will be defined by how organizations manage their network perimeters. The threat actors are coordinated. The attack surface is expanding. And regulators are losing patience with organizations that treat basic hygiene as optional.

For IT leaders, the question is no longer whether to invest in edge device security — it's whether you can afford not to.

Sources

  1. The Record from Recorded Future News — "EU, Dutch government announce hacks following Ivanti zero-days" (February 9, 2026). https://therecord.media/eu-dutch-government-announce-hacks-ivanti-zero-days
  2. The Register — "Dutch data watchdog caught up in Ivanti zero-day attacks" (February 9, 2026). https://www.theregister.com/2026/02/09/dutch_data_protection_ivanti/
  3. Help Net Security — "European Commission hit by cyberattackers targeting mobile management platform" (February 9, 2026). https://www.helpnetsecurity.com/2026/02/09/european-commission-ivanti-epmm-vulnerabilities/
  4. The Record from Recorded Future News — "Payment tech provider for Texas, Florida governments working with FBI to resolve ransomware attack" (February 9, 2026). https://therecord.media/payment-tech-provider-texas-florida-govs-ransomware-attack
  5. CISA — "BOD 26-02: Mitigating Risk From End-of-Support Edge Devices" (February 5, 2026). https://www.cisa.gov/news-events/directives/bod-26-02-mitigating-risk-end-support-edge-devices
  6. CISA Press Release — "CISA Orders Federal Agencies to Strengthen Edge Device Security Amid Rising Cyber Threats" (February 5, 2026). https://www.cisa.gov/news-events/news/cisa-orders-federal-agencies-strengthen-edge-device-security-amid-rising-cyber-threats
  7. CyberScoop — "Ivanti's EPMM is under active attack, thanks to two critical zero-days" (February 4, 2026). https://cyberscoop.com/ivanti-endpoint-manager-mobile-zero-day-vulnerabilities-exploit/
  8. Rapid7 Blog — "Critical Ivanti Endpoint Manager Mobile (EPMM) zero-day exploited in the wild (CVE-2026-1281 & CVE-2026-1340)" (January 30, 2026). https://www.rapid7.com/blog/post/etr-critical-ivanti-endpoint-manager-mobile-epmm-zero-day-exploited-in-the-wild-eitw-cve-2026-1281-1340/
  9. Tenable Blog — "CVE-2026-1281, CVE-2026-1340: Ivanti Endpoint Manager Mobile (EPMM) Zero-Day Vulnerabilities Exploited" (January 30, 2026). https://www.tenable.com/blog/cve-2026-1281-cve-2026-1340-ivanti-endpoint-manager-mobile-epmm-zero-day-vulnerabilities
  10. The Hacker News — "Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released" (February 8, 2026). https://thehackernews.com/2026/01/two-ivanti-epmm-zero-day-rce-flaws.html
  11. Cybersecurity Dive — "Critical flaws in Ivanti EPMM lead to fast-moving exploitation attempts" (February 3, 2026). https://www.cybersecuritydive.com/news/critical-flaws-ivanti-epmm-exploitation/811228/
  12. Bank Info Security — "Ivanti Zero-Days Likely Deployed in EU and Dutch Hacks" (February 9, 2026). https://www.bankinfosecurity.com/ivanti-zero-days-likely-deployed-in-eu-dutch-hacks-a-30717
  13. The Hacker News — "CISA Orders Removal of Unsupported Edge Devices to Reduce Federal Network Risk" (February 6, 2026). https://thehackernews.com/2026/02/cisa-orders-removal-of-unsupported-edge.html
  14. Nextgov/FCW — "CISA orders agencies to patch and replace end-of-life devices, citing active exploitation" (February 5, 2026). https://www.nextgov.com/cybersecurity/2026/02/cisa-orders-agencies-patch-and-replace-end-life-devices-citing-active-exploitation/411227/
  15. Check Point Blog — "The Trends Defining Cyber Security in 2026" (January 2026). https://blog.checkpoint.com/research/the-trends-defining-cyber-security-in-2026-cyber-security-report-2026

Read more