
Attackers Deploy Dormant Backdoors in Ivanti EPMM to Bypass Patching of Latest 0-Days
Threat actors weaponized two Ivanti zero-days so quickly that security teams found web shells already installed on servers. The attackers used arithmetic expansion in bash scripts to slip past authentication entirely.
Researchers at Palo Alto Networks' Unit 42 documented widespread exploitation of two Ivanti EPMM vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, in which attackers moved from initial reconnaissance to deploying persistent backdoors designed to survive patching cycles.
The critical vulnerabilities affecting Ivanti Endpoint Manager Mobile allow unauthenticated remote code execution through a deceptively simple bash arithmetic expansion trick that transforms mobile ...