The Luxembourg Commission de Surveillance du Secteur Financier (CSSF) issued an alert on the active exploitation of two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, which allow unauthenticated remote code execution. It urged supervised entities that use EPMM to review relevant guidance and take appropriate mitigating actions. The CSSF highlighted that, because EPMM is a mobile endpoint management solution, compromise of an EPMM server can have severe impacts, including full control over managed devices, lateral movement, and access to sensitive data. It pointed entities to a report and recommendations published by CIRCL (Computer Incident Center Luxembourg) and reminded firms that such unauthorised malicious access constitutes a major ICT-related incident that must be notified under Circular CSSF 25/893 (DORA) or Circular CSSF 24/847, depending on the type of entity.
Luxembourg Commission de Surveillance du Secteur Financier 2026-02-10
Luxembourg Commission de Surveillance du Secteur Financier warns supervised entities of active Ivanti EPMM remote code execution exploits and reminds incident notification duties
The Luxembourg Commission de Surveillance du Secteur Financier (CSSF) issued an alert about vulnerabilities CVE-2026-1281 and CVE-2026-1340 in Ivanti Endpoint Manager Mobile (EPMM), which enable unauthenticated remote code execution. The CSSF urged entities using EPMM to follow guidance and implement mitigating actions, emphasizing the severe risks of an EPMM server compromise. Entities were reminded to report such incidents under the relevant CSSF Circulars.