
CSSF — Ivanti EPMM: RCE exploited, mandatory DORA notification

On 10 February 2026, the CSSF warned of two actively exploited Ivanti EPMM RCEs (CVE‑2026‑1281/1340) and reminded firms that this constitutes a major ICT incident to notify (Circulars 25/893 and 24/847).

On 10 February 2026, the CSSF warned about two exploited Ivanti EPMM flaws (CVE‑2026‑1281/1340) and reminded that such unauthorised access is a major ICT incident to be notified (CSSF Circulars 25/893 and 24/847). Below is the concrete MDM setup that prevents escalation and evidences compliance.

The facts

On 10 February 2026, the CSSF released a statement on the active exploitation of two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM): CVE‑2026‑1281 and CVE‑2026‑1340. These flaws enable unauthenticated remote code execution on the EPMM server, potentially leading to takeover of managed devices, lateral movement, and access to sensitive data. The CSSF stressed that this type of “malicious unauthorised access” constitutes a major ICT-related incident that must be notified under CSSF Circular 25/893 (DORA) or CSSF Circular 24/847, depending on the entity (CSSF).

The security community has documented compromises and industrial-scale exploitation of these zero-days; a single actor is believed to account for a large share of recent attacks, while Ivanti released temporary fixes and then hardened updates (BleepingComputer). CIRCL Luxembourg has issued a practical report, referenced by the CSSF, listing immediate risk reduction and incident response actions (CIRCL TR‑98).

The applicable legal framework

  • DORA (major ICT incident reporting): CSSF Circular 25/893 implements notification obligations for major incidents and significant cyber threats for DORA entities; in parallel, CSSF Circular 24/847 governs major ICT-related incident notification for other supervised entities. The CSSF explicitly recalls that unauthenticated RCE on EPMM “constitutes a major ICT-related incident that needs to be notified” (CSSF Circular 24/847; CSSF statement of 10/02/2026).
  • NIS 2 (Art. 21) — Cyber risk management measures: asset inventory and protection, access control, patch policies, and event monitoring. Managed mobile endpoints (BYOD/COPE) are explicitly within scope of technical and organisational measures.
  • GDPR (Art. 32) — Security of processing: encryption, confidentiality, integrity, resilience, and capability to restore availability of data. A properly configured MDM (encryption, remote wipe, segregation) is an “appropriate” measure for personal data on devices. See also our view on operational resilience and notification duties.

The technical solution to deploy

Objective: make the MDM/EMM server non-viable as an entry point, prevent escalation if it is compromised, and produce evidence of compliance (DORA/NIS 2/GDPR) that rests on configuration and logs rather than on paper.

  • Hardened and segmented MDM/EMM
    • Network isolation of the EPMM server (dedicated DMZ, reverse proxy, “deny by default” rules, restricted egress), timestamped logs streamed in real time to the SIEM.
    • Phishing-resistant MFA for all admin access (FIDO2/WebAuthn) and least-privilege service accounts.
    • Declarative configuration management (IaC/Ansible) + minimal footprint of modules/plugins; out-of-band security updates and SLA-backed patch management.
  • MDM policies on endpoints
    • Enforced disk encryption with TPM/SE-protected keys, strong screen lock, work containers separating personal/business data.
    • Compliance policies + conditional access: apps and data access only if OS is up to date, device uncompromised, AV/EDR active.
    • Approved app catalogue (allow-listing), no sideloading, selective wipe on offboarding.
  • Detection and response
    • Ingest EPMM logs (auth, policy, API, errors) and mobile telemetry into the SIEM; correlation rules for EPMM RCE and CIRCL IOCs.
    • SOAR playbooks: server isolation, IP blocking, token revocation, device attestation reset, remote wipe if the container is compromised.
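To make the “detection and response” bullet concrete, here is an added example (not code from the page, the CSSF or CIRCL) of the kind of correlation a SIEM rule set would apply to EPMM access logs: an IOC watchlist match, a successful unauthenticated call to an admin API path, and an admin login that skipped phishing-resistant MFA or did not arrive via the reverse proxy. The key=value log format, the sample lines, the watchlist addresses (RFC 5737 documentation ranges) and the proxy network prefix are all constructed assumptions, not Ivanti's real log schema or CIRCL's actual IOCs.

```python
import re

# Constructed log lines in an assumed key=value format; NOT Ivanti's real EPMM log schema.
SAMPLE_LOGS = [
    'ts=2026-02-10T08:01:12Z src=198.51.100.7 user=- method=POST path=/api/v2/admin/config status=200',
    'ts=2026-02-10T08:01:40Z src=10.20.0.5 user=jdoe method=GET path=/api/v2/devices status=200 mfa=yes',
    'ts=2026-02-10T08:02:03Z src=203.0.113.9 user=admin method=POST path=/admin/login status=200 mfa=no',
    'ts=2026-02-10T08:02:30Z src=10.20.0.5 user=- method=POST path=/api/v2/admin/config status=401',
]
# Constructed watchlist standing in for the IOCs a CIRCL report would supply (placeholder address).
WATCHLIST = {"198.51.100.7"}
# Assumed internal prefix of the reverse proxy / admin network in front of EPMM.
PROXY_NETS = ("10.20.",)

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))


def evaluate(event, watchlist=WATCHLIST):
    """Return the names of the correlation rules this single event triggers."""
    hits = []
    src = event.get("src", "")
    path = event.get("path", "")
    status = event.get("status", "")
    if src in watchlist:
        hits.append("ioc_watchlist_match")
    # A 2xx response to an admin API call with no authenticated user is the trace an
    # authentication bypass leaves; the same call with a 401 (last sample line) is noise.
    if event.get("user") == "-" and path.startswith("/api/") and "admin" in path and status.startswith("2"):
        hits.append("unauth_admin_api_success")
    # Successful admin logins must carry phishing-resistant MFA and come through the proxy.
    if path == "/admin/login" and status == "200":
        if event.get("mfa") != "yes":
            hits.append("admin_login_without_mfa")
        if not src.startswith(PROXY_NETS):
            hits.append("admin_login_bypassing_proxy")
    return hits


def correlate(lines, watchlist=WATCHLIST):
    """Map the timestamp of each alerting line to its rule hits; silent lines are dropped."""
    alerts = {}
    for line in lines:
        event = parse(line)
        hits = evaluate(event, watchlist)
        if hits:
            alerts[event["ts"]] = hits
    return alerts


if __name__ == "__main__":
    for ts, rules in correlate(SAMPLE_LOGS).items():
        print(ts, ", ".join(rules))
```

Each rule name maps to a SOAR action from the bullet above (IP block, token revocation, server isolation), which is where the playbook wiring would start.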

Frameworks: ISO/IEC 27001:2022, A.5.9 Inventory of information and other assets, A.8.1 User endpoint devices, A.8.16 Monitoring activities; NIST CSF 2.0, PR.AA (Identity/Access), PR.PS (Platform Security), DE.CM (Continuous Monitoring); CIS Controls v8, C1 (Asset Inventory), C4 (Secure Configuration), C6 (Access Management), C15 (Service Providers).

How Luxgap delivers this

  • Our 24/7 Managed SOC connects EPMM and mobile telemetry to the SIEM, implements EPMM RCE use cases (TTPs, CIRCL IOCs), and orchestrates responses (isolation, revocation, selective wipe) within minutes.
  • Our ISO 27001 governance formalises BYOD/COPE policy, the mobile asset register, out-of-band EMM patching procedures, and auditable evidence: signed logs, configuration reviews, privileged accounts.
  • Our DPO consultants and fractional CISOs align GDPR Art. 32 (risk analyses, wiping policies, encryption), NIS 2 Art. 21, and DORA reporting in Luxembourg (classification, timelines, content), including EMM incident table-tops.

Real-world case in Luxembourg or the EU

A financial professional subject to DORA and NIS 2, using on‑prem EPMM, faced exploitation attempts in February 2026. In 6 weeks, we:

  • placed EPMM behind a shared proxy, enforced FIDO2 MFA for admins, and redesigned roles (minimalist RBAC);
  • rolled out MDM policies encrypting 100% of active devices, with compliance control blocking access when OS is outdated;
  • ingested EPMM and endpoint logs into the SIEM, created RCE correlations + malicious IP watchlists;
  • wrote and tested the DORA playbook: “major” classification, structured notification (context, impact, measures), corrective follow‑up. Outcome: no exfiltration observed, timely CSSF notification as required.

First practical steps

  1. Check EPMM exposure: block any direct Internet access to the admin server; require a proxy/IdP and FIDO2 MFA.
  2. Apply Ivanti patches and harden: upgrade to fixed versions, remove unused modules, segment flows, stream logs to a SIEM.
  3. Enable minimal MDM policies: encryption, strong lock, work container, selective wipe, no sideloading.
  4. Wire logs from EPMM and mobiles to the SOC/SIEM; import CIRCL-recommended IOCs and alert rules.
  5. Prepare the notification (DORA/24‑847): classification template, contacts, timeline, and a 30‑minute dry‑run with business/IT teams.

Official sources
