On January 29, 2026, Ivanti shipped emergency fixes for two zero-days in Endpoint Manager Mobile, CVE-2026-1281 and CVE-2026-1340. Both rated 9.8. Both let an unauthenticated attacker run code on the server that manages an organization’s entire mobile fleet. The root cause is worth sitting with. The bugs lived in legacy bash scripts wired into Apache RewriteMap configurations, the kind of glue code that gets written once, works, and never gets looked at again. The vulnerable handlers had names like map-appstore-url and map-aft-store-url. Helper scripts nobody had thought about in years.

By the time the patch landed, attackers were already inside. Exploitation had started before disclosure, and within days the fallout reached close to a hundred organizations, including the Dutch Data Protection Authority and the Netherlands’ Council for the Judiciary. This was not Ivanti’s first EPMM emergency, or its fifth. CISA has logged 34 exploited Ivanti vulnerabilities since 2021, five of them in EPMM in the last year alone.

Then came the line that should stop you. In its own May 2026 advisory, Ivanti said the quiet part out loud.

Advanced AI models have collapsed the time to exploit from days to hours after disclosure.

Ivanti EPMM security advisory, May 2026

Notice what Ivanti is pointing at. The bugs are the same deferred, legacy, nobody-owns-it code they have always been. What moved is how fast someone can turn one into a breach.

Hold that, because it is the entire argument.