Threat actors are exploiting critical RCE vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti EPMM to deploy AntSword-based webshells. The automated attacks achieve root privilege escalation and rapidly exfiltrate sensitive databases and configuration files containing credentials.