83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure - The Hacker News

83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure Ravie LakshmananFeb 12, 2026Vulnerability / Network Security A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. Threat intelligence firm GreyNoise said it recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026. An estimated 346 exploitation sessions have originated from 193.24.123[.]42, accounting for 83% of all attempts. The malicious activity is designed to exploit CVE-2026-1281 (CVSS scores: 9.8), one of the two critical security vulnerabilities in EPMM, along with CVE-2026-1340 that could be exploited by an attacker to achieve unauthenticated remote code execution. Late last month, Ivanti acknowledged it's aware of a "very limited number of customers" who were impacted following the zero-day exploitation of the issues. Since then, multiple European agencies, including the Netherlands' Dutch Data Protection Authority (AP), Council for the Judiciary, the European Commission, and Finland's Valtori, have disclosed that they were targeted by unknown threat actors using the vulnerabilities. Further analysis has revealed that the same host has been simultaneously exploiting three other CVEs across unrelated software - CVE-2026-21962 (Oracle WebLogic) - 2,902 sessions CVE-2026-24061 (GNU InetUtils telnetd) - 497 sessions CVE-2025-24799 (GLPI) - 200 sessions "The IP rotates through 300+ unique user agent strings spanning Chrome, Firefox, Safari, and multiple operating system variants," GreyNoise said. "This fingerprint diversity, combined with concurrent exploitation of four unrelated software products, is consistent with automated tooling." It's worth noting that PROSPERO is assessed to be linked to another autonomous system called Proton66, which has a history of distributing desktop and Android malware like GootLoader, Matanbuchus, SpyNote, Coper (aka Octo), and SocGholish. GreyNoise also pointed out that 85% of the exploitation sessions beaconed home via the domain name system (DNS) to confirm "this target is exploitable" without deploying any malware or exfiltrating data. The disclosure comes days after Defused Cyber reported a "sleeper shell" campaign that deployed a dormant in-memory Java class loader to compromised EPMM instances at the path "/mifs/403.jsp." The cybersecurity company said the activity is indicative of initial access broker tradecraft, where threat actors establish a foothold to sell or hand off access later for financial gain. "That pattern is significant," it noted. "OAST [out-of-band application security testing] callbacks indicate the campaign is cataloging which targets are vulnerable rather than deploying payloads immediately. This is consistent with initial access operations that verify exploitability first and deploy follow-on tooling later." Ivanti EPMM users are recommended to apply the patches, audit internet-facing Mobile Device Management (MDM) infrastructure, review DNS logs for OAST-pattern callbacks, and monitor for the /mifs/403.jsp path on EPMM instances, and block PROSPERO's autonomous system (AS200593) at the network perimeter level. "EPMM compromise provides access to device management infrastructure for entire organizations, creating a lateral movement platform that bypasses traditional network segmentation," GreyNoise said. "Organizations with internet-facing MDM, VPN concentrators, or other remote access infrastructure should operate under the assumption that critical vulnerabilities face exploitation within hours of disclosure." Update Following the publication of the story, an Ivanti spokesperson shared the below statement with The Hacker News - Ivanti's recommendation remains the same: customers who have not yet patched should do so immediately, and then review their appliance for any signs of exploitation that may have occurred prior to patching. Applying the patch is the most effective way to prevent exploitation, regardless of how IoCs change over time, especially once a POC is available. The patch requires no downtime and takes only seconds to apply. Ivanti has provided customers with high-fidelity indicators of compromise, technical analysis at disclosure, and an Exploitation Detection script developed with NCSC-NL, and continues to support customers as we respond to this threat. The GreyNoise research team told The Hacker News via email that CVE-2026-1281 and CVE-2026-1340 were disclosed by Ivanti as related code injection vulnerabilities in different EPMM components, and that it's tracking both the CVEs under a single deletion tag (CVE-2026-1281). "Given the relationship between the two, organizations should treat both CVEs as equally urgent," it added. (The story was updated after publication to include responses from Ivanti and GreyNoise.) Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cybersecurity, mobile device management, network security, remote code execution, Threat Intelligence, Vulnerability, zero-day Trending News Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data Load More ▼ Popular Resources SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats [Guide] Learn How to Govern AI Agents With Proven Market Guidance [Demo] Discover SaaS Risks and Monitor Every App in Your Environment Detect AI-Driven Threats Faster With Full Network Visibility