Massive Exploitation of Ivanti EPMM Vulnerabilities Traced to Single IP Address
Recent investigations have uncovered that a significant majority of exploitation attempts targeting a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) originate from a single IP address associated with bulletproof hosting services provided by PROSPERO.
Between February 1 and 9, 2026, threat intelligence firm GreyNoise documented 417 exploitation sessions stemming from eight distinct source IP addresses. Remarkably, 346 of these sessions—accounting for 83% of the total—were traced back to the IP address 193.24.123[.]42.
The primary focus of these malicious activities is the exploitation of CVE-2026-1281, a critical vulnerability with a CVSS score of 9.8. This flaw, along with CVE-2026-1340, allows attackers to execute remote code without authentication. Ivanti has acknowledged a limited number of customers affected by zero-day exploits targeting these vulnerabilities.
The impact of these vulnerabilities has been widespread. Several European organizations, including the Dutch Data Protection Authority (AP), the Council for the Judiciary, the European Commission, and Finland's Valtori, have reported being targeted by unknown threat actors leveraging these flaws.
Further analysis indicates that the same IP address has been concurrently exploiting three other unrelated vulnerabilities:
– CVE-2026-21962 (Oracle WebLogic): 2,902 sessions
– CVE-2026-24061 (GNU InetUtils telnetd): 497 sessions
– CVE-2025-24799 (GLPI): 200 sessions
GreyNoise observed that this IP address rotates through over 300 unique user agent strings, encompassing various browsers and operating systems. This diversity, coupled with the simultaneous exploitation of multiple software products, suggests the use of automated tools.
Notably, PROSPERO is linked to another autonomous system, Proton66, known for distributing malware such as GootLoader, Matanbuchus, SpyNote, Coper (also known as Octo), and SocGholish.
An alarming aspect of these exploitation sessions is that 85% of them utilized the domain name system (DNS) to verify the exploitability of targets without deploying malware or exfiltrating data.
In a related development, cybersecurity firm Defused Cyber reported a sleeper shell campaign. This campaign involved deploying a dormant in-memory Java class loader to compromised EPMM instances at the path /mifs/403.jsp. Such activity is indicative of initial access brokers, who establish footholds in systems to later sell or transfer access for financial gain.
Defused Cyber highlighted the significance of this pattern, noting that out-of-band application security testing (OAST) callbacks suggest the campaign is cataloging vulnerable targets rather than deploying payloads immediately. This approach aligns with initial access operations that first verify exploitability before deploying further tools.
In light of these findings, Ivanti EPMM users are strongly advised to:
– Apply Patches: Ensure all security patches are up to date to mitigate known vulnerabilities.
– Audit Infrastructure: Review internet-facing Mobile Device Management (MDM) systems for potential vulnerabilities.
– Monitor DNS Logs: Look for OAST-pattern callbacks that may indicate reconnaissance activities.
– Inspect for Unauthorized Files: Check for the presence of the /mifs/403.jsp path on EPMM instances, which may signal compromise.
– Block Malicious IPs: Implement network perimeter controls to block PROSPERO’s autonomous system (AS200593).
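The following script is an added defensive example, not code from GreyNoise, Defused Cyber or Ivanti. It turns three of the observations above into log checks: the user-agent rotation from a single source, the /mifs/403.jsp sleeper-shell path, and the OAST-style DNS callbacks. Only the IP 193.24.123[.]42, the path /mifs/403.jsp and AS200593 come from the article; the access-log and DNS-log line formats, the sample log lines, the rotation threshold and the OAST label heuristic are constructed assumptions, and the AS200593 prefix list is deliberately left out because it must come from your own BGP or whois source.

```python
import re
from collections import defaultdict

# Indicators taken from the article itself.
SCANNER_IP = "193.24.123.42"      # single source behind 83% of the observed sessions
WEBSHELL_PATH = "/mifs/403.jsp"   # sleeper-shell path reported by Defused Cyber
PROSPERO_ASN = "AS200593"         # perimeter block target; pull its prefixes from BGP/whois, not from here

# Hypothetical thresholds and heuristics (not from the report); tune against your own baseline.
UA_ROTATION_THRESHOLD = 20                       # distinct user agents from one IP in the window
OAST_LABEL_RE = re.compile(r"^[a-z0-9]{12,}$")   # long token-like leftmost DNS label

# Assumed Combined-Log-style access line: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed resolver query log line: "timestamp client qname"
DNS_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+)$")


def parse_access_line(line):
    m = ACCESS_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze_access_log(lines):
    """Return (webshell_path_hits, ua_rotators, known_scanner_hits) for an iterable of log lines."""
    uas_by_ip = defaultdict(set)
    path_hits = []
    known_scanner_hits = 0
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        uas_by_ip[rec["ip"]].add(rec["ua"])
        if rec["path"].split("?", 1)[0] == WEBSHELL_PATH:
            path_hits.append((rec["ip"], rec["ts"], rec["status"]))
        if rec["ip"] == SCANNER_IP:
            known_scanner_hits += 1
    rotators = {ip: len(s) for ip, s in uas_by_ip.items() if len(s) >= UA_ROTATION_THRESHOLD}
    return path_hits, rotators, known_scanner_hits


def analyze_dns_log(lines, allowlist=()):
    """Flag queries whose leftmost label looks like a per-target OAST token under an unknown parent domain."""
    findings = []
    for line in lines:
        m = DNS_LINE_RE.match(line.strip())
        if m is None:
            continue
        qname = m.group("qname").rstrip(".").lower()
        labels = qname.split(".")
        if len(labels) < 3:
            continue
        parent = ".".join(labels[-2:])
        if parent in allowlist:
            continue
        token = labels[0]
        # heuristic: long alphanumeric label mixing letters and digits, e.g. a generated callback token
        if OAST_LABEL_RE.match(token) and any(c.isdigit() for c in token):
            findings.append((m.group("client"), qname))
    return findings


def _build_sample_access_log():
    # Constructed: 25 distinct user agents from the scanner IP, the first request hitting the shell path,
    # plus one ordinary request from an internal admin host.
    lines = []
    for i in range(25):
        path = WEBSHELL_PATH if i == 0 else "/mifs/"
        lines.append(f'{SCANNER_IP} - - [03/Feb/2026:10:00:{i:02d} +0000] "GET {path} HTTP/1.1" '
                     f'200 512 "-" "Mozilla/5.0 (constructed UA {i})"')
    lines.append('10.0.0.5 - - [03/Feb/2026:10:01:00 +0000] "GET /mifs/ HTTP/1.1" '
                 '200 512 "-" "Mozilla/5.0 (constructed admin browser)"')
    return lines


SAMPLE_ACCESS_LOG = _build_sample_access_log()
SAMPLE_DNS_LOG = [  # constructed; .invalid is a reserved TLD used here as a placeholder callback domain
    "2026-02-03T10:00:05Z 10.20.30.40 q3k9x7v2m1p8c4.example-oast.invalid.",
    "2026-02-03T10:00:06Z 10.20.30.40 www.example.com.",
    "2026-02-03T10:00:07Z 10.20.30.40 mail.example.org.",
]

if __name__ == "__main__":
    hits, rotators, scanner_hits = analyze_access_log(SAMPLE_ACCESS_LOG)
    print("shell path hits:", hits)
    print("user-agent rotators:", rotators)
    print("requests from known scanner IP:", scanner_hits)
    print("OAST-like DNS callbacks:", analyze_dns_log(SAMPLE_DNS_LOG))
```

Run it against your EPMM reverse-proxy access log and resolver query log by replacing the two SAMPLE_ lists; any hit on the shell path or any OAST-like callback from the EPMM host is a reason to treat the instance as potentially compromised rather than merely scanned.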
GreyNoise emphasized the critical nature of these threats, stating that compromising EPMM provides attackers with access to an organization’s device management infrastructure. This access can serve as a platform for lateral movement, effectively bypassing traditional network segmentation defenses.
Organizations with internet-facing MDM systems, VPN concentrators, or other remote access infrastructure should operate under the assumption that these systems are potential targets. Proactive measures, including regular patching, vigilant monitoring, and robust access controls, are essential to defend against these sophisticated exploitation attempts.