Massive Exploitation of Ivanti EPMM RCE Vulnerability Traced to Single IP Address
A critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager Mobile (EPMM), identified as CVE-2026-1281, is currently under active exploitation. Alarmingly, 83% of these attacks originate from a single IP address: 193[.]24[.]123[.]42. This IP is registered to PROSPERO OOO (AS200593) and is labeled as bulletproof hosting by Censys. Notably, this IP was absent from many early indicators of compromise (IOCs) shared with defenders.
Understanding the Vulnerabilities
CVE-2026-1281 carries a CVSS score of 9.8, indicating its critical severity. It allows unauthenticated attackers to execute system commands by exploiting Bash arithmetic expansion in backend file-delivery scripts. A second vulnerability, CVE-2026-1340, also with a CVSS score of 9.8, enables similar code execution in another EPMM component.
Ivanti released an advisory on January 29 describing these vulnerabilities. Shortly thereafter, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog. Dutch authorities later confirmed breaches at the Dutch Data Protection Authority (AP) and the Council for the Judiciary (RVDR), indicating that attacks were already underway before many organizations had applied the patches.
Exploitation Patterns and Observations
Between February 1 and 9, GreyNoise recorded 417 exploitation sessions from eight IP addresses. On February 8 alone, 269 sessions were observed, approximately 13 times the earlier daily average. The primary IP, 193[.]24[.]123[.]42, is also linked to attacks on Oracle WebLogic Server, GNU Inetutils telnetd, and GLPI. The attacker employs hundreds of user-agent strings, suggesting automated mass exploitation.
Challenges in Identifying Indicators of Compromise
Some widely shared IOCs did not align with Ivanti exploitation data. For instance, Windscribe VPN exit nodes on M247 infrastructure generated significant traffic, but none targeted Ivanti EPMM. Another IOC pointed to a residential router used only for limited activity. Organizations that blocked only those VPN or residential IPs, but not AS200593, may have overlooked the primary threat source.
Advanced Tactics and Persistent Threats
Approximately 85% of payloads used DNS callbacks to confirm code execution instead of immediately deploying malware. This behavior aligns with initial access broker tactics. Reports also describe sleeper webshells at /mifs/403.jsp that remain dormant until triggered. This means that even patched systems could remain compromised if attackers gained access before the patch was applied.
Recommendations for Organizations
Given the severity and active exploitation of these vulnerabilities, organizations using Ivanti EPMM should take immediate action:
1. Apply Patches Promptly: Ensure that all systems are updated with the latest patches provided by Ivanti to address CVE-2026-1281 and CVE-2026-1340.
2. Monitor Network Traffic: Implement monitoring solutions to detect unusual traffic patterns, especially from IP addresses associated with known malicious activities.
3. Review Access Logs: Regularly review access logs for signs of unauthorized access or exploitation attempts.
4. Implement Network Segmentation: Limit the exposure of critical systems by segmenting networks and restricting access to essential services only.
5. Educate Staff: Provide training to IT staff on recognizing and responding to potential exploitation attempts and the importance of timely patching.
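The "Review Access Logs" recommendation and the indicators above (the AS200593 source address, the /mifs/403.jsp sleeper webshell path, and the hundreds of user-agent strings from one source) can be turned into a small triage pass over an EPMM front-end access log. The script below is an added example written for this article; it is not Ivanti's, GreyNoise's, or Censys's code. It assumes the log is in Apache combined format, that the indicator set is limited to what the article states, and that the user-agent diversity threshold (5 distinct strings per source IP) is a constructed starting point that a defender would tune for their own baseline. The sample log lines are constructed for the demonstration.

```python
"""Triage an Ivanti EPMM access log against the indicators from the article.

Added example, not vendor code. Assumptions: Apache combined log format,
indicator set limited to what the article reports, UA threshold is a guess.
"""
import re
from collections import Counter, defaultdict

# Indicators taken from the article (the IP is given defanged there).
FLAGGED_IPS = {"193.24.123.42"}
WEBSHELL_PATHS = {"/mifs/403.jsp"}
# Assumption: this many distinct user-agents from one source IP is suspicious.
UA_DIVERSITY_THRESHOLD = 5

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def refang(ioc: str) -> str:
    """Turn a defanged IOC such as 193[.]24[.]123[.]42 into a comparable IP string."""
    return ioc.replace("[.]", ".")


def parse_line(line: str):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the path without query string
    return rec


def triage(lines):
    """Return a list of (kind, source_ip, detail) findings for the given log lines.

    kinds: flagged_ip    - request from an IP in FLAGGED_IPS
           webshell_path - request for a known sleeper-webshell path
           ua_churn      - one source IP presented many distinct user-agents
    """
    findings = []
    uas_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped, a real run would count these
        uas_by_ip[rec["ip"]].add(rec["ua"])
        if rec["ip"] in FLAGGED_IPS:
            findings.append(("flagged_ip", rec["ip"], rec["path"]))
        if rec["path"] in WEBSHELL_PATHS:
            findings.append(("webshell_path", rec["ip"], rec["path"]))
    for ip, uas in uas_by_ip.items():
        if len(uas) >= UA_DIVERSITY_THRESHOLD:
            findings.append(("ua_churn", ip, len(uas)))
    return findings


def summarize(findings):
    """Count findings by kind so an analyst sees the shape of the activity at a glance."""
    return dict(Counter(kind for kind, _, _ in findings))


# Constructed sample log: one benign client, five requests from the flagged IP with
# rotating user-agents, one request for the sleeper-webshell path, one garbage line.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Feb/2026:10:00:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '193.24.123.42 - - [08/Feb/2026:10:00:02 +0000] "GET /mifs/ HTTP/1.1" 200 1024 "-" "curl/7.88.1"',
    '193.24.123.42 - - [08/Feb/2026:10:00:03 +0000] "GET /mifs/ HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '193.24.123.42 - - [08/Feb/2026:10:00:04 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '193.24.123.42 - - [08/Feb/2026:10:00:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Go-http-client/1.1"',
    '193.24.123.42 - - [08/Feb/2026:10:00:06 +0000] "GET /mifs/ HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.9 - - [08/Feb/2026:10:05:00 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 18 "-" "Mozilla/5.0"',
    'this line is not an access log record',
]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for kind, ip, detail in results:
        print(f"{kind:14s} {ip:16s} {detail}")
    print(summarize(results))
```

Running the block on the sample prints five `flagged_ip` hits, one `webshell_path` hit for 203.0.113.9, and one `ua_churn` finding for the AS200593 address. The point of the third check is the one the article makes: a source that rotates through many user-agent strings is behaving like mass-exploitation tooling, and that signal survives even when the IP itself is missing from the IOC list you were handed.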
Conclusion
The exploitation of Ivanti EPMM vulnerabilities underscores the persistent threats posed by cyber attackers and the importance of proactive cybersecurity measures. Organizations must remain vigilant, apply patches promptly, and monitor their systems continuously to mitigate the risks associated with such vulnerabilities.