Ethical Hacking News
GreyNoise has discovered that 83% of Ivanti EPMM exploits are linked to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. This alarming finding highlights the growing sophistication of cyber threats and underscores the critical importance of prompt patching and proactive security measures.
GreyNoise found that 83% of Ivanti EPMM exploits are linked to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. The vulnerability, CVE-2026-1281, is one of two critical security vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Malicious activity targeting these vulnerabilities has been reported globally, including in European agencies and organizations. The single IP address, 193.24.123[.]42, accounts for an astonishing 83% of all attempts to exploit the vulnerability. Automated tooling is suspected due to the diversity of user agents and concurrent exploitation of multiple software products. Ivanti EPMM users are advised to apply patches immediately and review DNS logs for suspicious activity.
Threat Intelligence Firm GreyNoise Discovers 83% of Ivanti EPMM Exploits Linked to Single IP Address on Bulletproof Hosting Infrastructure, Exposing Critical Security Vulnerabilities
In a recent revelation that highlights the evolving threat landscape, a prominent threat intelligence firm has identified an alarming trend in the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM). GreyNoise, a well-known threat intelligence firm, has discovered that a staggering 83% of exploitation sessions linked to this vulnerability can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. This finding underscores the growing sophistication and complexity of cyber threats, as well as the critical importance of prompt patching and proactive security measures.
The vulnerability in question, CVE-2026-1281, is one of two critical security vulnerabilities disclosed by Ivanti, along with CVE-2026-1340, which could be exploited to achieve unauthenticated remote code execution. The malicious activity designed to exploit these vulnerabilities has been reported to target a significant number of organizations worldwide, including multiple European agencies such as the Netherlands' Dutch Data Protection Authority (AP), Council for the Judiciary, the European Commission, and Finland's Valtori.
GreyNoise revealed that 417 exploitation sessions were recorded from eight unique source IP addresses between February 1st and 9th, 2026. Notably, an estimated 346 of these exploitation sessions originated from a single IP address, 193.24.123[.]42, accounting for an astonishing 83% of all attempts. This IP address sits on PROSPERO's bulletproof hosting infrastructure, which has been identified as a hub for malicious activity.
Further analysis by GreyNoise revealed that the same host was simultaneously exploiting three other CVEs across unrelated software products, including:
* CVE-2026-21962 (Oracle WebLogic) - 2,902 sessions
* CVE-2026-24061 (GNU InetUtils telnetd) - 497 sessions
* CVE-2025-24799 (GLPI) - 200 sessions
The IP address in question is noted to rotate through over 300 unique user agent strings spanning Chrome, Firefox, Safari, and multiple operating system variants. This diversity of user agents, combined with concurrent exploitation of four unrelated software products, is indicative of automated tooling.
Moreover, the malicious actors involved have been observed using DNS callbacks to confirm that a target is exploitable, without deploying any malware or exfiltrating data. This pattern is significant and suggests initial access operations, in which threat actors establish a foothold and later sell or hand off that access for financial gain.
Ivanti EPMM users are strongly advised to apply the patches immediately, audit their internet-facing Mobile Device Management (MDM) infrastructure, review DNS logs for OAST-pattern callbacks, and monitor for the /mifs/403.jsp path on EPMM instances. Additionally, organizations with internet-facing MDM, VPN concentrators, or other remote access infrastructure are recommended to operate under the assumption that critical vulnerabilities face exploitation within hours of disclosure.
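To make the detection steps above concrete, here is an added Python example (not from the article, GreyNoise or Ivanti) that triages constructed access-log and DNS-log samples: it counts hits on /mifs/403.jsp per source IP, flags source IPs that rotate through many user agents (the automation signal described above), and flags OAST-style DNS callbacks. The log formats, the `oast.example` watchlist suffix and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from math import log2

# Constructed sample access log in combined log format (assumed); documentation-range IPs.
ACCESS_LOG = """\
203.0.113.9 - - [09/Feb/2026:10:01:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
198.51.100.7 - - [09/Feb/2026:10:01:05 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 88 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"
198.51.100.7 - - [09/Feb/2026:10:01:06 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
198.51.100.7 - - [09/Feb/2026:10:01:07 +0000] "GET /mifs/403.jsp?x=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/119.0"
"""
# Constructed DNS query log, one "<client> <qname>" per line (format assumed).
DNS_LOG = """\
10.0.0.5 mdm.example.internal
10.0.0.5 c3p5k2v9f8h1x7q4w6z0.oast.example
10.0.0.6 updates.example.com
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')
OAST_SUFFIXES = ("oast.example",)  # assumed watchlist; replace with the callback domains you see

def triage_access_log(text, ua_threshold=3):
    """Return (hits on /mifs/403.jsp per source IP, IPs using >= ua_threshold distinct user agents)."""
    path_hits = defaultdict(int)
    agents = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, path, ua = m.groups()
        agents[ip].add(ua)
        if path.split("?")[0] == "/mifs/403.jsp":  # ignore any query string
            path_hits[ip] += 1
    rotating = {ip for ip, uas in agents.items() if len(uas) >= ua_threshold}
    return dict(path_hits), rotating

def shannon_entropy(s):
    # Bits per character: random-looking labels score high, hostnames like "mdm" score low.
    return -sum(c / len(s) * log2(c / len(s)) for c in Counter(s).values())

def find_oast_callbacks(text, min_label_len=16, min_entropy=3.0):
    """Flag queries to a watchlisted suffix or with a long, high-entropy leftmost label."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        client, qname = parts
        label = qname.split(".")[0]
        suspicious = len(label) >= min_label_len and shannon_entropy(label) >= min_entropy
        if qname.endswith(OAST_SUFFIXES) or suspicious:
            hits.append((client, qname))
    return hits
```

Tune `ua_threshold` to your own baseline: a single browser rarely presents more than one or two user agents, whereas the host described above used more than 300.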
In response to this growing threat landscape, Ivanti has emphasized the importance of patching and proactive security measures. The company's spokesperson shared a statement highlighting the effectiveness of applying the patch, noting that it requires no downtime and takes only seconds to apply. Ivanti has also provided customers with high-fidelity indicators of compromise, technical analysis at disclosure, and an Exploitation Detection script developed with NCSC-NL.
GreyNoise further underscored the severity of this threat, stating that CVE-2026-1281 and CVE-2026-1340 should be treated as equally urgent vulnerabilities. The firm is tracking both CVEs under a single detection tag (CVE-2026-1281).
In conclusion, the growing threat landscape highlighted by this incident underscores the critical importance of proactive security measures, timely patching, and effective threat intelligence. As organizations continue to navigate the complex and evolving cybersecurity landscape, it is essential to stay vigilant and adopt a proactive approach to protect against emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Growing-Threat-Landscape-Ivanti-EPMM-Exploits-Linked-to-Single-IP-on-Bulletproof-Hosting-Infrastructure-ehn.shtml
https://thehackernews.com/2026/02/83-of-ivanti-epmm-exploits-linked-to.html
https://nvd.nist.gov/vuln/detail/CVE-2026-1281
https://www.cvedetails.com/cve/CVE-2026-1281/
https://nvd.nist.gov/vuln/detail/CVE-2026-1340
https://www.cvedetails.com/cve/CVE-2026-1340/
https://nvd.nist.gov/vuln/detail/CVE-2026-21962
https://www.cvedetails.com/cve/CVE-2026-21962/
https://nvd.nist.gov/vuln/detail/CVE-2026-24061
https://www.cvedetails.com/cve/CVE-2026-24061/
https://nvd.nist.gov/vuln/detail/CVE-2025-24799
https://www.cvedetails.com/cve/CVE-2025-24799/
Published: Wed Feb 18 17:33:01 2026 by llama3.2 3B Q4_K_M