Ivanti EPMM exploits traced to single IP in major attack


Recent findings show that 83% of Ivanti EPMM exploits can be traced back to a single IP address associated with bulletproof hosting infrastructure. This statistic highlights the need for organizations using Ivanti Endpoint Manager Mobile (EPMM) to remain vigilant against potential threats and vulnerabilities. With cyber threats evolving daily, understanding the landscape of these exploits helps organizations secure their infrastructure. In this article, we explore the recent revelations surrounding Ivanti EPMM exploits, the vulnerabilities being targeted, and actionable steps companies can take to protect their assets.

Understanding the Rise of Ivanti EPMM Exploits

The cybersecurity landscape is continually shifting, and the recent activity surrounding the Ivanti EPMM exploits serves as a stark reminder of how critical it is to stay updated on vulnerabilities. The threat intelligence firm GreyNoise reported that between February 1 and 9, 2026, there were 417 recorded exploitation sessions from just eight unique source IP addresses. Remarkably, 346 of these sessions originated from a single IP address: 193.24.123[.]42, which alone accounted for a staggering 83% of all attempted exploits.

This single IP attack exemplifies the trend where attackers utilize automated tools to probe for weaknesses in high-value targets. In this case, the CVE-2026-1281 vulnerability was abused by malicious actors to achieve unauthenticated remote code execution, significantly jeopardizing organizations relying on Ivanti’s mobile management solutions.

Recent Vulnerabilities Targeting Ivanti EPMM

Of the two critical vulnerabilities identified, CVE-2026-1281 stands out with a CVSS score of 9.8, indicating its severity. Alongside this, CVE-2026-1340 also presents a serious risk of exploitation. The urgency surrounding these vulnerabilities has led many European agencies, including the Dutch Data Protection Authority and Finland’s Valtori, to disclose being directly targeted.

The exploit activity isn’t just restricted to Ivanti. Remarkably, the same IP address has been linked to attempts at exploiting three other CVEs across unrelated software. These include:

  • CVE-2026-21962 (Oracle WebLogic) – 2,902 sessions
  • CVE-2026-24061 (GNU InetUtils telnetd) – 497 sessions
  • CVE-2025-24799 (GLPI) – 200 sessions

This simultaneous targeting of multiple vulnerabilities underscores the sophisticated and methodical nature of the current threat landscape.

The Mechanism of Exploitation

GreyNoise reported that the malicious IP rotates through over 300 unique user agent strings, including Chrome, Firefox, and Safari, across various operating systems. This fingerprint diversity indicates the use of automated tooling for exploitation, allowing attackers to probe various systems simultaneously for weaknesses.

Notably, 85% of the exploitation sessions were initiated without deploying malware or exfiltrating data. Instead, it appears that these attackers were merely confirming the exploitability of their targets by beaconing back home through the domain name system (DNS). Such behavior suggests a preliminary assessment phase where attackers gather intelligence before executing more damaging attacks.
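The user-agent rotation described above can be hunted for in web access logs: a source that presents many distinct user agents over few requests looks like tooling rather than a browser or a NAT gateway. The following is an added example, not code from GreyNoise or Ivanti; it assumes Combined Log Format, and the thresholds, function names and sample log lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(lines):
    """Yield (source_ip, user_agent) for well-formed lines; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m["ip"], m["ua"]

def summarize(lines):
    """Return {ip: (request_count, distinct_user_agent_count)}."""
    requests, agents = defaultdict(int), defaultdict(set)
    for ip, ua in parse(lines):
        requests[ip] += 1
        agents[ip].add(ua)
    return {ip: (requests[ip], len(agents[ip])) for ip in requests}

def flag_rotators(lines, min_agents=5, min_ratio=0.5):
    """Flag IPs whose distinct-UA count is high in absolute terms and
    relative to their request volume. A NAT gateway also shows several
    user agents, but each one repeats over many requests, so its ratio
    stays low. Both thresholds are assumptions to tune per environment.
    Returns [(ip, requests, distinct_agents, share_of_all_requests)]."""
    stats = summarize(lines)
    total = sum(n for n, _ in stats.values())
    flagged = [
        (ip, n, k, round(n / total, 2))
        for ip, (n, k) in stats.items()
        if k >= min_agents and k / n >= min_ratio
    ]
    return sorted(flagged, key=lambda row: row[2], reverse=True)

def _line(ip, ua):  # builds one constructed log line
    return f'{ip} - - [05/Feb/2026:10:00:00 +0000] "GET / HTTP/1.1" 404 0 "-" "{ua}"'

# Constructed sample data using documentation IP ranges (RFC 5737).
SAMPLE = (
    [_line("203.0.113.7", f"Mozilla/5.0 (constructed-agent-{i})") for i in range(8)]
    + [_line("198.51.100.20", f"Mozilla/5.0 (office-browser-{i % 3})") for i in range(12)]
    + [_line("192.0.2.55", "Mozilla/5.0 (single-client)") for _ in range(4)]
    + ["truncated or malformed line"]
)

if __name__ == "__main__":
    for row in flag_rotators(SAMPLE):
        print(row)
```

The share column mirrors the concentration measure in the GreyNoise figures: one source accounting for a large fraction of all requests to an internet-facing MDM endpoint is itself worth a look.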

Recommended Actions for Organizations

To protect against the risks posed by Ivanti EPMM exploits, it is crucial for organizations to adopt a proactive stance. Here are several recommended steps:

  • Apply patches immediately: If your organization has not yet patched the identified vulnerabilities, this should be the top priority.
  • Audit internet-facing MDM infrastructure: Regularly assess your Mobile Device Management (MDM) systems for potential access points that could be exploited.
  • Monitor DNS logs: Keep a close eye on your DNS logs for any unusual activity or sign of exploitation attempts.
  • Block malicious IPs: Consider blocking PROSPERO’s autonomous system (AS200593) at your network perimeter.

These measures are critical in maintaining the integrity of your device management infrastructure, as compromised EPMM can open pathways for further attacks within your organization.

Conclusion: The Importance of Vigilance

The intelligence regarding Ivanti EPMM exploits serves as a crucial alert for organizations utilizing this mobile management platform. The fact that a single IP was responsible for 83% of exploitation attempts showcases a concentrated effort by malicious actors targeting unpatched vulnerabilities. Companies are advised to stay ahead of these threats by applying necessary patches, conducting regular audits, and implementing stringent monitoring strategies. As demonstrated by the ongoing cyber threat landscape, failing to address these vulnerabilities can lead to significant repercussions. Stay informed, remain vigilant, and protect your organization’s assets to mitigate the risk of becoming the next victim of such exploits.
