A significant portion of the exploitation attempts targeting a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) has been traced back to a single IP address leveraging bulletproof hosting infrastructure. Threat intelligence firm GreyNoise reported that out of 417 exploitation sessions observed between February 1 and 9, 2026, an overwhelming 83% originated from IP address 193.24.123[.]42.
This concentrated activity is aimed at exploiting CVE-2026-1281, a critical security flaw in Ivanti EPMM that carries a CVSS score of 9.8. This vulnerability, alongside CVE-2026-1340, allows for unauthenticated remote code execution. Ivanti confirmed late last month that a “very limited number” of customers had been impacted by the zero-day exploitation of these issues.
Highly Concentrated Exploitation of Ivanti EPMM Vulnerability
The exploitation is notable for how concentrated its origin is. GreyNoise’s analysis attributes 346 of the 417 observed exploitation sessions to the single address 193.24.123[.]42; the remaining 71 sessions were spread across seven other unique source IP addresses, underlining the dominant role of the one bulletproof-hosted instance.
Broader Exploitation Patterns and Infrastructure
Further analysis by GreyNoise indicates that the same attacker-controlled host has simultaneously been attempting to exploit three other unrelated CVEs across different software products, which is consistent with automated tooling probing a broad attack surface rather than a hand-run campaign against EPMM alone.
Requests from the IP address carry a rotating set of user agent strings mimicking Chrome, Firefox and Safari on several operating system variants. Rotating user agents, combined with simultaneous exploitation of multiple unrelated products, points to automated exploitation tooling. Because the User-Agent header is attacker-controlled, it cannot be relied on to filter this traffic; the source address and the request paths are the usable indicators.
The bulletproof hosting infrastructure used in these attacks is associated with PROSPERO, which is believed to be linked to another autonomous system, Proton66, that has a documented history of distributing desktop and Android malware including GootLoader, Matanbuchus, SpyNote, Coper (also known as Octo) and SocGholish. Shared abuse-tolerant hosting does not by itself tie this scanning to those malware operators, but it does mean the source is unlikely to be taken down quickly through abuse reports.
A significant observation from GreyNoise is that approximately 85% of the exploitation sessions employ out-of-band application security testing (OAST) callbacks via DNS. The injected payload makes the target resolve a unique attacker-controlled hostname; when that lookup arrives at the attacker’s authoritative DNS server, it proves the command executed even though the HTTP response reveals nothing. This confirms exploitability without deploying malware or exfiltrating data, a common tactic for initial access brokers.
This disclosure follows a report from Defused Cyber detailing a “sleeper shell” campaign. This campaign deployed a dormant in-memory Java class loader to compromised EPMM instances, specifically at the path “/mifs/403.jsp.” Defused Cyber characterized this activity as indicative of initial access broker tradecraft, where threat actors establish a foothold with the intention of later selling or handing off access for financial gain.
The pattern of OAST callbacks is particularly significant, according to threat researchers. It points to a campaign focused on cataloging vulnerable targets rather than immediate payload deployment. This approach aligns with initial access operations that prioritize verifying exploitability before introducing further malicious tooling.
Recommendations and Implications for Organizations
Ivanti EPMM users are strongly advised to apply the available patches promptly. Patching closes the entry point but does not by itself tell you whether an instance was already compromised, so instances that were internet-facing before the fix was applied should also be checked for the following indicators. Organizations should audit their internet-facing Mobile Device Management (MDM) infrastructure, review DNS logs from the network segment hosting EPMM for OAST-pattern callbacks, and monitor EPMM instances for requests to the “/mifs/403.jsp” path. Blocking PROSPERO’s autonomous system (AS200593) at the network perimeter is also recommended, with the caveat that a block on one AS stops this source but not an operator who moves to other hosting.
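The DNS-log review and the “/mifs/403.jsp” monitoring recommended above can be scripted. The following is an added example written for this article, not code from GreyNoise, Defused Cyber or Ivanti: it scans constructed BIND-style resolver log lines from the EPMM network segment for OAST callback names, and constructed combined-format access log lines from a reverse proxy in front of EPMM for the sleeper-shell path and the reported source IP. The OAST provider list, the random-label entropy heuristic and its thresholds, the log formats and every sample log line are assumptions made for illustration; only the IP address and the path come from the reporting.

```python
# Added example: hunt for OAST DNS callbacks and /mifs/403.jsp activity in
# constructed log samples. Not code from GreyNoise, Defused Cyber or Ivanti.
import math
import re
from collections import Counter

# Indicator from the GreyNoise report (written 193.24.123[.]42 in the article).
SUSPECT_SOURCE_IPS = {"193.24.123.42"}

# Path where Defused Cyber reported the dormant in-memory class loader.
SLEEPER_SHELL_PATH = "/mifs/403.jsp"

# Assumption: the article names no OAST provider. Starter list of public
# OAST/callback services; extend it with whatever your own detections see.
OAST_SUFFIXES = (
    "interact.sh", "oast.fun", "oast.pro", "oast.live", "oast.site",
    "oast.online", "oast.me", "oastify.com", "burpcollaborator.net",
    "dnslog.cn", "canarytokens.com",
)

# Assumed BIND-style querylog: "... client [@0x..] <src>#<port> (<qname>): query: <qname> IN <type> ..."
DNS_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+ \((?P<qname>\S+)\): query: \S+ IN (?P<qtype>\w+)"
)
# Assumed combined log format from an Apache/nginx proxy in front of EPMM.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random callback IDs score far above names made of words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_qname(qname: str):
    """Return why a DNS name looks like an OAST callback, or None if it does not."""
    name = qname.rstrip(".").lower()
    if any(name == s or name.endswith("." + s) for s in OAST_SUFFIXES):
        return "known-oast-provider"
    # Heuristic for self-hosted OAST: a long, mixed alphanumeric, high-entropy
    # leftmost label (interactsh/Collaborator-style per-probe IDs). Thresholds
    # are assumptions; tune them, as CDN hostnames can trip this rule.
    label = name.split(".")[0]
    if (len(label) >= 20 and any(ch.isdigit() for ch in label)
            and any(ch.isalpha() for ch in label) and shannon_entropy(label) >= 3.5):
        return "random-label"
    return None


def scan_dns_log(lines):
    """Flag resolver queries whose name looks like an OAST callback."""
    findings = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        reason = classify_qname(m["qname"])
        if reason:
            findings.append({"src": m["src"], "qname": m["qname"],
                             "qtype": m["qtype"], "reason": reason})
    return findings


def scan_access_log(lines):
    """Flag requests touching the sleeper-shell path or coming from the reported IP."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["path"].split("?", 1)[0] == SLEEPER_SHELL_PATH:
            reasons.append("sleeper-shell-path")
        if m["src"] in SUSPECT_SOURCE_IPS:
            reasons.append("known-bad-source")
        if reasons:
            findings.append({"src": m["src"], "method": m["method"], "path": m["path"],
                             "status": m["status"], "reasons": reasons})
    return findings


def hunt(dns_lines, access_lines):
    """Combine both scans; internal hosts seen calling out are the IR triage list."""
    dns = scan_dns_log(dns_lines)
    web = scan_access_log(access_lines)
    return {"dns_findings": dns, "web_findings": web,
            "hosts_calling_out": sorted({f["src"] for f in dns})}


# Constructed sample logs (not real captures). 10.20.30.40 plays the EPMM appliance.
DNS_LOG = [
    "10-Feb-2026 03:14:22.118 client @0x7f3a9c01 10.20.30.40#51234 (c8b1gd2p0i4v0ig4x9rsm4a5tjsr2t0k7.oast.fun): query: c8b1gd2p0i4v0ig4x9rsm4a5tjsr2t0k7.oast.fun IN A +E(0)K (10.0.0.2)",
    "10-Feb-2026 03:14:25.002 client @0x7f3a9c01 10.20.30.40#51240 (ntp.corp.example): query: ntp.corp.example IN A +E(0)K (10.0.0.2)",
    "10-Feb-2026 03:15:01.771 client @0x7f3a9c01 10.20.30.40#51277 (x7k2pq9mz4rw1hv8bn3lc6ty5gd0sa.cb.attacker.example): query: x7k2pq9mz4rw1hv8bn3lc6ty5gd0sa.cb.attacker.example IN TXT +E(0)K (10.0.0.2)",
    "10-Feb-2026 03:15:09.300 client @0x7f3a9c02 10.20.30.41#40022 (mail.corp.example): query: mail.corp.example IN MX +E(0)K (10.0.0.2)",
]
ACCESS_LOG = [
    '193.24.123.42 - - [05/Feb/2026:11:02:17 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"',
    '203.0.113.7 - - [05/Feb/2026:11:09:44 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 64 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0"',
    '198.51.100.23 - - [05/Feb/2026:11:10:02 +0000] "GET /mifs/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) Safari/605.1.15"',
    '193.24.123.42 - - [05/Feb/2026:11:11:30 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"',
]

if __name__ == "__main__":
    for key, value in hunt(DNS_LOG, ACCESS_LOG).items():
        print(key, value)
```

Run it as-is to see the two DNS hits (one known provider, one random label on an unknown domain), the three access-log hits, and 10.20.30.40 as the host that needs triage. Two points for real use: a hit on “/mifs/403.jsp” is a lead, not proof, since the path can be reached in ordinary traffic and the loader was described as dormant; and matching only the reported IP will miss the seven other sources GreyNoise observed, which is why the DNS side of the hunt matters more than the address list.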
The compromise of EPMM infrastructure provides attackers with direct access to an organization’s device management capabilities. This can serve as a powerful platform for lateral movement, effectively bypassing traditional network segmentation defenses. Organizations that operate internet-facing MDM, VPN concentrators, or other remote access infrastructure should operate under the assumption that critical vulnerabilities are likely to face exploitation within hours of their disclosure.
Organizations will need to keep monitoring for indicators of compromise tied to these vulnerabilities and this infrastructure. The current emphasis on OAST callbacks points to a reconnaissance phase in which exploitable targets are catalogued before payloads are deployed or access is handed off, so a clean scan today does not mean an instance was never confirmed as exploitable. With exposure windows between disclosure and exploitation now measured in hours, patch management for internet-facing systems has to move at that pace.