Ivanti EPMM Under Fire: Single Bulletproof Host Drives Majority of Zero-Day Exploitation Attempts

Listen to this Post

Featured Image

Introduction

A newly disclosed set of critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) has rapidly become a focal point for large-scale exploitation, exposing how quickly enterprise infrastructure can be probed once a high-impact flaw goes public. Threat intelligence data now shows that the bulk of these attacks are not broadly distributed, but instead heavily concentrated, revealing a coordinated and automated campaign operating from bulletproof hosting tied to known cybercrime ecosystems.

the Original Report

A substantial portion of the exploitation attempts targeting Ivanti EPMM can be traced back to a single IP address hosted on bulletproof infrastructure operated by PROSPERO. According to GreyNoise, between February 1 and February 9, 2026, it observed 417 exploitation sessions originating from just eight unique IP addresses. Remarkably, 346 of those sessions—representing 83% of the total activity—came from one source: 193.24.123[.]42.

These attacks focus on CVE-2026-1281, a critical vulnerability with a CVSS score of 9.8, as well as CVE-2026-1340. Both flaws allow unauthenticated remote code execution, making them highly attractive to threat actors. Ivanti has confirmed that a limited number of customers were affected during early zero-day exploitation before patches were widely deployed.

The campaign has not been limited to private companies. Multiple European public institutions, including the Dutch Data Protection Authority, the Council for the Judiciary, the European Commission, and Finland’s Valtori agency, have publicly acknowledged being targeted through these vulnerabilities.

Further investigation revealed that the same IP address was simultaneously attempting to exploit other unrelated vulnerabilities across different software platforms. These include CVE-2026-21962 in Oracle WebLogic, CVE-2026-24061 in GNU InetUtils telnetd, and CVE-2025-24799 in GLPI, accounting for thousands of additional exploitation sessions. GreyNoise noted that the attacker rotated through more than 300 unique user-agent strings spanning multiple browsers and operating systems, a pattern consistent with automated exploitation tooling rather than manual intrusion attempts.

PROSPERO itself has been linked to the Proton66 autonomous system, an infrastructure previously associated with the distribution of malware families such as GootLoader, Matanbuchus, SpyNote, Octo, and SocGholish. Interestingly, 85% of the observed exploitation sessions did not deploy malware or steal data. Instead, they relied on DNS callbacks to confirm whether a target was vulnerable.

This behavior aligns with findings from Defused Cyber, which recently reported a “sleeper shell” campaign involving a dormant in-memory Java class loader deployed to compromised EPMM instances at the path “/mifs/403.jsp.” Such activity suggests the work of initial access brokers, who specialize in quietly gaining and verifying access to systems before selling that access to other criminal groups. Security researchers emphasize that organizations running internet-facing EPMM instances should patch immediately, audit DNS logs, monitor for suspicious paths, and block PROSPERO’s autonomous system at the perimeter.

What Undercode Say:

The Ivanti EPMM exploitation wave highlights a recurring and increasingly dangerous pattern in modern cybercrime: speed, automation, and monetization over immediate destruction. The fact that more than 80% of exploitation attempts originate from a single IP address is not a sign of amateurism, but of confidence. Bulletproof hosting providers like PROSPERO exist precisely to absorb abuse complaints and law-enforcement pressure, giving attackers a stable launchpad for aggressive scanning and exploitation.

What stands out is not just the focus on Ivanti, but the breadth of targets. Exploiting four unrelated products in parallel strongly suggests the use of a modular scanning and exploitation framework, likely maintained by an access broker or a service provider within the underground economy. This is not a targeted espionage campaign; it is infrastructure-level harvesting at scale.

The heavy use of rotating user-agent strings is another important signal. By mimicking hundreds of browser and operating system combinations, the attacker reduces the effectiveness of basic anomaly detection and signature-based defenses. Combined with DNS-based callbacks instead of immediate payload delivery, this approach minimizes noise while maximizing intelligence gathering. In simple terms, the attacker is quietly building a catalog of exploitable systems.

The involvement of European government agencies also underscores a persistent misconception: that public institutions are harder or less attractive targets. In reality, government MDM and remote access infrastructure can be even more valuable, offering privileged access to large fleets of managed devices and sensitive internal networks. Once EPMM is compromised, it effectively becomes a control plane for lateral movement, bypassing traditional segmentation and perimeter defenses.

The “sleeper shell” technique reported by Defused Cyber fits neatly into this picture. Dormant in-memory loaders are ideal for access brokers because they leave minimal forensic evidence and can be activated later, on demand. This delayed-use strategy allows attackers to sit on access until market demand rises, prices increase, or a buyer with specific objectives emerges.

From a defensive standpoint, the lesson is uncomfortable but clear. Patch timing is no longer measured in weeks or even days. For high-severity vulnerabilities in exposed infrastructure, exploitation can begin within hours, often before organizations have fully assessed their exposure. Blocking known malicious autonomous systems, monitoring DNS for out-of-band callbacks, and treating MDM platforms as high-risk assets are no longer optional practices.

Ultimately, the Ivanti EPMM case is less about a single vendor flaw and more about the maturity of the cybercrime supply chain. Initial access is now a commodity, and vulnerabilities like CVE-2026-1281 are simply raw materials feeding that market.

Fact Checker Results

The concentration of exploitation traffic from a single PROSPERO-hosted IP is supported by GreyNoise telemetry.
Claims of automated tooling are consistent with observed user-agent rotation and multi-CVE targeting.
No evidence contradicts the assessment that most sessions focused on exploit validation rather than payload delivery.

Prediction

Exploitation of Ivanti EPMM will likely continue even after patch adoption increases, as access brokers revisit previously scanned targets. Similar MDM and remote access platforms can expect accelerated probing following future disclosures. Over the next few months, compromised EPMM instances are likely to surface in secondary attacks, including ransomware and data-theft operations, as harvested access is resold across criminal networks.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.twitter.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon