
Ivanti Exploits: Single Actor Behind 83% of Attacks – GreyNoise Report

by Lisa Park - Tech Editor

A concentrated wave of exploitation targeting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) is being traced back to a single source: an IP address hosted on what security researchers are calling “bulletproof” infrastructure. The activity, centered around vulnerabilities CVE-2026-21962 and CVE-2026-24061, highlights the challenges of attribution and defense in the face of sophisticated attackers.

GreyNoise, a threat intelligence firm, has determined that approximately 83% of observed exploitation attempts originate from the IP address 193.24.123.42, which is hosted by PROSPERO OOO (AS200593). Censys has identified PROSPERO OOO as a bulletproof autonomous system – a network designed to tolerate malicious activity, making it difficult to disrupt attackers operating within it.

The vulnerabilities in Ivanti EPMM allow for remote code execution (RCE) without authentication, meaning an attacker can inject and run malicious code on vulnerable systems. Ivanti issued security advisories and hotfixes in response to reports of zero-day exploitation, but the ongoing activity demonstrates the speed at which attackers are attempting to capitalize on these flaws.

Between February 1st and 9th, 2026, GreyNoise observed 417 exploitation sessions targeting these vulnerabilities from eight unique IP addresses. The concentration of activity on February 8th – 269 sessions in a single day – represents a significant spike, nearly thirteen times the daily average of 22 sessions.

Further analysis reveals a pattern of initial access broker activity. A substantial 85% of the exploitation sessions (354 out of 417) utilized OAST-style DNS callbacks to verify command execution, a technique commonly employed by attackers seeking to establish a foothold within a network.

Interestingly, publicly shared indicators of compromise (IoCs) haven’t accurately reflected the primary source of the attacks. GreyNoise’s research indicates that several widely circulated IoCs point to IP addresses associated with Windscribe VPN, which were observed scanning for Oracle WebLogic instances – not exploiting the Ivanti vulnerabilities. This discrepancy suggests that defenders relying solely on these published indicators may be missing the most significant threat actor.

The single IP address responsible for the majority of the Ivanti exploitation isn’t limiting its activity to a single vulnerability. GreyNoise has observed the same IP simultaneously exploiting three other distinct vulnerabilities: CVE-2026-21962 in Oracle WebLogic, CVE-2026-24061 in GNU InetUtils telnetd, and CVE-2025-24799 in GLPI. The Oracle WebLogic flaw saw the highest volume of exploitation sessions, with 2,902 recorded, followed by the telnetd vulnerability at 497 sessions.

The attacker appears to be employing fully automated tooling, rotating through over 300 unique user agent strings – mimicking various browsers and operating systems – to evade detection. This fingerprint diversity, combined with the simultaneous exploitation of multiple unrelated software products, points to a highly sophisticated and adaptable operation.
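The two defensive observations above (published IoCs that do not match the dominant source, and one source rotating through many user agents) are the kind of thing a SOC can check directly against its own sensor data. The following is an added example written for this article, not GreyNoise's or Ivanti's tooling: it parses a constructed set of exploitation-session records (placeholder IPs from the RFC 5737 documentation ranges, made-up user agents, and a made-up `epmm-rce-attempt` tag), computes per-source share and the daily spike ratio, counts distinct user agents per source, and reports which entries of a constructed "published IoC" list were never observed and which top sources that list fails to cover.

```python
from collections import Counter, defaultdict

# Constructed sample of sensor "exploitation session" records (not GreyNoise data).
# Fields: ISO timestamp | source IP | user agent | sensor tag.
# IPs are RFC 5737 documentation addresses and are placeholders, not real IoCs.
SESSION_LOG = """\
2026-02-07T10:01:02Z|203.0.113.7|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0|epmm-rce-attempt
2026-02-07T10:05:12Z|203.0.113.7|curl/8.4.0|epmm-rce-attempt
2026-02-07T11:22:41Z|198.51.100.23|python-requests/2.31|epmm-rce-attempt
2026-02-08T00:15:09Z|203.0.113.7|Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1|epmm-rce-attempt
2026-02-08T00:15:10Z|203.0.113.7|Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0|epmm-rce-attempt
2026-02-08T00:15:11Z|203.0.113.7|Mozilla/5.0 (iPhone; CPU iPhone OS 17_2) Safari/604.1|epmm-rce-attempt
2026-02-08T00:15:12Z|203.0.113.7|Mozilla/5.0 (Android 14; Mobile) Firefox/121.0|epmm-rce-attempt
2026-02-08T03:40:00Z|198.51.100.23|python-requests/2.31|epmm-rce-attempt
2026-02-08T09:12:33Z|198.51.100.99|Mozilla/5.0 (Windows NT 10.0) Chrome/120.0|epmm-rce-attempt
2026-02-09T08:00:00Z|203.0.113.7|Go-http-client/1.1|epmm-rce-attempt
"""

# Constructed "published IoC" list: one address that never shows up in the
# sessions and one minor source, to mirror the article's IoC-mismatch point.
PUBLISHED_IOCS = {"192.0.2.50", "198.51.100.23"}


def parse_sessions(text):
    """Parse pipe-delimited session records into dicts; skip blank/malformed lines."""
    sessions = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, src, ua, tag = parts
        sessions.append({"day": ts[:10], "src": src, "ua": ua, "tag": tag})
    return sessions


def source_share(sessions):
    """Fraction of all sessions attributable to each source IP."""
    counts = Counter(s["src"] for s in sessions)
    total = sum(counts.values())
    return {ip: n / total for ip, n in counts.items()} if total else {}


def daily_spike(sessions):
    """Return (peak_day, peak_count, daily_average) over the days present."""
    per_day = Counter(s["day"] for s in sessions)
    if not per_day:
        return (None, 0, 0.0)
    peak_day, peak_count = max(per_day.items(), key=lambda kv: kv[1])
    return (peak_day, peak_count, len(sessions) / len(per_day))


def ua_diversity(sessions):
    """Distinct user-agent strings seen per source IP (rotation signal)."""
    uas = defaultdict(set)
    for s in sessions:
        uas[s["src"]].add(s["ua"])
    return {ip: len(v) for ip, v in uas.items()}


def ioc_coverage(sessions, published_iocs, top_n=1):
    """Compare a published IoC list with what the sensor actually saw.

    Returns (never_observed, uncovered_top_sources): IoCs absent from the
    sessions, and the top_n sources by volume that the IoC list omits.
    """
    observed = Counter(s["src"] for s in sessions)
    never_observed = set(published_iocs) - set(observed)
    top = [ip for ip, _ in observed.most_common(top_n)]
    uncovered = [ip for ip in top if ip not in published_iocs]
    return never_observed, uncovered


def report(text=SESSION_LOG, published_iocs=PUBLISHED_IOCS):
    """Assemble the defender-facing summary used by the usage block below."""
    sessions = parse_sessions(text)
    peak_day, peak_count, avg = daily_spike(sessions)
    never_seen, uncovered = ioc_coverage(sessions, published_iocs)
    return {
        "sessions": len(sessions),
        "share": source_share(sessions),
        "peak_day": peak_day,
        "spike_ratio": peak_count / avg if avg else 0.0,
        "ua_diversity": ua_diversity(sessions),
        "ioc_never_observed": never_seen,
        "top_sources_not_in_iocs": uncovered,
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

On the constructed sample the dominant source accounts for 70% of sessions and cycles through seven user agents while the other sources use one each; the published list contains an address never observed at all and omits the dominant source. Feeding the same functions real sensor or reverse-proxy records (after the usual exploit-attempt tagging) gives the checks the article implies: which IoCs are stale, which heavy hitters are missing from them, and whether any single source shows the user-agent rotation pattern described above.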

Ivanti has released RPM packages to mitigate the vulnerabilities, and recommends a complete rebuild of the EPMM instance as the most conservative approach. The company’s long-term fix, version 12.8.0.0 of EPMM, is slated for release in the first quarter of 2026.

In a statement to BleepingComputer, an Ivanti spokesperson reiterated the importance of patching, stating that applying the patch “is the most effective way to prevent exploitation, regardless of how IOCs change over time, especially once a POC is available.” The spokesperson also highlighted the availability of an exploitation detection script developed in collaboration with the Netherlands National Cyber Security Centre (NCSC-NL).

The situation underscores the ongoing challenges of defending against targeted attacks, particularly when attackers leverage bulletproof infrastructure and employ sophisticated evasion techniques. The discrepancy between published IoCs and the actual source of exploitation highlights the need for robust threat intelligence and proactive monitoring to effectively detect and respond to these threats.
