83 Percent Of Ivanti EPMM Exploits Traced To Single IP On Bulletproof Hosting Infrastructure

A large share of recent exploitation attempts targeting a critical security flaw in Ivanti Endpoint Manager Mobile (EPMM) has been traced to a single IP address operating on bulletproof hosting infrastructure provided by PROSPERO. According to threat intelligence firm GreyNoise, 83 percent of observed exploit activity between February 1 and 9, 2026 originated from one source, pointing to a concentrated campaign against vulnerable systems. The activity centers on CVE-2026-1281, a critical vulnerability with a CVSS score of 9.8 which, together with CVE-2026-1340, could allow unauthenticated remote code execution on affected EPMM instances.

GreyNoise reported recording 417 exploitation sessions from eight unique source IP addresses during the observation period. Of these, an estimated 346 sessions were traced to 193.24.123[.]42, accounting for the majority of attempts. Ivanti had previously acknowledged that a limited number of customers were impacted by zero-day exploitation of the vulnerabilities, which were disclosed late last month. Since that disclosure, several European entities have confirmed they were targeted using the same flaws, including the Netherlands' Dutch Data Protection Authority (AP) and Council for the Judiciary, the European Commission, and Finland's Valtori. The incidents indicate that threat actors moved quickly to capitalize on publicly known weaknesses in internet-facing mobile device management infrastructure.

Further technical analysis revealed that the same IP address has simultaneously targeted three additional vulnerabilities across unrelated platforms: CVE-2026-21962 in Oracle WebLogic, with 2,902 exploitation sessions; CVE-2026-24061 in GNU InetUtils telnetd, with 497 sessions; and CVE-2025-24799 in GLPI, with 200 sessions. GreyNoise noted that the IP rotates through more than 300 distinct user-agent strings spanning Chrome, Firefox, Safari, and various operating systems. This diversity in fingerprinting patterns, combined with concurrent exploitation of four separate software products, suggests automated tooling rather than manual intrusion attempts. The infrastructure behind the activity is linked to PROSPERO, which researchers assess to be connected to Proton66, an autonomous system previously associated with distributing malware families such as GootLoader, Matanbuchus, SpyNote, Coper (also known as Octo), and SocGholish.

GreyNoise also observed that 85 percent of exploitation sessions performed out-of-band application security testing (OAST) callbacks over DNS to verify whether targets were exploitable, without immediately deploying malware or extracting data. This pattern aligns with findings from Defused Cyber, which recently reported a sleeper shell campaign deploying a dormant in-memory Java class loader to compromised EPMM systems at the path /mifs/403.jsp. Researchers indicated that the behavior resembles initial access broker tradecraft, in which attackers establish a foothold and later sell or transfer that access for financial gain. Organizations using Ivanti EPMM are advised to apply available patches, audit internet-facing MDM deployments, review DNS logs for suspicious callbacks, monitor for activity at the path above, and consider blocking the PROSPERO autonomous system (AS200593) at the network perimeter. GreyNoise emphasized that compromise of EPMM can grant access to device management infrastructure across an entire organization, potentially enabling lateral movement that bypasses conventional network segmentation controls.
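As an added example, not code from the GreyNoise or Defused Cyber reporting, the following Python script applies the indicators above to web-server access logs: it flags the reported source IP, any request to /mifs/403.jsp, and source IPs that rotate through several user-agent strings. The combined log format, the constructed sample lines and the rotation threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Indicators taken from the reporting summarised above.
SLEEPER_SHELL_PATH = "/mifs/403.jsp"
KNOWN_SOURCE_IP = "193.24.123.42"
# Assumption for this example: three or more distinct user agents from one IP is worth a look.
UA_ROTATION_THRESHOLD = 3

# Apache/nginx "combined" log format (assumed deployment format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real captured traffic.
SAMPLE_LOG = """\
193.24.123.42 - - [03/Feb/2026:10:01:02 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
193.24.123.42 - - [03/Feb/2026:10:01:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
193.24.123.42 - - [03/Feb/2026:10:01:09 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 64 "-" "Mozilla/5.0 (X11; Linux) Firefox/121.0"
10.20.30.40 - - [03/Feb/2026:10:02:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (iPhone) Safari/604.1"
10.20.30.40 - - [03/Feb/2026:10:02:30 +0000] "GET /mifs/403.jsp HTTP/1.1" 404 0 "-" "Mozilla/5.0 (iPhone) Safari/604.1"
"""

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(line) for line in text.splitlines()) if m]

def triage(entries):
    """Return {source_ip: set(reasons)} for every source IP matching an indicator."""
    user_agents = defaultdict(set)
    findings = defaultdict(set)
    for e in entries:
        user_agents[e["ip"]].add(e["ua"])
        if e["ip"] == KNOWN_SOURCE_IP:
            findings[e["ip"]].add("known-source-ip")
        # Any request to the sleeper-shell path is flagged, regardless of status,
        # because the guidance is to monitor for activity at that path.
        if e["path"].split("?", 1)[0] == SLEEPER_SHELL_PATH:
            findings[e["ip"]].add("sleeper-shell-path")
    for ip, seen in user_agents.items():
        if len(seen) >= UA_ROTATION_THRESHOLD:
            findings[ip].add("user-agent-rotation")
    return dict(findings)

if __name__ == "__main__":
    for ip, reasons in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(ip, sorted(reasons))
```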
