Eighty-three percent of attempted attacks harnessing the critical Ivanti Endpoint Manager Mobile software vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, between Feb. 1 and Feb. 9 have stemmed from the IP address 193.24.123[.]42, which is on PROSPERO's bulletproof hosting infrastructure, The Hacker News reports.Apart from the Ivanti EPMM flaws, which were reported to have been used to target several government agencies across Europe, the IP address also exploited the Oracle WebLogic bug, tracked as CVE-2026-21962, the GNU InetUtils telnetd bug, tracked as CVE-2026-24061, and the GLPI issue, tracked as CVE-2025-24799, during the same period, according to a GreyNoise report."The IP rotates through 300+ unique user agent strings spanning Chrome, Firefox, Safari, and multiple operating system variants," said GreyNoise researchers, who noted that the diverse and concurrent intrusions indicated automated tooling.Such findings follow a Defused Cyber report detailing that vulnerable Ivanti EPMM instances have been compromised with a dormant in-memory Java class loader through the "/mifs/403.jsp" path."OAST [out-of-band application security testing] callbacks indicate the campaign is cataloging which targets are vulnerable rather than deploying payloads immediately," said Defused Cyber researchers.On Feb. 13, an Ivanti spokesperson said the company's recommendation remains the same: "Customers who have not yet patched should do so immediately, and then review their appliance for any signs of exploitation that may have occurred prior to patching. Applying the patch is the most effective way to prevent exploitation, regardless of how IOCs change over time, especially once a POC is available. The patch requires no downtime and takes only seconds to apply."Ivanti has provided customers with high fidelity indicators of compromise, technical analysis at disclosure, and an Exploitation Detection script developed with NCSC NL, and continues to support customers as we respond to this threat."
Vulnerability Management, Threat Intelligence
Clandestine IP primarily behind attacks exploiting Ivanti EPMM bugs

(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



