• 83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure: a significant share of the exploitation attempts targeting newly disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO.
• Threat intelligence firm GreyNoise said it recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026.
• An estimated 346 of those sessions originated from 193.24.123[.]42, accounting for 83% of all attempts.
• The malicious activity is designed to exploit CVE-2026-1281 (CVSS score: 9.8), one of two critical vulnerabilities in EPMM; chained with CVE-2026-1340, it can be exploited by an attacker to achieve unauthenticated remote code execution.
• Late last month, Ivanti acknowledged it is aware of a "very limited number of customers" who were impacted following zero-day exploitation of the issues.
• Since then, multiple European agencies, including the Netherlands' Data Protection Authority (AP) and Council for the Judiciary, the European Commission, and Finland's Valtori, have disclosed that they were targeted by unknown threat actors using the vulnerabilities.
Article Summaries:
- A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. Threat intelligence firm GreyNoise said it recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026. An estimated 346 exploitation sessions have originated from 193.24.123[.]42, accounting for 83% of all attempts. The malicious activity is designed to exploit CVE-2026-1281 (CVSS scores: 9.8), one of the two critical securi
- Threat activity this week shows one consistent signal - attackers are leaning harder on what already works. Instead of flashy new exploits, many operations are built around quiet misuse of trusted tools, familiar workflows, and overlooked exposures that sit in plain sight. Another shift is how access is gained versus how it’s used. Initial entry points are getting simpler, while post-compromise activity is becoming more deliberate, structured, and persistent. The objective is less about disruption and more about staying embedded long enough to extract value. There’s also growing overlap betwee
- Update: The article initially listed the wrong CVEs. This has now been corrected to list the CVEs CVE-2026-1281 and CVE-2026-1340. Threat intelligence observations show that a single threat actor is responsible for most of the active exploitation of two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340. The security issues have been flagged as actively exploited in zero-day attacks in Ivanti's security advisory, where the company also announced hotfixes. Both flaws received a critical severity rating and allow an attacker to inject co
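The GreyNoise figures above (417 sessions, 346 from one source) come from sessionizing observed exploitation traffic by source IP. A defender reviewing their own EPMM web logs can apply the same idea: refang the published indicator, group each source IP's requests into sessions by inactivity gap, and measure how concentrated the activity is. The following is an added example, not code from the original articles, GreyNoise or Ivanti; the log lines are constructed, the 30-minute session gap is an assumed threshold, and the request paths are generic placeholders rather than the actual exploit URIs (which the page does not give).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def refang(ioc: str) -> str:
    """Turn a defanged indicator as printed in a write-up back into a usable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Source IP reported by GreyNoise as responsible for 83% of sessions (from the article).
KNOWN_SOURCE = refang("193.24.123[.]42")

# Combined Log Format prefix: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def sessionize(lines, gap: timedelta = timedelta(minutes=30)) -> dict:
    """Count sessions per source IP.

    A new session for an IP starts when the time since that IP's previous
    request exceeds `gap` (assumed threshold; tune to your environment).
    Malformed lines are skipped rather than aborting the run.
    """
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    last_seen = {}
    sessions = defaultdict(int)
    for rec in records:
        ip = rec["ip"]
        prev = last_seen.get(ip)
        if prev is None or rec["ts"] - prev > gap:
            sessions[ip] += 1
        last_seen[ip] = rec["ts"]
    return dict(sessions)


def concentration(sessions: dict):
    """Return (top_ip, share): the busiest source and its fraction of all sessions."""
    total = sum(sessions.values())
    if total == 0:
        return None, 0.0
    top_ip = max(sessions, key=sessions.get)
    return top_ip, sessions[top_ip] / total


# Constructed sample log (placeholder paths, not the real exploit requests):
# the known source makes three bursts separated by more than 30 minutes,
# two other hosts make one visit each, and one line is deliberately malformed.
SAMPLE_LOG = [
    '193.24.123.42 - - [09/Feb/2026:01:00:00 +0000] "POST / HTTP/1.1" 200 512 "-" "curl/8.0"',
    '193.24.123.42 - - [09/Feb/2026:01:05:00 +0000] "POST / HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - - [09/Feb/2026:01:00:00 +0000] "GET / HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Feb/2026:01:20:00 +0000] "GET / HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [09/Feb/2026:02:00:00 +0000] "GET / HTTP/1.1" 404 64 "-" "Mozilla/5.0"',
    'this line is not a valid log entry',
    '193.24.123.42 - - [09/Feb/2026:03:00:00 +0000] "POST / HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '193.24.123.42 - - [09/Feb/2026:03:10:00 +0000] "POST / HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '193.24.123.42 - - [09/Feb/2026:05:00:00 +0000] "POST / HTTP/1.1" 200 512 "-" "curl/8.0"',
]


def analyze(lines=SAMPLE_LOG):
    """Sessionize the log and report whether the known bad source dominates it."""
    sessions = sessionize(lines)
    top_ip, share = concentration(sessions)
    return {
        "sessions": sessions,
        "top_ip": top_ip,
        "top_share": share,
        "known_source_seen": KNOWN_SOURCE in sessions,
    }


if __name__ == "__main__":
    result = analyze()
    for ip, n in sorted(result["sessions"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} session(s)")
    print(f"top source {result['top_ip']} holds {result['top_share']:.0%} of sessions")
```

Counting sessions rather than raw requests keeps a single noisy scanner from inflating the numbers, which is the same reason the GreyNoise figures are expressed as sessions; a high concentration from one source hosted on bulletproof infrastructure is a strong signal to block at the edge and to review that host's requests for post-exploitation activity.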