A newly discovered vulnerability in Ivanti Endpoint Manager Mobile (EPMM) is being heavily exploited, with most attempts traced back to a single IP address linked to a bulletproof hosting provider named PROSPERO. According to GreyNoise, a threat intelligence organization, 83% of the 417 exploitation sessions detected between February 1 and 9, 2026, originated from the IP address 193.24.123[.]42.
Exploit Details and Impact
The vulnerability in question, identified as CVE-2026-1281, carries a critical CVSS score of 9.8 and is one of two severe flaws in EPMM. The second flaw, CVE-2026-1340, also allows unauthenticated remote code execution. Ivanti has acknowledged that a limited number of customers were affected by these zero-day exploits.
European agencies such as the Dutch Data Protection Authority, the European Commission, and Finland's Valtori have reported being targeted by threat actors leveraging these vulnerabilities. The exploitation is characterized by the use of over 300 unique user-agent strings from the same source, indicating that automated tooling is in use.
Connection to Broader Threat Activities
Further investigation reveals that the same IP address is also launching exploitation attempts against three other CVEs across different software platforms. GreyNoise notes that the automation behind these attacks matches practices observed in other cyber threat campaigns.
PROSPERO, the hosting service tied to the IP, is linked with Proton66, an autonomous system known for distributing malicious software such as GootLoader and Matanbuchus. Approximately 85% of the exploit attempts used the domain name system (DNS) to confirm that targets were vulnerable without deploying malware, suggesting a focus on gathering intelligence for potential future attacks.
Protective Measures and Recommendations
In light of these findings, cybersecurity experts recommend that Ivanti EPMM users apply available patches promptly, inspect their Mobile Device Management (MDM) infrastructure, and scrutinize DNS logs for signs of exploitation activity. Monitoring requests to the /mifs/403.jsp path on EPMM systems and blocking PROSPERO's autonomous system (AS200593) at the network perimeter is also advised.
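The following script is an added example of how the monitoring advice above could be turned into a first-pass detection: it scans web access logs for requests to /mifs/403.jsp, flags the reported source address and the user-agent rotation described earlier, and checks DNS logs for EPMM appliances resolving names outside an allowlist. It is not GreyNoise or Ivanti code. The combined access-log format, the minimal "timestamp client qname" DNS log format, the appliance address 10.0.0.20, the suffix example-corp.internal, and the callback name oob-callback.example are all assumptions; the log lines are constructed for the demo.

```python
"""Flag the Ivanti EPMM indicators from the GreyNoise report in access and DNS logs.

Added example, not GreyNoise or Ivanti code. Log formats are assumed (combined
access log; a minimal "timestamp client qname" DNS log) and all sample lines are
constructed. Only the source IP and the watched path come from the report.
"""
import re
from collections import defaultdict

REPORTED_SOURCE_IP = "193.24.123.42"   # from the report
WATCH_PATH = "/mifs/403.jsp"           # from the report

# Constructed sample access log (combined format). Not real telemetry.
SAMPLE_ACCESS_LOG = """\
193.24.123.42 - - [03/Feb/2026:10:01:12 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) scanner-a"
193.24.123.42 - - [03/Feb/2026:10:01:13 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "curl/8.1.0"
193.24.123.42 - - [03/Feb/2026:10:01:14 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [03/Feb/2026:10:05:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)"
10.0.0.5 - - [03/Feb/2026:10:05:02 +0000] "GET /mifs/403.jsp HTTP/1.1" 403 120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)"
"""

# Constructed sample DNS log: "<timestamp> <client> <qname>". The callback name is a
# placeholder under the reserved .example TLD, not a real indicator.
SAMPLE_DNS_LOG = """\
2026-02-03T10:01:12Z 10.0.0.20 epmm-updates.example-corp.internal
2026-02-03T10:01:13Z 10.0.0.20 a1b2c3d4.oob-callback.example
2026-02-03T10:01:14Z 10.0.0.99 www.example.org
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
DNS_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+)$')


def parse_access_log(text):
    """Parse combined-format access log lines into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(ACCESS_RE.match, text.splitlines()) if m]


def flag_access_entries(entries, ua_threshold=3):
    """Per source IP: hits on the watched path, distinct user agents, and the reasons flagged.

    ua_threshold is deliberately low for the demo. The reported campaign rotated 300+
    agents from one address, while a NAT gateway legitimately shows some diversity,
    so tune this per environment.
    """
    per_ip = defaultdict(lambda: {"watch_hits": 0, "user_agents": set()})
    for e in entries:
        rec = per_ip[e["ip"]]
        rec["user_agents"].add(e["ua"])
        if e["path"].split("?", 1)[0] == WATCH_PATH:   # ignore any query string
            rec["watch_hits"] += 1

    findings = {}
    for ip, rec in per_ip.items():
        reasons = []
        if ip == REPORTED_SOURCE_IP:
            reasons.append("reported source ip")
        if rec["watch_hits"] and len(rec["user_agents"]) >= ua_threshold:
            reasons.append("watch path probed with rotating user agents")
        elif rec["watch_hits"]:
            reasons.append("watch path hit")       # lower confidence: review, not alert
        if reasons:
            findings[ip] = {"watch_hits": rec["watch_hits"],
                            "distinct_ua": len(rec["user_agents"]),
                            "reasons": reasons}
    return findings


def unexpected_dns_queries(text, epmm_hosts, allowed_suffixes):
    """Names resolved by EPMM appliances that fall outside the allowlist.

    The report says most attempts used DNS to confirm exploitability without dropping
    malware, so an appliance resolving an unfamiliar external name deserves a look.
    """
    hits = []
    for m in map(DNS_RE.match, text.splitlines()):
        if not m or m["client"] not in epmm_hosts:
            continue
        qname = m["qname"].rstrip(".").lower()
        if not any(qname == s or qname.endswith("." + s) for s in allowed_suffixes):
            hits.append((m["client"], qname))
    return hits


if __name__ == "__main__":
    for ip, finding in flag_access_entries(parse_access_log(SAMPLE_ACCESS_LOG)).items():
        print(ip, finding)
    for client, qname in unexpected_dns_queries(SAMPLE_DNS_LOG, {"10.0.0.20"},
                                                ("example-corp.internal",)):
        print("unexpected DNS query from EPMM host:", client, qname)
```

In practice the access-log portion would be fed from the EPMM appliance's web server logs and the DNS portion from the resolver serving the appliance's subnet; the allowlist should cover Ivanti's update and licensing endpoints and internal names, so anything left over is a small, reviewable list.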
GreyNoise highlights the significant risk posed by compromised EPMM systems, which could enable lateral movement within organizational networks while bypassing traditional security controls. Organizations with internet-facing MDM or remote access systems should assume that newly disclosed vulnerabilities will be exploited shortly after disclosure.
In conclusion, the exploitation of Ivanti EPMM’s vulnerabilities by a single IP address underscores the need for heightened security measures and quick patch management to mitigate potential breaches.
