Ivanti RCE attacks have been largely attributed to a single threat actor, responsible for a shocking 83% of recent exploits targeting vulnerabilities CVE-2026-21962 and CVE-2026-24061 in Ivanti Endpoint Manager Mobile (EPMM). This critical security flaw allows unauthenticated attackers to inject code and achieve remote code execution (RCE) on vulnerable systems.
According to threat intelligence from GreyNoise, a single IP address is the primary source of this malicious activity. This IP, hosted on bulletproof infrastructure, underscores the severity and focused nature of these exploits. Ivanti has released hotfixes to address these vulnerabilities, which were actively exploited in zero-day attacks.
Understanding the Scope of Ivanti RCE Attacks
Between February 1st and 9th, GreyNoise observed 417 exploitation sessions originating from eight unique source IP addresses. The dominant IP address, 193[.]24[.]123[.]42, accounted for 83% of this activity. This IP is hosted by PROSPERO OOO (AS200593), an autonomous system known for its use in targeting various software products.
A significant spike in activity occurred on February 8th, with 269 recorded sessions – nearly 13 times the daily average. Further analysis revealed that 85% of these sessions used OAST-style DNS callbacks to verify command execution capability, suggesting initial access broker activity.
The concentration of exploitation activity around a single IP highlights the need for defenders to look beyond widely published IOC lists.
Bulletproof Infrastructure and Multi-Targeting
The IP address responsible for the majority of the Ivanti RCE attacks is not exclusively targeting Ivanti products. It was also observed exploiting vulnerabilities in Oracle WebLogic (CVE-2026-21962), GNU Inetutils Telnetd (CVE-2026-24061), and GLPI (CVE-2025-24799). The Oracle WebLogic flaw saw the highest volume of exploitation, followed by the Telnetd issue. This suggests a broad-based attack strategy aimed at compromising multiple systems.
Exploitation activity appears to be fully automated, with the attacker rotating through hundreds of user agents. This indicates a sophisticated and well-resourced operation. related Fraudulents news
Mitigation and Remediation Strategies
While Ivanti has released fixes for CVE-2026-1281 and CVE-2026-1340, these are not permanent solutions. The company plans to release complete patches with EPMM version 12.8.0.0 in the first quarter of this year. Until then, Ivanti recommends using RPM packages 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x, and RPM 12.x.1.x for EPMM versions 12.5.1.0 and 12.6.1.0.
The most conservative approach is to rebuild the EPMM instance and migrate all data to the new instance.
Focus on Ivanti RCE Attacks
The concentration of these Ivanti RCE attacks underscores the importance of proactive security measures and continuous monitoring. Organisations should prioritize patching vulnerable systems and implementing robust threat detection mechanisms.
Source: BleepingComputer




