Ivanti RCE attacks have been largely attributed to a single threat actor, responsible for a shocking 83% of recent exploitation attempts targeting CVE-2026-21962 and CVE-2026-24061 in Ivanti Endpoint Manager Mobile (EPMM). These critical vulnerabilities, actively exploited in zero-day attacks, allow for remote code execution (RCE) without authentication, prompting Ivanti to release urgent hotfixes.
According to threat intelligence from GreyNoise, a single IP address hosted on bulletproof infrastructure is the primary source of this malicious activity. Between February 1st and 9th, their monitoring platform identified 417 exploitation sessions originating from eight unique source IPs, all focused on exploiting CVE-2026-21962 and CVE-2026-24061.
The dominant IP address, 193[.]24[.]123[.]42, is hosted by PROSPERO OOO (AS200593), an autonomous system previously identified by Censys analysts as a bulletproof host used for targeting various software products. The activity peaked on February 8th, with 269 recorded sessions, a significant increase from the daily average of 22 sessions.
Of the 417 exploitation sessions, 85% utilized OAST-style DNS callbacks to confirm command execution capability, suggesting initial access broker (IAB) activity. This implies the attacker is likely selling access to compromised systems to other malicious actors.
“Defenders blocking only published indicators are likely missing the dominant exploitation source.”
The Scope of Ivanti RCE Attacks
Interestingly, while some published Indicators of Compromise (IoCs) include IP addresses associated with Windscribe VPN (185[.]212[.]171[.]0/24), these were observed scanning Oracle WebLogic instances, but not engaged in Ivanti exploitation.
The PROSPERO OOO IP address isn’t solely focused on Ivanti. It was also observed exploiting CVE-2026-21962 in Oracle WebLogic, CVE-2026-24061 in GNU Inetutils Telnetd, and CVE-2025-24799 in GLPI. The Oracle WebLogic vulnerability saw the highest volume of exploitation attempts, with 2,902 sessions, followed by the Telnetd issue with 497 sessions.
Mitigation and Remediation
Ivanti’s initial fixes for CVE-2026-1281 and CVE-2026-1340 are temporary. The company has promised to release complete patches in the first quarter of this year with the release of EPMM version 12.8.0.0. Until then, it’s recommended to use RPM packages 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x, and RPM 12.x.1.x for EPMM versions 12.5.1.0 and 12.6.1.0.
Ivanti advises that the most secure approach involves rebuilding the EPMM instance and migrating all data. Instructions for this process are available on their forums. For more related Fraudulents news, stay tuned to The Financial Standard.
Staying Ahead of Cyber Threats
The vendor also notes that exploitation activity appears fully automated, rotating between hundreds of user agents. The discovery that one actor is responsible for the majority of these Ivanti RCE attacks underscores the importance of proactive threat hunting and robust security measures.
Organizations using Ivanti EPMM should immediately apply the recommended mitigations and monitor their systems for suspicious activity. This incident also highlights the critical role of threat intelligence in identifying and blocking malicious actors before they can cause significant damage.
Source: BleepingComputer




