Single Actor Drives 83% of Ivanti EPMM RCE Attacks

by CyberNewsAI Admin
Vulnerability Watch | Threat Intelligence

Executive Summary

Threat intelligence indicates a highly concentrated and automated campaign targeting two critical, actively exploited zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) that together allow unauthenticated remote code execution. A single, unidentified threat actor operating from bulletproof hosting is responsible for over 83% of observed exploitation attempts. The primary Indicator of Compromise (IOC) for this activity, the source IP address, is absent from widely published lists, so organizations relying solely on public threat feeds are likely blind to the dominant source. Immediate patching and proactive threat hunting are required. A note on identifiers: CVE-2026-21962 and CVE-2026-24061 are the Oracle WebLogic and GNU Inetutils telnetd vulnerabilities that the same actor targets from the same infrastructure (see Multi-Vulnerability Campaign below); they are not the EPMM CVEs, which should be taken from Ivanti's advisory.

Key Findings

Concentrated Threat Source

Intelligence from GreyNoise shows that between February 1st and 9th, 83% of 417 observed exploitation sessions originated from a single IP address: 193[.]24[.]123[.]42. This IP is hosted by PROSPERO OOO (AS200593), an autonomous system identified as bulletproof infrastructure used for malicious activities. A significant spike occurred on February 8th, with 269 sessions recorded in a single day.

Attack Vector and Automation

Adversaries are exploiting the two EPMM zero-days to achieve unauthenticated remote code execution (RCE). Analysis shows 85% of exploitation sessions used OAST-style DNS callbacks to verify command execution: the injected command makes the appliance resolve a unique subdomain of an attacker-controlled domain, so a lookup arriving at the attacker's authoritative DNS server confirms the payload ran, without the attacker needing an HTTP listener the appliance can reach. This verify-and-catalogue pattern is commonly associated with Initial Access Brokers (IABs) preparing compromised assets for resale to follow-on operators. The campaign appears fully automated, rotating through approximately 300 distinct User-Agent strings across sessions.

Ineffective Public IOC Lists

Crucially, the dominant attack source IP (193[.]24[.]123[.]42) is not on widely published IOC lists for this threat. Defenders blocking only published indicators are likely failing to mitigate the primary source of these attacks. Furthermore, some public IOCs, such as IPs from the 185[.]212[.]171[.]0/24 (Windscribe VPN) range, were observed scanning for Oracle WebLogic vulnerabilities, not exploiting Ivanti products.

Multi-Vulnerability Campaign

The actor behind IP 193[.]24[.]123[.]42 is simultaneously targeting multiple vulnerabilities from the same infrastructure, indicating a broad, opportunistic campaign. In addition to the Ivanti flaws, this IP was observed launching 2,902 attack sessions against CVE-2026-21962 in Oracle WebLogic, 497 sessions against CVE-2026-24061 in GNU Inetutils Telnetd, and attacks against CVE-2025-24799 in GLPI.

Mitigation & Recommendations

Immediate Actions

  • Patch Immediately: Ivanti has released hotfixes as RPM packages, and the vendor states that applying them requires no downtime. This is the most effective mitigation. Choose the package by EPMM version: the 12.x.0.x RPM for 12.5.0.x, 12.6.0.x and 12.7.0.x, and the 12.x.1.x RPM for 12.5.1.0 and 12.6.1.0.
  • Run Detection Scripts: Run the exploitation-detection script published by Ivanti and NCSC-NL against each appliance to look for signs of exploitation that occurred before the hotfix was applied. Patching stops new exploitation but does not remove the artifacts of an earlier compromise.

Threat Hunting & IOCs

  • Update Blocklists: Add 193[.]24[.]123[.]42 to perimeter blocklists and SIEM alerting with high priority, and search historical web, proxy and firewall logs back to at least February 1st for the same address. Blocking prevents future sessions; it says nothing about what already happened.
  • Analyze DNS Logs: Hunt in resolver logs for queries from the EPMM appliance and other internet-facing systems to OAST service domains or to unexpected, random-looking subdomains. An EPMM appliance has no legitimate reason to resolve such names, so a hit indicates that injected commands executed.
  • Re-evaluate IOC Feeds: Do not rely solely on published IOCs. This campaign shows that the dominant source can sit entirely outside the indicators in circulation, while some published indicators (the Windscribe VPN range noted above) are not even targeting the product in question. Treat feeds as a starting point and validate them against your own telemetry.
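The three signals described in the Key Findings and in the hunting bullets above (one source IP dominating the session count, that IP rotating User-Agent strings, and the appliance making DNS lookups to OAST callback domains) can be pulled out of ordinary logs with a short script. The following is an added example written for this briefing; it is not GreyNoise's, Ivanti's or NCSC-NL's tooling. It assumes web access logs in Apache/nginx "combined" format and a three-column DNS export (timestamp, client IP, query name) such as `zeek-cut ts id.orig_h query < dns.log` produces; the OAST domain list, the appliance address, and every sample log line are constructed for illustration, and the request paths are placeholders rather than the exploit endpoints.

```python
"""Hunt for the EPMM exploitation pattern: dominant source IP, rotating
User-Agents, OAST-style DNS callbacks. Added example, not vendor tooling.
Assumed inputs: "combined" format access logs and a tab-separated DNS export
(timestamp, client IP, query name). All sample lines below are constructed."""
import re
from collections import defaultdict

# Dominant source reported by GreyNoise for 1-9 February.
DOMINANT_IP = "193.24.123.42"

# Apex domains of widely used out-of-band (OAST) callback services.
# Assumption: illustrative list; add the domains of your own pentest tooling
# so that authorised testing is recognised as well.
OAST_DOMAINS = (
    "interact.sh", "oast.pro", "oast.live", "oast.site", "oast.online",
    "oast.fun", "oast.me", "oastify.com", "burpcollaborator.net",
)

# Combined log format: ip ident user [ts] "method path proto" status bytes "ref" "ua"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access(lines):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in lines:
        m = ACCESS_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def summarize_sources(lines):
    """Per source IP: request count, distinct User-Agent count and share of all
    requests. Many User-Agents from one IP is the automation signal."""
    by_ip = defaultdict(lambda: {"requests": 0, "user_agents": set()})
    total = 0
    for rec in parse_access(lines):
        total += 1
        by_ip[rec["ip"]]["requests"] += 1
        by_ip[rec["ip"]]["user_agents"].add(rec["ua"])
    return {
        ip: {
            "requests": d["requests"],
            "distinct_user_agents": len(d["user_agents"]),
            "share": d["requests"] / total,
        }
        for ip, d in by_ip.items()
    }


def is_oast_name(qname):
    """True if qname is an OAST apex domain or any subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in OAST_DOMAINS)


def oast_callbacks(dns_lines, client_ips=None):
    """Return (ts, client, qname) for queries to OAST domains. Restrict to
    client_ips (e.g. the EPMM appliances) or pass None to search all clients."""
    hits = []
    for line in dns_lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 3:
            continue
        ts, client, qname = parts[0], parts[1], parts[2]
        if client_ips is not None and client not in client_ips:
            continue
        if is_oast_name(qname):
            hits.append((ts, client, qname))
    return hits


def hunt(access_lines, dns_lines, appliance_ips, watch_ips=(DOMINANT_IP,)):
    """Combine both signals into one report for the SIEM or IR ticket."""
    sources = summarize_sources(access_lines)
    top = max(sources.items(), key=lambda kv: kv[1]["requests"])[0] if sources else None
    return {
        "watched_sources_seen": {ip: sources[ip] for ip in watch_ips if ip in sources},
        "top_source": top,
        "oast_callbacks": oast_callbacks(dns_lines, appliance_ips),
    }


# Constructed sample data. Paths are placeholders, not the exploit endpoints.
SAMPLE_ACCESS = [
    '193.24.123.42 - - [08/Feb/2026:10:00:01 +0000] "POST /api/placeholder HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '193.24.123.42 - - [08/Feb/2026:10:00:03 +0000] "POST /api/placeholder HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '193.24.123.42 - - [08/Feb/2026:10:00:05 +0000] "POST /api/placeholder HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '193.24.123.42 - - [08/Feb/2026:10:00:07 +0000] "POST /api/placeholder HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '193.24.123.42 - - [08/Feb/2026:10:00:09 +0000] "POST /api/placeholder HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.5 - - [08/Feb/2026:10:01:00 +0000] "GET /admin HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2)"',
]
SAMPLE_DNS = [
    "1770544801.123\t10.10.20.15\tc3f1a9b2.oast.fun",   # appliance -> OAST: callback
    "1770544802.456\t10.10.20.15\ttime.nist.gov",       # benign lookup
    "1770544803.789\t10.10.20.40\tzx9q2k.interact.sh",  # another host -> OAST
]
EPMM_APPLIANCES = {"10.10.20.15"}  # assumed appliance address

if __name__ == "__main__":
    import json
    print(json.dumps(hunt(SAMPLE_ACCESS, SAMPLE_DNS, EPMM_APPLIANCES), indent=2))
```

On the constructed data the report shows 193.24.123.42 as the top source with five of six requests and four distinct User-Agents, and one OAST callback from the appliance. On real logs, feed `summarize_sources` the full retention window rather than a single day, since the point of the GreyNoise finding is that the concentration only becomes obvious in aggregate, and run `oast_callbacks` with `client_ips=None` once so that callbacks from hosts you did not think were internet-facing are not missed.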

Strategic Recommendations

  • Plan for the Permanent Patch: Ivanti has stated that the current RPM hotfixes are interim. Prepare to deploy the complete fix in EPMM version 12.8.0.0, scheduled for Q1 2026.
  • Consider Instance Rebuild: Per vendor guidance, the most conservative approach is to build a new, clean EPMM instance and migrate all data. This mitigates the risk of persistent compromise on an exploited appliance.
