Saturday, February 14, 2026

One threat actor responsible for 83% of recent Ivanti RCE attacks

Threat intelligence observations show that a single threat actor is responsible for most of the active exploitation of two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-21962 and CVE-2026-24061.

The security issues were flagged as actively exploited in zero-day attacks in Ivanti’s security advisory, where the company also announced hotfixes.

Both flaws received a critical severity rating and allow an attacker to inject code without authentication, leading to remote code execution (RCE) on vulnerable systems.

A single IP address hosted on bulletproof infrastructure is responsible for over 83% of the exploitation activity related to the two vulnerabilities, says threat-focused internet intelligence company GreyNoise.

Between February 1 and 9, the monitoring platform observed 417 exploitation sessions originating from 8 unique source IP addresses, focused on CVE-2026-21962 and CVE-2026-24061.

The largest share, 83%, comes from 193[.]24[.]123[.]42, hosted by PROSPERO OOO (AS200593), which Censys analysts flagged as a bulletproof autonomous system used to target various software products.

[Figure: Attack source IPs. Source: GreyNoise]

A sharp spike occurred on February 8, with 269 sessions recorded in a single day. That figure is almost 13 times the daily average of 22 sessions, GreyNoise noted.

Of the 417 exploitation sessions, 354 (85%) used OAST-style DNS callbacks to verify command execution capability, pointing to initial access broker activity.

Interestingly, several published indicators of compromise (IoCs) include IP addresses for Windscribe VPN (185[.]212[.]171[.]0/24) that appear in GreyNoise telemetry scanning Oracle WebLogic instances, but with no Ivanti exploitation activity.

The researchers note that the PROSPERO OOO IP address they observed “is not on widely published IOC lists, meaning defenders blocking only published indicators are likely missing the dominant exploitation source.”

This IP is not limited to Ivanti targeting, as it concurrently exploited three more vulnerabilities: CVE-2026-21962 in Oracle WebLogic, CVE-2026-24061 in GNU Inetutils Telnetd, and CVE-2025-24799 in GLPI.

The Oracle WebLogic flaw accounted for the lion’s share of session volume, dwarfing the rest with 2,902 sessions, followed by the Telnetd issue with 497 sessions.

Exploitation activity appears fully automated, rotating through 300 user agents.
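The two observations above, that a published IoC list (here the Windscribe VPN /24) can miss the dominant source, and that a single-day spike stands out against the daily average, are the kind of thing a defender checks with a small script rather than by eye. The following is an added example, not code from the article or from GreyNoise or Ivanti: it parses defanged indicators, matches log source IPs against single hosts and CIDR ranges, reports how many sessions the published list alone would have caught versus published plus telemetry-derived indicators, and flags days whose session count is well above the baseline. The two indicators come from the article; the log lines, request paths and the `factor` threshold are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Indicators in the defanged notation IoC feeds use. PUBLISHED_IOCS mirrors the
# Windscribe VPN range the article says appears on published lists;
# TELEMETRY_IOCS is the PROSPERO OOO address GreyNoise observed. Both values
# are taken from the article text.
PUBLISHED_IOCS = ["185[.]212[.]171[.]0/24"]
TELEMETRY_IOCS = ["193[.]24[.]123[.]42"]

# Constructed sample of access-log-style sessions, "<date> <source IP> <request>".
# These lines are made up for the example; they are not real telemetry.
SAMPLE_LOG = """\
2026-02-07 193.24.123.42 POST /login
2026-02-07 203.0.113.9 GET /login
2026-02-08 193.24.123.42 POST /login
2026-02-08 193.24.123.42 POST /login
2026-02-08 185.212.171.17 GET /login
2026-02-09 198.51.100.4 GET /login
"""

LOG_LINE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<ip>[0-9a-fA-F.:]+) ")


def refang(indicator: str) -> str:
    """Turn the defanged 'a[.]b[.]c[.]d' form back into a parsable address string."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


def build_blocklist(indicators):
    """Parse single IPs and CIDR ranges into ip_network objects; skip malformed entries."""
    nets = []
    for raw in indicators:
        try:
            nets.append(ipaddress.ip_network(refang(raw), strict=False))
        except ValueError:
            continue  # one bad feed entry must not abort the whole match run
    return nets


def matches(ip: str, blocklist) -> bool:
    """True if the address falls inside any listed host or range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in blocklist)


def parse_sessions(log_text):
    """Yield (date, source_ip) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.group("date"), m.group("ip")


def coverage(log_text, published, telemetry):
    """Compare what the published list alone catches with published + telemetry.

    Returns (published_hits, combined_hits, unmatched) session counts.
    """
    pub = build_blocklist(published)
    comb = build_blocklist(published + telemetry)
    published_hits = combined_hits = unmatched = 0
    for _, ip in parse_sessions(log_text):
        if matches(ip, pub):
            published_hits += 1
        if matches(ip, comb):
            combined_hits += 1
        else:
            unmatched += 1
    return published_hits, combined_hits, unmatched


def daily_spikes(log_text, factor=3.0):
    """Return {date: ratio} for days whose session count exceeds `factor` times
    the mean of all other days (a leave-one-out baseline)."""
    per_day = Counter(date for date, _ in parse_sessions(log_text))
    flagged = {}
    for day, n in per_day.items():
        others = [v for d, v in per_day.items() if d != day]
        baseline = sum(others) / len(others) if others else 0
        if baseline and n > factor * baseline:
            flagged[day] = round(n / baseline, 2)
    return flagged


if __name__ == "__main__":
    print("published / combined / unmatched:",
          coverage(SAMPLE_LOG, PUBLISHED_IOCS, TELEMETRY_IOCS))
    print("spike days:", daily_spikes(SAMPLE_LOG, factor=1.5))
```

On the constructed sample the published list alone catches one of six sessions, while adding the telemetry-derived address catches four; the two remaining sessions come from addresses on neither list. The leave-one-out baseline in `daily_spikes` keeps the spike day itself from inflating the average it is compared against, which matters when one day holds most of the volume, as February 8 did in GreyNoise's data.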

[Figure: Targeted vulnerabilities. Source: GreyNoise]

Ivanti’s fixes for CVE-2026-1281 and CVE-2026-1340 are not permanent. The company promised to release full patches in the first quarter of this year, with the release of EPMM version 12.8.0.0.

Until then, it is recommended to use RPM packages 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x, and RPM 12.x.1.x for EPMM versions 12.5.1.0 and 12.6.1.0.

The vendor notes that the most conservative approach is to build a replacement EPMM instance and migrate all data to it. Instructions on how to do that are available here.
