Menace intelligence observations present {that a} single risk actor is chargeable for a lot of the energetic exploitation of two essential vulnerabilities in Ivanti Endpoint Supervisor Cellular (EPMM), tracked as CVE-2026-21962 and CVE-2026-24061.
The security points have been flagged as actively exploited in zero-day assaults in Ivanti’s security advisory, the place the corporate additionally introduced hotfixes.
Each flaws acquired a essential severity ranking and permit an attacker to inject code with out authentication, resulting in distant code execution (RCE) on weak methods.
A single IP deal with hosted on bulletproof infrastructure is chargeable for over 83% of exploitation exercise associated to the 2 vulnerabilities, says threat-focused web intelligence firm GreyNoise.
Between February 1st and ninth, the monitoring platform noticed 417 exploitation periods originating from 8 distinctive supply IP addresses, and centered on CVE-2026-21962 and CVE-2026-24061.
The very best quantity, 83%, comes from 193[.]24[.]123[.]42, hosted by PROSPERO OOO (AS200593), which Censys analysts marked as a bulletproof autonomous system used to focus on varied software program merchandise.
Supply: GreyNoise
A pointy spike occurred on February 8, with 269 recorded periods in a single day. The determine is nearly 13 instances the each day common of twenty-two periods, GreyNoise famous.
Of the 417 exploitation periods, 354 (85%) used OAST-style DNS callbacks to confirm command execution functionality, pointing to preliminary entry dealer exercise.
Curiously, a number of printed indicators of compromise (IoCs) embody IP addresses for Windscribe VPN (185[.]212[.]171[.]0/24) current in GreyNoise telemetry as scanning Oracle WebLogic situations, however no Ivanti exploitation exercise.
The researchers observe that the PROSPERO OOO IP deal with they noticed “shouldn’t be on broadly printed IOC lists, that means defenders blocking solely printed indicators are probably lacking the dominant exploitation supply.”
This IP shouldn’t be restricted to Ivanti focusing on, because it concurrently exploited three extra vulnerabilities: CVE-2026-21962 in Oracle WebLogic, CVE-2026-24061 in GNU Inetutils Telnetd, and CVE-2025-24799 in GLPI.
The Oracle WebLogic flaw had the lion’s share in session volumes, dwarfing the remainder with 2,902 periods, adopted by the Telnetd challenge with 497 periods.
Exploitation exercise seems absolutely automated, rotating between 300 consumer brokers.
Supply: GreyNoise
Ivanti’s fixes for CVE-2026-1281 and CVE-2026-1340 aren’t everlasting. The corporate promised to launch full patches within the first quarter of this yr, with the discharge of EPMM model 12.8.0.0.
Till then, it is strongly recommended to make use of RPM packages 12.x.0.x for EPMM variations 12.5.0.x, 12.6.0.x, and 12.7.0.x, and RPM 12.x.1.x for EPMM variations 12.5.1.0 and 12.6.1.0.
The seller notes that essentially the most conservative strategy is to construct a alternative EPMM occasion and migrate all information there. Directions on how to try this can be found right here.
Trendy IT infrastructure strikes quicker than guide workflows can deal with.
On this new Tines information, learn the way your group can scale back hidden guide delays, enhance reliability via automated response, and construct and scale clever workflows on high of instruments you already use.
