According to GreyNoise, a large portion of exploitation attempts against Ivanti Endpoint Manager Mobile (EPMM) were traced to a single bulletproof hosting IP address operated by PROSPERO, with 417 exploitation sessions from 8 unique source IP addresses recorded between 1 and 9 February 2026. An estimated 346 exploitation sessions originated from 193.24.123[.]42, accounting for 83% of all attempts.
The campaigns targeted CVE-2026-1281 (CVSS 9.8) and CVE-2026-1340, two critical EPMM remote code execution flaws that Ivanti acknowledged were being exploited as zero-days. Additional analysis found the same host exploiting three other CVEs across unrelated software: CVE-2026-21962 (Oracle WebLogic) with 2,902 sessions, CVE-2026-24061 (GNU InetUtils telnetd) with 497 sessions, and CVE-2025-24799 (GLPI) with 200 sessions.
GreyNoise noted that the IP rotates through 300+ unique user agent strings and that the activity appeared automated, with fingerprint diversity and concurrent exploitation across multiple products. Ivanti said there was a "very limited number of customers" impacted by the zero-day exploitation, and urged patching, DNS and network monitoring, and blocking PROSPERO’s AS200593 at the perimeter.
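
The user-agent rotation described above is something a defender can look for in their own web access logs. The following is an added example, not code from GreyNoise or Ivanti: it flags source IPs that present nearly one new user agent per request. The Combined Log Format, the thresholds, the request path and the sample lines (RFC 5737 documentation addresses) are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def ua_rotation_suspects(lines, min_uas=5, min_ratio=0.8):
    """Return {ip: (requests, distinct_uas)} for sources that look like UA rotation.

    A rotating scanner sends close to one new user agent per request. A NAT or
    proxy also shows many user agents, but each repeats across many requests,
    so its distinct/requests ratio stays low. Thresholds are assumed values.
    """
    requests = defaultdict(int)
    agents = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        requests[m["ip"]] += 1
        agents[m["ip"]].add(m["ua"])
    return {
        ip: (requests[ip], len(agents[ip]))
        for ip in requests
        if len(agents[ip]) >= min_uas and len(agents[ip]) / requests[ip] >= min_ratio
    }

def build_sample_log():
    """Constructed sample lines; nothing here is taken from real traffic."""
    ts = "05/Feb/2026:10:00:00 +0000"
    fmt = '{ip} - - [{ts}] "GET /placeholder HTTP/1.1" 404 0 "-" "{ua}"'
    lines = []
    # Rotating source: 12 requests, 12 different user agents.
    for i in range(12):
        lines.append(fmt.format(ip="192.0.2.10", ts=ts, ua=f"ExampleAgent/{i}.0"))
    # NAT-like source: 60 requests spread over only 6 user agents.
    for i in range(60):
        lines.append(fmt.format(ip="198.51.100.7", ts=ts, ua=f"Browser/{i % 6}"))
    # Ordinary client: 3 requests, one user agent.
    lines += [fmt.format(ip="203.0.113.5", ts=ts, ua="Browser/1")] * 3
    lines.append("garbage line that does not parse")
    return lines

if __name__ == "__main__":
    for ip, (n, uas) in ua_rotation_suspects(build_sample_log()).items():
        print(f"{ip}: {uas} distinct user agents in {n} requests")
```

Tune `min_uas` and `min_ratio` against a baseline of your own traffic before alerting on the output.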