83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure

Published: February 12, 2026 at 02:32 AM EST

Source: The Hacker News

Ravie Lakshmanan

Feb 12, 2026 | Vulnerability / Network Security

A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bullet‑proof hosting infrastructure offered by PROSPERO.

Threat‑intelligence firm GreyNoise reported that it recorded 417 exploitation sessions from eight unique source IP addresses between February 1 and 9, 2026. An estimated 346 of those sessions originated from 193.24.123[.]42, accounting for 83% of all attempts.

The malicious activity is designed to exploit CVE‑2026‑1281 (CVSS 9.8), one of two critical vulnerabilities in EPMM; it and the second flaw, CVE‑2026‑1340, could be leveraged for unauthenticated remote code execution. Late last month, Ivanti acknowledged it was aware of a “very limited number of customers” impacted by zero‑day exploitation of the flaws.


Since then, multiple European agencies, including the Dutch Data Protection Authority (AP), the Dutch Council for the Judiciary, the European Commission, and Finland’s Valtori, have disclosed that they were targeted by unknown threat actors using these vulnerabilities.

Additional CVEs Exploited by the Same Host

“The IP rotates through 300+ unique user‑agent strings spanning Chrome, Firefox, Safari, and multiple OS variants,” GreyNoise said. “This fingerprint diversity, combined with concurrent exploitation of four unrelated software products, is consistent with automated tooling.”

Indicators of Compromise

It’s worth noting that PROSPERO is assessed to be linked to another autonomous system, Proton66, which has a history of distributing desktop and Android malware such as GootLoader, Matanbuchus, SpyNote, Coper (Octo), and SocGholish.

GreyNoise also pointed out that 85% of the exploitation sessions beaconed home via DNS to confirm “this target is exploitable” without deploying any malware or exfiltrating data.

The disclosure comes days after Defused Cyber reported a “sleeper shell” campaign that deployed a dormant in‑memory Java class loader to compromised EPMM instances at the path /mifs/403.jsp. The company said the activity is indicative of initial‑access‑broker tradecraft, where threat actors establish a foothold to sell or hand off access later for financial gain.


“That pattern is significant,” GreyNoise noted. “OAST (out‑of‑band application security testing) callbacks indicate the campaign is cataloguing which targets are vulnerable rather than deploying payloads immediately. This is consistent with initial‑access operations that verify exploitability first and deploy follow‑on tooling later.”

Recommendations for Ivanti EPMM Users

  1. Apply the patches for CVE‑2026‑1281 and CVE‑2026‑1340 immediately.
  2. Audit internet‑facing Mobile Device Management (MDM) infrastructure for exposure.
  3. Review DNS logs for OAST‑pattern callbacks.
  4. Monitor for the /mifs/403.jsp path on EPMM instances.
  5. Block PROSPERO’s autonomous system (AS200593) at the network perimeter.
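The three log-based checks above (user‑agent rotation from one source, requests for /mifs/403.jsp, and OAST‑style DNS callbacks) can be scripted against existing web and resolver logs. The following is an added example written for this page, not code from GreyNoise, Defused Cyber or Ivanti. The access‑log lines are constructed in Apache combined format, the DNS lines use an assumed `<timestamp> <client> query <qname>` layout, and the list of public OAST service suffixes, the token pattern and the diversity threshold are assumptions to be tuned to your own environment.

```python
"""Triage helpers for the EPMM activity described above (added example).

Log formats, the OAST suffix list and the thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample access log. The source IP is the one named in the article;
# the requests, timestamps and user-agents are made up for illustration.
ACCESS_LOG = """\
193.24.123.42 - - [03/Feb/2026:10:01:11 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
193.24.123.42 - - [03/Feb/2026:10:01:12 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_2) Safari/605.1"
193.24.123.42 - - [03/Feb/2026:10:01:13 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
193.24.123.42 - - [03/Feb/2026:10:01:14 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1"
10.0.0.5 - - [03/Feb/2026:10:02:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
10.0.0.5 - - [03/Feb/2026:10:02:05 +0000] "GET /mifs/admin HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
"""

# Constructed DNS log: "<timestamp> <client> query <qname>". The layout is assumed.
DNS_LOG = """\
2026-02-03T10:01:12Z epmm01 query k3j9q2m8x1c7v5b4n6z0a2s4d6f8g0h2.oast.fun
2026-02-03T10:01:15Z epmm01 query a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.cb.example.net
2026-02-03T10:01:40Z epmm01 query updates.ivanti.com
2026-02-03T10:02:00Z ws-17 query www.example.org
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed list of public OAST/callback service domains; extend with what you observe.
OAST_SUFFIXES = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online",
                 "oast.me", "oastify.com", "burpcollaborator.net")
# Leftmost label that looks like a machine-generated token: long, lowercase alnum,
# containing both letters and digits (assumed heuristic).
TOKEN_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{20,}$")
SLEEPER_PATH = "/mifs/403.jsp"


def parse_access(log):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    out = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def ua_diversity(records, min_distinct=3):
    """Source IPs presenting at least min_distinct different user-agent strings.

    One client rotating through many UAs is the automated-tooling signal
    GreyNoise describes; a real browser session sends one UA.
    """
    uas = defaultdict(set)
    for r in records:
        uas[r["ip"]].add(r["ua"])
    return {ip: len(s) for ip, s in uas.items() if len(s) >= min_distinct}


def sleeper_shell_hits(records):
    """Requests for the path Defused Cyber associated with the in-memory loader."""
    return [(r["ip"], r["status"]) for r in records
            if r["path"].split("?")[0] == SLEEPER_PATH]


def oast_callbacks(dns_log, suffixes=OAST_SUFFIXES):
    """DNS queries that look like exploit-confirmation callbacks.

    Flags known OAST service domains and, as a weaker signal, any query whose
    leftmost label is a long random-looking token under an unexpected domain.
    """
    dotted = tuple("." + s for s in suffixes)  # avoid matching e.g. "toast.fun"
    hits = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        client, qname = parts[1], parts[3].rstrip(".").lower()
        labels = qname.split(".")
        if qname.endswith(dotted):
            hits.append((client, qname, "known OAST service"))
        elif len(labels) >= 3 and TOKEN_RE.match(labels[0]):
            hits.append((client, qname, "random token label"))
    return hits


if __name__ == "__main__":
    recs = parse_access(ACCESS_LOG)
    print("UA rotation:", ua_diversity(recs))
    print("403.jsp hits:", sleeper_shell_hits(recs))
    print("OAST callbacks:", oast_callbacks(DNS_LOG))
```

Run it against real logs by swapping the constructed strings for file contents. A hit on /mifs/403.jsp from an external address, or a resolver query for a long random label from an EPMM host, is worth treating as a probable compromise rather than a scan: the callback pattern GreyNoise describes means the attacker already knows the host is exploitable.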

“EPMM compromise provides access to device‑management infrastructure for entire organizations, creating a lateral‑movement platform that bypasses traditional network segmentation,” GreyNoise warned. “Organizations with internet‑facing MDM, VPN concentrators, or other remote‑access infrastructure should operate with heightened vigilance under the assumption that critical vulnerabilities face exploitation within hours of disclosure.”
