What happened
Threat intelligence researchers have identified that a single threat actor is responsible for most active exploitation targeting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). According to telemetry from GreyNoise, more than 83% of exploitation attempts against vulnerabilities tracked as CVE-2026-21962 and CVE-2026-24061 originated from a single IP address hosted on bulletproof infrastructure. These vulnerabilities allow unauthenticated attackers to inject code and achieve remote code execution on vulnerable systems. Between February 1 and February 9, researchers observed 417 exploitation sessions, with the majority tied to infrastructure operated through the PROSPERO OOO autonomous system. The activity included automated scanning and exploitation attempts using rotating user agents and DNS callbacks to verify successful command execution, indicating coordinated and systematic attack operations.Â
Who is affected
Organizations running vulnerable versions of Ivanti Endpoint Manager Mobile (EPMM) are affected, particularly systems exposed to external networks that can be accessed and exploited remotely.
Why CISOs should care
The concentration of exploitation activity from a single threat actor highlights the speed at which centralized attackers can weaponize critical vulnerabilities, especially in enterprise device management platforms with broad administrative control.
3 practical actions
- Apply Ivanti security updates immediately. Install vendor-provided hotfixes and patches to remediate CVE-2026-21962 and CVE-2026-24061.
- Audit Ivanti EPMM deployments. Identify exposed systems and review logs for signs of exploitation activity.
- Monitor threat infrastructure indicators. Track activity linked to bulletproof hosting providers and suspicious exploitation telemetry.