Single Threat Actor Responsible for Majority of Ivanti EPMM RCE Exploitation

Related

Hackers Exploit Critical Auth Bypass in Gitea Docker Image

What happened Hackers are actively exploiting a critical authentication bypass...

Zimbra Urges Customers to Patch Critical Web Client XSS Flaw

What happened Zimbra urged customers to patch a critical stored...

Progress Urges ShareFile Customers to Shut Down Servers Over Credible Threat

What happened Progress Software warned ShareFile customers using Storage Zone...

Ubiquiti Discloses 25 Security Flaws Across UniFi Ecosystem

What happened Ubiquiti disclosed 25 security vulnerabilities affecting products across...

AirDrop and Quick Share Flaws Allow Attackers to Crash Nearby Devices

What happened Security researchers disclosed multiple vulnerabilities affecting Apple AirDrop...

Share

What happened

Threat intelligence researchers have identified that a single threat actor is responsible for most active exploitation targeting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). According to telemetry from GreyNoise, more than 83% of exploitation attempts against vulnerabilities tracked as CVE-2026-21962 and CVE-2026-24061 originated from a single IP address hosted on bulletproof infrastructure.  These vulnerabilities allow unauthenticated attackers to inject code and achieve remote code execution on vulnerable systems.  Between February 1 and February 9, researchers observed 417 exploitation sessions, with the majority tied to infrastructure operated through the PROSPERO OOO autonomous system.  The activity included automated scanning and exploitation attempts using rotating user agents and DNS callbacks to verify successful command execution, indicating coordinated and systematic attack operations. 

Who is affected

Organizations running vulnerable versions of Ivanti Endpoint Manager Mobile (EPMM) are affected, particularly systems exposed to external networks that can be accessed and exploited remotely.

Why CISOs should care

The concentration of exploitation activity from a single threat actor highlights the speed at which centralized attackers can weaponize critical vulnerabilities, especially in enterprise device management platforms with broad administrative control.

3 practical actions

  • Apply Ivanti security updates immediately. Install vendor-provided hotfixes and patches to remediate CVE-2026-21962 and CVE-2026-24061.
  • Audit Ivanti EPMM deployments. Identify exposed systems and review logs for signs of exploitation activity.
  • Monitor threat infrastructure indicators. Track activity linked to bulletproof hosting providers and suspicious exploitation telemetry.
IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.