Ivanti EPMM Vulnerability Under Attack: Understanding the Threat Landscape
A recent surge in exploitation attempts targeting Ivanti Endpoint Manager Mobile (EPMM) has raised concerns among cybersecurity professionals. According to threat intelligence firm GreyNoise, a significant share of these attempts can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO.
Between February 1 and 9, 2026, GreyNoise recorded 417 exploitation sessions from 8 unique source IP addresses. An estimated 346 of these sessions, representing approximately 83% of the total, originated from a single IP address. This alarming statistic highlights the concentration of malicious activity and the potential for widespread exploitation.
Understanding the Exploitation Attempts
The exploitation attempts targeting Ivanti EPMM are linked to a newly disclosed security flaw in the platform. This vulnerability, if left unpatched, can provide attackers with an entry point to compromise vulnerable systems. The fact that a single IP address is responsible for the majority of exploitation attempts suggests a coordinated effort by malicious actors.
- The use of bulletproof hosting infrastructure indicates a level of sophistication among the attackers, as these services are designed to provide anonymity and resilience to malicious activities.
- The concentration of exploitation attempts from a single IP address may indicate a command-and-control (C2) server or a central node in a larger attack infrastructure.
- The relatively short timeframe in which these exploitation attempts were observed underscores the rapid pace at which cyber threats evolve and the importance of timely patches and security updates.
Implications and Recommendations
The discovery of these exploitation attempts should serve as a wake-up call for organizations using Ivanti EPMM. It is crucial for these entities to take immediate action to secure their systems and protect against potential attacks. This includes applying patches for the disclosed vulnerability, monitoring network traffic for signs of exploitation, and implementing robust security measures to detect and respond to threats in real time.
Furthermore, the involvement of bulletproof hosting infrastructure in these attacks highlights the need for enhanced collaboration between law enforcement, cybersecurity firms, and hosting providers to dismantle such malicious networks and prevent future attacks.