Ivanti EPMM Exploitation: Single Bulletproof IP Driving Attacks While IOC Lists Mislead


The cybersecurity community is facing a stark reminder of how fast attackers move and how fragile IOC‑based defenses can be. In February 2026, GreyNoise observed active exploitation of Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities. Shockingly, 83% of attacks came from one bulletproof IP address—yet this IP was missing from widely circulated IOC lists. Instead, defenders were blocking VPN exit nodes and compromised residential routers that showed no Ivanti activity.

This blog dives into the technical details, exploitation timeline, and why organizations must rethink their reliance on IOCs for defense.


The Vulnerabilities

Two critical Ivanti EPMM flaws, CVE-2026-1281 and CVE-2026-1340, were disclosed on January 29, 2026. That same day:

  • Ivanti published its advisory.
  • CISA added CVE‑2026‑1281 to the Known Exploited Vulnerabilities catalog with a three‑day remediation deadline.
  • Dutch authorities confirmed compromise of government systems.
  • Proof‑of‑concept code appeared on GitHub.

By the time most organizations saw the advisory, exploitation was already underway.

The Observations

Between February 1 and 9, GreyNoise recorded 417 exploitation sessions from 8 IPs. One IP dominated:

  • 193[.]24[.]123[.]42 (AS200593, PROSPERO OOO): 346 sessions (83%), hosted on bulletproof infrastructure.
  • Other IPs: 71 sessions combined, spread across Netherlands, US, and Hong Kong.

On February 8, activity spiked to 269 sessions in a single day—13× the prior daily average.

Multi‑CVE Exploitation

The dominant IP was not Ivanti‑specific. It simultaneously exploited multiple CVEs:

CVE              Target Software            Sessions
CVE-2026-21962   Oracle WebLogic               2,902
CVE-2026-24061   GNU Inetutils Telnetd           497
CVE-2026-1281    Ivanti EPMM                     346
CVE-2025-24799   GLPI IT Asset Management        200

This breadth of exploitation, combined with rotating user agents, indicates automated tooling rather than manual attacks.

IOC Misalignment

Widely shared IOCs pointed elsewhere:

  • Windscribe VPN exit nodes: 29,588 sessions in 30 days, 99% targeting Oracle WebLogic, zero Ivanti exploitation.
  • Compromised residential router in Sweden: No GreyNoise sessions, suggesting targeted use only.

Defenders blocking only these IOCs risked missing the true exploitation source.

Tradecraft: Initial Access Broker Behavior

GreyNoise found that 85% of payloads used DNS callbacks (OAST) to verify exploitability without deploying malware. Defused Cyber corroborated this with reports of sleeper shells at /mifs/403.jsp, consistent with initial access broker tradecraft: catalog vulnerable systems, establish footholds, and monetize later.

Strategic Implications

  • IOC confidence problem: Shared VPN IPs carry high false‑positive risk; bulletproof hosting IPs show concentrated malicious activity.
  • Compressed exploitation timeline: Same‑day disclosure, government compromise, and proof‑of‑concept release left no buffer for weekend patch cycles.
  • MDM platforms as critical infrastructure: Compromise of EPMM provides organization‑wide device management access, akin to domain controllers.

Recommendations

For Security Leadership

  • Audit whether MDM infrastructure is internet‑facing.
  • Enrich IOC workflows with infrastructure context before blocklisting.
  • Investigate if Ivanti EPMM was unpatched during the exposure window.

For Security Operations

  • Block AS200593 (PROSPERO OOO) at the perimeter.
  • Review DNS logs for OAST callbacks.
  • Monitor for /mifs/403.jsp sleeper shells.
  • Restart EPMM servers to clear in‑memory implants.
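The two log checks above (OAST callbacks in DNS logs and requests to /mifs/403.jsp), run over constructed sample lines, as an added example that is not part of the original post. The OAST domain suffix list, the Apache-style access log format and the BIND-style DNS query log format are assumptions; the path comes from the post.

```python
import re
from collections import Counter

# Constructed sample lines (not from the post): EPMM access log and DNS query log.
ACCESS_LOG = """\
203.0.113.7 - - [08/Feb/2026:10:14:02 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Feb/2026:10:14:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Feb/2026:10:15:41 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 64 "-" "curl/8.4"
""".splitlines()

DNS_LOG = """\
08-Feb-2026 10:14:03.112 queries: info: client 10.20.0.5#51234: query: a1b2c3.oast.fun IN A + (10.20.0.1)
08-Feb-2026 10:14:09.554 queries: info: client 10.20.0.5#51240: query: updates.example.com IN A + (10.20.0.1)
08-Feb-2026 10:16:20.008 queries: info: client 10.20.0.5#51301: query: x9y8z7.interact.sh IN TXT + (10.20.0.1)
""".splitlines()

SLEEPER_SHELL_PATH = "/mifs/403.jsp"  # path named in the post
# Assumed: suffixes of commonly used out-of-band (OAST) services; extend with your own.
OAST_SUFFIXES = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.me",
                 "interact.sh", "burpcollaborator.net", "oastify.com")

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
DNS_RE = re.compile(r'client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)')


def find_sleeper_shell_hits(lines):
    """Return every request to the sleeper-shell path as (ip, method, status),
    plus a per-source-IP count so repeated visitors stand out for triage."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group("path").split("?")[0].lower() == SLEEPER_SHELL_PATH:
            hits.append((m.group("ip"), m.group("method"), int(m.group("status"))))
    return hits, Counter(ip for ip, _, _ in hits)


def find_oast_callbacks(lines):
    """Return (client, qname, qtype) for queries whose name sits under an OAST suffix."""
    out = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if any(qname == s or qname.endswith("." + s) for s in OAST_SUFFIXES):
            out.append((m.group("client"), qname, m.group("qtype")))
    return out
```

A DNS hit identifies the internal client that resolved the callback name, which on an EPMM appliance is the host to examine first.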

For Administrators

  • Patch CVE‑2026‑1281 and CVE‑2026‑1340 immediately.
  • Investigate for compromise indicators: unexpected files, anomalous DNS activity, unauthorized device enrollments.
  • Restrict internet access to EPMM where feasible.

Conclusion

The Ivanti EPMM exploitation campaign demonstrates that not all IOCs are created equal. Shared VPN nodes may look threatening but carry high false‑positive risk, while bulletproof hosting infrastructure often represents the true source of exploitation. Defenders must move beyond blind IOC ingestion and adopt context‑aware strategies that prioritize infrastructure type, observed behavior, and exploitation concentration.
