Full Report
A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. Threat intelligence firm GreyNoise said it recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026. An estimated 346
Analysis Summary
# Incident Report: Mass Exploitation of Ivanti EPMM RCE Flaws
## Executive Summary
Between February 1 and 9, 2026, threat actors aggressively targeted a newly disclosed RCE vulnerability (CVE-2026-1281) in Ivanti Endpoint Manager Mobile (EPMM). Exploitation was overwhelmingly traced to a single IP address (193.24.123[.]42) hosted on PROSPERO bulletproof infrastructure, accounting for 83% of observed attempts. The activity focused heavily on reconnaissance (OAST callbacks), suggesting the actors were validating and cataloging access for later sale or follow-on attacks, though some evidence points to deployment of a dormant shell.
## Incident Details
- **Discovery Date:** February 1, 2026 (Start of recorded exploitation activity by GreyNoise)
- **Incident Date:** February 1 to February 9, 2026
- **Affected Organization:** Ivanti EPMM users; specific organizations publicly disclosed as targeted include Dutch Data Protection Authority (AP), Council for the Judiciary, European Commission, and Finland's Valtori.
- **Sector:** Unspecified (Targeting a Mobile Device Management/Endpoint security solution)
- **Geography:** Global (Targeting internet-facing MDM infrastructure)
## Timeline of Events
### Initial Access
- **Date/Time:** Starting February 1, 2026
- **Vector:** Exploitation of critical, unauthenticated Remote Code Execution (RCE) vulnerability, **CVE-2026-1281** (CVSS 9.8).
- **Details:** 417 total exploitation sessions observed from 8 unique IPs affiliated with PROSPERO AS200593. The primary source IP (193.24.123[.]42) initiated 346 sessions (83%). The attackers utilized automated tooling, evidenced by rotating user agents (300+ variants).
### Lateral Movement
- **Details:** Post-exploitation activity indicated an attempt to establish persistence, including the deployment of a "sleeper shell" (a dormant in-memory Java class loader) found at the path `/mifs/403.jsp` on compromised EPMM instances. A compromised EPMM server is noted to serve as a lateral movement platform that bypasses network segmentation.
### Data Exfiltration/Impact
- **Details:** The majority of high-volume scanning (85% of sessions) involved Out-of-Band Application Security Testing (OAST) callbacks used only to confirm exploitability and catalog vulnerable targets, rather than immediate malware deployment or data exfiltration. However, the presence of sleeper shells suggests intent to sell access later.
### Detection & Response
- **Detection:** Threat intelligence firm GreyNoise detected and characterized the mass scanning activity. Defused Cyber reported the specific "sleeper shell" deployment pattern.
- **Response Actions:** Ivanti acknowledged a "very limited number of customers" were impacted. Organizations were advised to apply patches, audit MDM infrastructure, review DNS logs for OAST patterns, and monitor for the `/mifs/403.jsp` path.
## Attack Methodology
- **Initial Access:** Unauthenticated Remote Code Execution via **CVE-2026-1281** in Ivanti EPMM.
- **Persistence:** Deployment of a dormant, in-memory Java class loader (sleeper shell) at `/mifs/403.jsp`.
- **Privilege Escalation:** N/A (Initial access achieved RCE).
- **Defense Evasion:** Use of 300+ unique user agent strings to disguise automated activity.
- **Credential Access:** Not explicitly detailed, but implied if persistence was established for later sale.
- **Discovery:** Heavy use of OAST callbacks (85% of sessions) confirmed target responsiveness/exploitability without dropping full binaries.
- **Lateral Movement:** EPMM compromise grants access to device management infrastructure, serving as a platform for broader access.
- **Collection:** Cataloging vulnerable targets. Potential for future collection based on established sleeper shells.
- **Exfiltration:** Minimal immediate exfiltration observed; activity focused on validation.
- **Impact:** Potential deep compromise of organization MDM infrastructure.
## Impact Assessment
- **Financial:** Not quantified, but high potential due to the nature of MDM compromise.
- **Data Breach:** Scope unknown, but access to device management infrastructure implies potential access to sensitive metadata or security policies for managed devices.
- **Operational:** High risk. Compromise of MDM creates a platform for systemic disruption of mobile fleet management.
- **Reputational:** Several European government agencies disclosed being targeted, leading to reputational damage for affected institutions.
## Indicators of Compromise
- **Network Indicators (Defanged):**
  - Source IP: 193.24.123[.]42
  - Attacker Autonomous System: AS200593 (Associated with PROSPERO)
  - Concurrent exploitation from the same infrastructure targeting CVE-2026-21962 (Oracle WebLogic), CVE-2026-24061 (GNU InetUtils telnetd), and CVE-2025-24799 (GLPI).
- **File Indicators:**
  - Path artifact: `/mifs/403.jsp` (associated with sleeper shell deployment)
- **Behavioral Indicators:**
  - High volume of OAST activity beaconing via DNS to confirm exploitability.
  - Rapid rotation of User Agent strings (300+ variants).
## Response Actions
- **Containment:** Apply Ivanti patches immediately. Block attacker AS200593 at network perimeters. Organizations with internet-facing MDM should assume compromise.
- **Eradication:** Audit internet-facing MDM infrastructure. Scan for the presence of the `/mifs/403.jsp` path artifact.
- **Recovery:** Restore configurations after patching and verification.
## Lessons Learned
- **Speed of Exploitation:** Critical vulnerabilities face exploitation attempts within hours of disclosure, necessitating immediate patching for internet-facing services.
- **Hosting Integrity:** Threat actors are effectively leveraging bulletproof hosting infrastructure (PROSPERO) known to host prior malware operations.
- **Reconnaissance Tactics:** Threat actors prioritize reconnaissance (OAST) to validate access before deploying large-scale payloads, indicating organized access broker tradecraft.
## Recommendations
- Immediately patch all instances vulnerable to CVE-2026-1281 and CVE-2026-1340.
- Implement strict network segmentation for high-value management infrastructure like MDM servers.
- Proactively hunt for OAST callbacks and known sleeper shell artifacts across infrastructure logs, especially DNS and web server access logs.
- Block threat actor infrastructure (e.g., AS200593) at the network level, while recognizing that the primary source IP may rotate or move hosting rapidly, so blocking alone is not a sufficient control.
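The hunting guidance in the Detection & Response, Behavioral Indicators, and Recommendations sections can be turned into a small log-review script. The following is an added example, not code from the report, GreyNoise, Defused Cyber, or Ivanti. It checks three things over constructed sample logs: requests to the `/mifs/403.jsp` path artifact, rapid User-Agent rotation from one source IP, and OAST-style DNS callbacks. The log lines, the hostnames such as `epmm01.corp.example`, the DNS log layout, the rotation threshold, and the list of OAST provider suffixes are all assumptions for the example and should be tuned to your own environment.

```python
# Added example: hunting helpers for the indicators described in the report.
# Not the report's own tooling. All log lines below are constructed.
import math
import re
from collections import defaultdict

# Constructed access log lines in Apache/nginx combined format. The source IP
# and path are the report's indicators (IP refanged so the lines parse).
ACCESS_LOG = """\
193.24.123.42 - - [02/Feb/2026:10:01:12 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
193.24.123.42 - - [02/Feb/2026:10:01:13 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "curl/8.4.0"
193.24.123.42 - - [02/Feb/2026:10:01:14 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "python-requests/2.31"
193.24.123.42 - - [02/Feb/2026:10:01:15 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Go-http-client/1.1"
10.0.0.5 - - [02/Feb/2026:10:05:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
10.0.0.5 - - [02/Feb/2026:10:05:30 +0000] "GET /mifs/c/portal HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
"""

# Constructed DNS query log (assumed layout): "<timestamp> <client> <qname> <qtype>".
DNS_LOG = """\
2026-02-02T10:01:20Z epmm01.corp.example q8k3f2x1mzq7p.oast.fun A
2026-02-02T10:01:21Z epmm01.corp.example 7hd92kq4wzx0a.oast.fun A
2026-02-02T10:01:30Z epmm01.corp.example a9x2m7kq4wz1v.cb.collab.example A
2026-02-02T10:02:00Z epmm01.corp.example mdm-updates.example.com A
2026-02-02T10:02:10Z ws-042.corp.example www.example.com A
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

SLEEPER_SHELL_PATH = "/mifs/403.jsp"  # path artifact named in the report

# Public OAST services commonly used for exploit-validation callbacks.
# Assumption: a starting point for your own list, not a complete inventory.
KNOWN_OAST_SUFFIXES = (
    ".oastify.com", ".burpcollaborator.net",
    ".oast.fun", ".oast.pro", ".oast.live", ".oast.site", ".oast.online", ".oast.me",
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_path_artifact(records, path=SLEEPER_SHELL_PATH):
    """Any request to the sleeper-shell path is worth a ticket, whatever the status code."""
    return [(r["ip"], r["method"], r["status"], r["ts"]) for r in records if r["path"] == path]


def find_ua_rotation(records, threshold=3):
    """Map source IP -> distinct User-Agent count for IPs at or above the threshold.

    The campaign used 300+ user agents; the threshold is deliberately low for
    the sample data and must be tuned per environment.
    """
    uas = defaultdict(set)
    for r in records:
        uas[r["ip"]].add(r["ua"])
    return {ip: len(s) for ip, s in uas.items() if len(s) >= threshold}


def _entropy(s):
    """Shannon entropy in bits per character."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_oast(qname):
    """True for a known OAST suffix or a long, high-entropy, digit-bearing leftmost label."""
    q = qname.lower().rstrip(".")
    if any(q.endswith(sfx) for sfx in KNOWN_OAST_SUFFIXES):
        return True
    label = q.split(".")[0]
    digits = sum(ch.isdigit() for ch in label)
    return len(label) >= 12 and digits >= 3 and _entropy(label) > 3.0


def find_oast_callbacks(text):
    """Return (client, qname) pairs from the DNS log that look like OAST beacons."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2]
        if looks_like_oast(qname):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    recs = parse_access_log(ACCESS_LOG)
    print("sleeper-shell path hits:", find_path_artifact(recs))
    print("UA rotation:", find_ua_rotation(recs))
    print("OAST callbacks:", find_oast_callbacks(DNS_LOG))
```

The random-label heuristic in `looks_like_oast` is there because OAST services beyond the listed suffixes exist and attackers can self-host their own; it will produce some false positives on CDN or telemetry hostnames, so treat a hit from an MDM server (which should have a small, predictable set of outbound lookups) as higher priority than the same hit from a workstation.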