Clandestine IP Group Behind Widespread Attacks Exploiting Ivanti EPMM Vulnerabilities


Single IP Address Identified as Primary Source of Attacks on Ivanti Endpoint Manager Mobile Software

A single IP address, 193.24.123[.]42, has been identified as the primary source of attacks exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile software.

Exploitation of Vulnerabilities

According to a recent report, this IP address is responsible for 83% of attempted attacks leveraging CVE-2026-1281 and CVE-2026-1340 between February 1 and February 9.

The IP address in question is hosted on PROSPERO’s bulletproof hosting infrastructure and has also been linked to the exploitation of several other vulnerabilities, including the Oracle WebLogic bug (CVE-2026-21962), the GNU InetUtils telnetd bug (CVE-2026-24061), and the GLPI issue (CVE-2025-24799).

Use of Automated Tooling

Researchers at GreyNoise observed that the IP address rotated through over 300 unique user agent strings, indicating the use of automated tooling.

Targeting of Government Agencies

The exploitation of Ivanti EPMM vulnerabilities has been particularly concerning, as several government agencies across Europe have been targeted.

Defused Cyber researchers discovered that vulnerable instances of Ivanti EPMM had been compromised with a dormant in-memory Java class loader through the “/mifs/403.jsp” path. The researchers noted that the attackers appeared to be cataloging vulnerable targets rather than immediately deploying payloads, as indicated by out-of-band application security testing (OAST) callbacks.
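The indicators reported above (the source IP, the rotation of user agent strings and the "/mifs/403.jsp" path) can be checked against web access logs. The following Python is an added example, not code from GreyNoise, Defused Cyber or Ivanti; the Combined Log Format layout, the `triage` function name, the rotation threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators from the article (the IP is defanged there); the rest is assumed.
SOURCE_IP = "193.24.123.42"
LOADER_PATH = "/mifs/403.jsp"
UA_THRESHOLD = 3  # assumed cut-off for "rotating" user agents; tune per site

# Assumed layout: Apache/nginx Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation address ranges except the reported IP).
SAMPLE = [
    '198.51.100.7 - - [05/Feb/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '193.24.123.42 - - [05/Feb/2026:10:00:02 +0000] "GET / HTTP/1.1" 404 0 "-" "agent-a"',
    '193.24.123.42 - - [05/Feb/2026:10:00:03 +0000] "GET / HTTP/1.1" 404 0 "-" "agent-b"',
    '193.24.123.42 - - [05/Feb/2026:10:00:04 +0000] "GET / HTTP/1.1" 404 0 "-" "agent-c"',
    '203.0.113.9 - - [05/Feb/2026:10:00:05 +0000] "GET /mifs/403.jsp?x=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

def triage(lines):
    """Return (line_no, rule, ip) findings; line_no 0 marks a per-IP aggregate."""
    findings, agents = [], defaultdict(set)
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip = m["ip"]
        agents[ip].add(m["ua"])
        if ip == SOURCE_IP:
            findings.append((n, "reported-source-ip", ip))
        # Compare the path only, ignoring any query string.
        if m["target"].split("?", 1)[0] == LOADER_PATH:
            findings.append((n, "loader-path-request", ip))
    for ip in sorted(agents):
        if len(agents[ip]) >= UA_THRESHOLD:
            findings.append((0, "user-agent-rotation", ip))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A request to the loader path from any source is worth following up, since the class loader was reported as dormant on already compromised instances.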

Related News

In related news, a recent report by Censys found that over 190,000 web properties were vulnerable to a critical flaw in BeyondTrust’s Remote Support and Privileged Remote Access offerings.

Importance of Proactive Security Measures

The discovery of these vulnerabilities and the subsequent exploitation by malicious actors underscores the importance of proactive security measures, including vulnerability management and exposure management.

As the threat landscape continues to evolve, it is essential for organizations to stay vigilant and adapt their security strategies to mitigate emerging threats.


