Ivanti RCE Attacks: 83% Linked to Notorious Threat Actor
Single Threat Actor Behind Majority of Ivanti Endpoint Manager Mobile Attacks
A single threat actor is responsible for the vast majority of recent attacks exploiting two critical vulnerabilities in Ivanti Endpoint Manager Mobile, with a staggering 83% of exploitation activity linked to a single IP address.
Vulnerabilities and Exploitation Activity
The vulnerabilities, tracked as CVE-2026-21962 and CVE-2026-24061, have been actively exploited in zero-day attacks, allowing attackers to inject code without authentication and execute remote code on vulnerable systems.
Between February 1st and 9th, GreyNoise, a threat-focused internet intelligence company, monitored 417 exploitation sessions originating from eight unique source IP addresses, with the majority targeting CVE-2026-21962 and CVE-2026-24061.
Exploitation Activity Spikes
The exploitation activity spiked on February 8, with 269 recorded sessions in a single day, nearly 13 times the daily average of 22 sessions.
Notably, 85% of the exploitation sessions used OAST-style (out-of-band application security testing) DNS callbacks to verify command execution capability, a pattern consistent with initial access broker activity.
Concerns and Recommendations
GreyNoise researchers noted that the IP address 193.24.123.42 is not on widely published indicators of compromise (IoC) lists, which means defenders relying solely on these lists may be missing the dominant exploitation source.
Furthermore, this IP address is not limited to Ivanti targeting, as it has also exploited three other vulnerabilities: CVE-2026-21962 in Oracle WebLogic, CVE-2026-24061 in GNU Inetutils Telnetd, and CVE-2025-24799 in GLPI.
The exploitation activity appears to be fully automated, rotating through 300 user agents.
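The two behaviours described above (one source producing most sessions while rotating user agents, and OAST-style DNS callbacks from the targeted host) are both visible in logs a defender already has. The script below is an added example, not from the article or from GreyNoise, that runs two such heuristics over constructed sample lines: a web access log in combined log format and a simple DNS query log. All IP addresses come from RFC 5737 documentation ranges, the request paths, callback domain and IoC list are placeholders, and the thresholds are assumptions to tune for your environment.

```python
"""Defender-side heuristics for the activity pattern described in the article:
(1) a single source IP dominating session volume while cycling user agents,
(2) a burst of unique subdomain lookups (OAST-style callbacks) from a server.
All log lines below are constructed samples, not real telemetry."""
import re
from collections import defaultdict

# Constructed combined-log-format lines. 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges; paths and user agents are placeholders.
ACCESS_LOG = """\
203.0.113.10 - - [08/Feb/2026:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (UA-A)"
203.0.113.10 - - [08/Feb/2026:10:00:02 +0000] "POST /api/v1/status HTTP/1.1" 200 88 "-" "Mozilla/5.0 (UA-B)"
203.0.113.10 - - [08/Feb/2026:10:00:03 +0000] "POST /api/v1/status HTTP/1.1" 500 0 "-" "curl/8.0 (UA-C)"
203.0.113.10 - - [08/Feb/2026:10:00:04 +0000] "POST /api/v1/status HTTP/1.1" 200 88 "-" "python-requests/2.31 (UA-D)"
203.0.113.10 - - [08/Feb/2026:10:00:05 +0000] "POST /api/v1/status HTTP/1.1" 200 88 "-" "Go-http-client/1.1 (UA-E)"
198.51.100.7 - - [08/Feb/2026:10:01:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (UA-A)"
198.51.100.7 - - [08/Feb/2026:10:01:05 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (UA-A)"
192.0.2.44 - - [08/Feb/2026:10:02:00 +0000] "POST /api/v1/status HTTP/1.1" 200 88 "-" "curl/8.0 (UA-C)"
"""

# Constructed DNS query log: "<timestamp> <client> <qname>". 192.0.2.5 plays the
# role of the exposed appliance; oast-placeholder.invalid stands in for a
# callback domain and is not a real service.
DNS_LOG = """\
2026-02-08T10:00:02Z 192.0.2.5 k7f2q9.oast-placeholder.invalid
2026-02-08T10:00:03Z 192.0.2.5 p3m8z1.oast-placeholder.invalid
2026-02-08T10:00:04Z 192.0.2.5 w1c6n4.oast-placeholder.invalid
2026-02-08T10:00:10Z 192.0.2.5 updates.example.com
2026-02-08T10:05:00Z 192.0.2.6 www.example.com
"""

# Placeholder IoC list: only the low-volume source is "known", mirroring the
# article's point that the dominant source was absent from published lists.
KNOWN_IOCS = {"198.51.100.7"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)


def parse_access_log(text):
    """Parse combined-log-format lines into dicts; silently skip malformed ones."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize_sources(entries):
    """Per source IP: session count and the set of distinct user agents seen."""
    summary = defaultdict(lambda: {"sessions": 0, "user_agents": set()})
    for e in entries:
        summary[e["ip"]]["sessions"] += 1
        summary[e["ip"]]["user_agents"].add(e["ua"])
    return dict(summary)


def flag_sources(summary, ioc_list, min_sessions=5, min_agents=3):
    """Flag sources that are both high-volume and rotating user agents, and
    record whether each is already covered by the IoC list. Thresholds are
    assumptions; tune them to the normal traffic of the monitored host."""
    total = sum(s["sessions"] for s in summary.values()) or 1
    findings = []
    for ip, s in summary.items():
        if s["sessions"] >= min_sessions and len(s["user_agents"]) >= min_agents:
            findings.append({
                "ip": ip,
                "sessions": s["sessions"],
                "share": s["sessions"] / total,
                "distinct_agents": len(s["user_agents"]),
                "in_ioc_list": ip in ioc_list,
            })
    return sorted(findings, key=lambda f: f["sessions"], reverse=True)


def find_callback_like_lookups(text, min_unique=3):
    """Group DNS queries by (client, base domain) and return the pairs where one
    client resolved at least min_unique distinct subdomains: the shape an
    OAST-style callback leaves, since each probe embeds its own unique label."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, qname = parts
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:          # apex or single-label names cannot be callbacks
            continue
        seen[(client, ".".join(labels[-2:]))].add(qname)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}


if __name__ == "__main__":
    for f in flag_sources(summarize_sources(parse_access_log(ACCESS_LOG)), KNOWN_IOCS):
        print(f"{f['ip']}: {f['sessions']} sessions ({f['share']:.0%}), "
              f"{f['distinct_agents']} user agents, on IoC list: {f['in_ioc_list']}")
    for (client, base), n in find_callback_like_lookups(DNS_LOG).items():
        print(f"{client} resolved {n} unique subdomains of {base}")
```

The first heuristic deliberately does not key on the IoC list: the list only annotates the finding, so a source that is absent from every published list is still surfaced by its own behaviour. The DNS heuristic needs an allowlist of domains the appliance legitimately resolves (update servers, licensing endpoints) before it is useful in production, since the signal is a server that should have a small, stable set of outbound lookups suddenly resolving a burst of never-seen labels under one domain.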
Ivanti has released hotfixes for the vulnerabilities, but the fixes are not permanent.
The company plans to release complete patches in the first quarter of this year with the release of EPMM version 12.8.0.0.
In the meantime, the vendor recommends building a replacement EPMM instance and migrating all data to it.
Conclusion
The exploitation of these vulnerabilities highlights the importance of proactive measures to prevent and detect such attacks.
Organizations should prioritize patching vulnerable systems and monitoring for suspicious activity to minimize the risk of compromise.
