A recent surge in remote code execution (RCE) attacks targeting Ivanti Endpoint Manager Mobile (EPMM) has drawn significant attention from security teams worldwide. Threat intelligence reveals that a single threat actor is responsible for over 83% of exploitation attempts against two critical vulnerabilities: CVE-2026-21962 and CVE-2026-24061.
Both vulnerabilities were exploited as zero-days and allow attackers to inject code without authentication, putting sensitive enterprise systems at risk. In this article, we explore:
- The threat actor behind these RCE attacks
- Exploitation trends and attack methods
- Real-world telemetry and session analysis
- Mitigation strategies and patch guidance
- Compliance and security best practices
Overview of the Vulnerabilities
CVE-2026-21962 & CVE-2026-24061
- Both vulnerabilities have a critical severity rating.
- They allow unauthenticated code injection, leading to remote code execution.
- Flagged as actively exploited in Ivanti’s security advisory; hotfixes have been released, but full patches are pending.
Impact: Any EPMM instance running vulnerable versions is at high risk of compromise, especially if exposed to the internet.
Who Is Behind the Attacks?
Security telemetry from GreyNoise, a threat-focused intelligence platform, identified that:
- 193.24.123.42, hosted by PROSPERO OOO (AS200593), is responsible for 83% of exploitation activity.
- This IP is hosted on bulletproof infrastructure, commonly used to evade takedowns.
- The threat actor appears to rotate user agents, fully automating attacks across multiple vulnerabilities.
Notably, this IP is not listed in widely published IoCs, meaning many defenses may miss the dominant exploitation source.
Exploitation Trends & Analysis
Session Volume
- From February 1–9, GreyNoise observed 417 exploitation sessions across 8 unique source IPs.
- February 8 saw a spike: 269 sessions in one day, nearly 13× the daily average.
- OAST-style DNS callbacks accounted for 85% of sessions, indicating initial access broker activity.
Multi-Target Activity
The threat actor is not limited to Ivanti:
- Oracle WebLogic CVE-2026-21962 – 2,902 sessions
- GNU Inetutils Telnetd CVE-2026-24061 – 497 sessions
- GLPI CVE-2025-24799 – lower session volume
This multi-vulnerability targeting indicates a fully automated exploitation infrastructure.
Recommended Mitigation & Patch Guidance
Ivanti’s Hotfixes
- Immediate application of available hotfixes for CVE-2026-21962 & CVE-2026-24061 is critical.
- EPMM version 12.8.0.0 will provide permanent fixes in Q1.
Temporary Mitigations
- Use RPM packages 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x
- Use RPM packages 12.x.1.x for EPMM versions 12.5.1.0 and 12.6.1.0
- For maximum safety: build a replacement EPMM instance and migrate data
Monitoring & Detection
- Review appliances for signs of exploitation prior to patching
- Apply Ivanti’s Exploitation Detection script, developed with NCSC NL
- Leverage high-fidelity IoCs provided by Ivanti for proactive blocking
Ivanti emphasizes that applying the patch is the most effective way to prevent exploitation, regardless of IoC changes.
Threat Intelligence Insights
- The threat actor demonstrates high automation, with hundreds of user agents and multi-target exploitation.
- Bulletproof infrastructure indicates resilient threat operations, often evading traditional defenses.
- Defenders relying solely on published IoCs may miss the primary source, highlighting the need for continuous monitoring and proactive threat hunting.
Best Practices for Organizations
- Patch Immediately – Apply all hotfixes and plan migration to fully patched versions.
- Monitor Logs – Look for abnormal DNS callbacks, unusual authentication, or code injection attempts.
- Isolate Critical Systems – Limit exposure of EPMM and other management consoles to the public internet.
- Use Threat Intelligence Feeds – Incorporate live telemetry to detect emerging attack sources.
- Conduct Regular Vulnerability Assessments – Automate scanning to catch misconfigurations or unpatched systems.
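The "Monitoring & Detection" and "Monitor Logs" points above can be applied to an appliance's access log with a small triage script. The following is an added example (not Ivanti's detection script and not part of the original article): it parses Combined Log Format lines, flags requests from the source GreyNoise identified as dominant, lists the user agents that source rotated through, and marks days whose request volume spikes above the daily average, mirroring the February 8 spike described earlier. The log lines are constructed for the example, the request path is a placeholder, and the spike factor is an assumed tunable.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Source IP that GreyNoise attributed 83% of EPMM exploitation sessions to (from the article).
DOMINANT_SOURCE = "193.24.123.42"

# Combined Log Format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["day"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
    return rec

def analyze(lines, spike_factor=3.0):
    """Return (requests from the dominant source, its distinct user agents,
    days whose request volume is at least spike_factor times the daily mean)."""
    per_day = Counter()
    agents = defaultdict(set)
    dominant_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        per_day[rec["day"]] += 1
        agents[rec["ip"]].add(rec["ua"])
        if rec["ip"] == DOMINANT_SOURCE:
            dominant_hits.append(rec)
    mean = sum(per_day.values()) / len(per_day) if per_day else 0.0
    spike_days = sorted(d for d, n in per_day.items() if n >= spike_factor * mean)
    return dominant_hits, sorted(agents[DOMINANT_SOURCE]), spike_days

# Constructed sample log (not real telemetry); the request path is a placeholder.
# Quiet baseline on Feb 1-7 from an unrelated address, then a burst on Feb 8 from
# the dominant source cycling through user agents, as the article describes.
def _line(ip, day, hour, ua):
    return (f'{ip} - - [{day:02d}/Feb/2026:{hour:02d}:00:00 +0000] '
            f'"POST /placeholder-endpoint HTTP/1.1" 500 0 "-" "{ua}"')

SAMPLE_LOG = ([_line("198.51.100.7", d, 9, "Mozilla/5.0") for d in range(1, 8)]
              + [_line(DOMINANT_SOURCE, 8, h, f"agent-{h}") for h in range(10)])
```

Run `analyze(SAMPLE_LOG)` to get the ten requests from the dominant source, the ten distinct user agents it used, and February 8 as the only spike day; point it at a real access log by passing the file's lines instead of `SAMPLE_LOG`.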
Conclusion
The recent Ivanti EPMM RCE attacks underline how a single threat actor can dominate exploitation activity, leveraging automation, bulletproof infrastructure, and multi-target strategies.
Organizations must apply hotfixes immediately, review IoCs, and monitor systems proactively. Combining patch management, threat intelligence, and operational vigilance is essential to defend against high-volume, automated attacks like these.
Staying ahead requires a holistic cybersecurity strategy—from endpoint hardening to real-time monitoring and rapid incident response.