Critical Ivanti EPMM CVE-2023-35078 RCE Exploited by Single IP Address

Sarah Simpson
February 16, 2026, 3 Min Read

Key Takeaways

  • A critical remote code execution (RCE) vulnerability, CVE-2026-1281, in Ivanti Endpoint Manager Mobile (EPMM) is under active exploitation.
  • The majority of observed attacks (83%) originate from a single “bulletproof” IP address (193[.]24[.]123[.]42), which was often missing from early indicators of compromise (IOCs).
  • Two critical flaws (CVE-2026-1281 and CVE-2026-1340), both with a CVSS score of 9.8, allow unauthenticated command execution.
  • Even patched systems may remain compromised if initial access was gained before remediation, due to the use of “sleeper” webshells.

Critical Ivanti EPMM Flaw Actively Exploited by Lone IP Address

A severe remote code execution (RCE) vulnerability in Ivanti Endpoint Manager Mobile (EPMM), identified as CVE-2026-1281, is currently being actively exploited by malicious actors. Threat intelligence gathered by GreyNoise reveals that 83% of all observed exploitation attempts originate from a single IP address: 193[.]24[.]123[.]42.

This specific IP address is registered to PROSPERO OOO (AS200593) and has been characterized as “bulletproof” hosting by Censys, suggesting a high degree of resilience against takedown attempts. Notably, this IP was conspicuously absent from many initial indicators of compromise (IOCs) distributed to cybersecurity defenders, potentially leading to incomplete threat detection.

Two High-Severity Vulnerabilities Under Attack

CVE-2026-1281, with a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary system commands. This is achieved by manipulating Bash arithmetic expansion within the backend file-delivery scripts of Ivanti EPMM.

A second critical flaw, CVE-2026-1340, also rated 9.8 on the CVSS scale, facilitates similar code execution capabilities within another component of the EPMM platform.

Ivanti issued an advisory regarding these vulnerabilities on January 29. Shortly thereafter, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1281 to its authoritative Known Exploited Vulnerabilities catalog. Subsequent reports from Dutch authorities confirmed breaches at the Dutch Data Protection Authority (AP) and the Council for the Judiciary (RVDR), underscoring that exploitation was already underway before many organizations could apply necessary patches.

Between February 1 and February 9, GreyNoise documented 417 exploitation sessions originating from eight distinct IP addresses. On February 8 alone, 269 sessions were recorded, representing a thirteen-fold increase over the prior daily average.

The primary IP address, 193[.]24[.]123[.]42, has also been implicated in attacks targeting other platforms, including Oracle WebLogic Server, GNU Inetutils telnetd, and GLPI. The attacker employs a strategy of rotating hundreds of different user-agent strings, a common tactic indicative of automated, large-scale exploitation efforts.

Discrepancies in IOCs and Infrastructure Risks

Analysis revealed inconsistencies between some widely circulated IOCs and actual Ivanti exploitation data. For instance, while Windscribe VPN exit nodes on M247 infrastructure generated significant network traffic, none of it was directed at Ivanti EPMM.

Similarly, another IOC pointed to a residential router that exhibited only limited activity. Organizations that exclusively blocked these VPN or residential IPs, but failed to block AS200593, may have inadvertently overlooked the primary source of the threat.

Approximately 85% of the observed payloads utilized DNS callbacks to confirm successful code execution, rather than immediately deploying malware. This behavior aligns with tactics commonly employed by initial access brokers, who aim to establish a foothold before delivering more destructive payloads.

Further reports detail the deployment of “sleeper” webshells, specifically at the /mifs/403.jsp path. These webshells remain dormant until activated, implying that systems patched after an initial compromise could still harbor persistent threats if attackers gained access prior to remediation efforts.

What You Should Do

  • Immediately apply all available patches and updates from Ivanti for EPMM to address CVE-2026-1281 and CVE-2026-1340.
  • Scan your Ivanti EPMM instances for indicators of compromise (IOCs), particularly for the IP address 193[.]24[.]123[.]42 and the presence of “sleeper” webshells at /mifs/403.jsp.
  • Implement robust network segmentation to limit the blast radius in case of a successful compromise.
  • Review and update your firewall rules to block traffic from known malicious IPs and ASNs, including AS200593.
  • Conduct a thorough forensic investigation if any signs of compromise are detected, as initial access may have occurred before patching.
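A small log-scanning script, added here as an example and not part of the original article or of any GreyNoise or Ivanti tooling, shows how the three indicators the article gives (the source IP, the /mifs/403.jsp webshell path and the rotation of many User-Agent strings from one source) can be checked against a web server's combined-format access log. The log lines, the paths other than /mifs/403.jsp and the User-Agent diversity threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Indicators quoted in the article; the IP is kept defanged, as published.
DEFANGED_IP = "193[.]24[.]123[.]42"
WEBSHELL_PATH = "/mifs/403.jsp"
# Hypothetical threshold (an assumption, not a figure from the article): more
# distinct User-Agents than this from one source is treated as automated tooling.
UA_DIVERSITY_THRESHOLD = 3

# Combined log format as written by Apache httpd and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def refang(ip):
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 back into 1.2.3.4."""
    return ip.replace("[.]", ".")

def scan_access_log(lines):
    """Return (reason, source_ip, detail) findings for the given log lines."""
    findings = []
    ua_by_ip = defaultdict(set)
    bad_ip = refang(DEFANGED_IP)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, path, ua = m["ip"], m["path"], m["ua"]
        ua_by_ip[ip].add(ua)
        if ip == bad_ip:
            findings.append(("known-malicious-source", ip, path))
        if path.split("?", 1)[0] == WEBSHELL_PATH:  # ignore any query string
            findings.append(("webshell-path-access", ip, path))
    for ip, uas in ua_by_ip.items():
        if len(uas) > UA_DIVERSITY_THRESHOLD:
            findings.append(("user-agent-rotation", ip, f"{len(uas)} distinct UAs"))
    return findings

# Constructed sample lines (not real traffic) that exercise each check once.
SAMPLE_LOG = [
    '193.24.123.42 - - [08/Feb/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '193.24.123.42 - - [08/Feb/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '193.24.123.42 - - [08/Feb/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '193.24.123.42 - - [08/Feb/2026:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Go-http-client/1.1"',
    '10.0.0.5 - - [08/Feb/2026:10:01:00 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Feb/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

Any hit on the webshell path is worth treating as a confirmed compromise rather than a blocked attempt, since the article notes the shell can sit dormant on a system that was patched after initial access.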
