Critical Ivanti EPMM CVE-2023-35078 RCE Exploited by Single IP Address
Key Takeaways
- A critical remote code execution (RCE) vulnerability, CVE-2026-1281, in Ivanti Endpoint Manager Mobile (EPMM) is under active exploitation.
- The majority of observed attacks (83%) originate from a single “bulletproof” IP address (193[.]24[.]123[.]42), which was often missing from early indicators of compromise (IOCs).
- Two critical flaws (CVE-2026-1281 and CVE-2026-1340), both with a CVSS score of 9.8, allow unauthenticated command execution.
- Even patched systems may remain compromised if initial access was gained before remediation, due to the use of “sleeper” webshells.
Critical Ivanti EPMM Flaw Actively Exploited by Lone IP Address
A severe remote code execution (RCE) vulnerability within Ivanti Endpoint Manager Mobile (EPMM), identified as CVE-2026-1281, is currently being actively exploited by malicious actors. Threat intelligence gathered by GreyNoise reveals that a substantial 83% of all observed exploitation attempts originate from a single IP address: 193[.]24[.]123[.]42.
This specific IP address is registered to PROSPERO OOO (AS200593) and has been characterized as “bulletproof” hosting by Censys, suggesting a high degree of resilience against takedown attempts. Notably, this IP was conspicuously absent from many initial indicators of compromise (IOCs) distributed to cybersecurity defenders, potentially leading to incomplete threat detection.
Two High-Severity Vulnerabilities Under Attack
CVE-2026-1281, with a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary system commands. This is achieved by manipulating Bash arithmetic expansion within the backend file-delivery scripts of Ivanti EPMM.
A second critical flaw, CVE-2026-1340, also rated 9.8 on the CVSS scale, facilitates similar code execution capabilities within another component of the EPMM platform.
Ivanti issued an advisory regarding these vulnerabilities on January 29. Shortly thereafter, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-1281 to its authoritative Known Exploited Vulnerabilities catalog. Subsequent reports from Dutch authorities confirmed breaches at the Dutch Data Protection Authority (AP) and the Council for the Judiciary (RVDR), underscoring that exploitation was already underway before many organizations could apply necessary patches.
Between February 1 and February 9, GreyNoise documented 417 exploitation sessions originating from eight distinct IP addresses. On February 8 alone, 269 sessions were recorded, representing a thirteen-fold increase over the prior daily average.
The primary IP address, 193[.]24[.]123[.]42, has also been implicated in attacks targeting other platforms, including Oracle WebLogic Server, GNU Inetutils telnetd, and GLPI. The attacker employs a strategy of rotating hundreds of different user-agent strings, a common tactic indicative of automated, large-scale exploitation efforts.
Discrepancies in IOCs and Infrastructure Risks
Analysis revealed inconsistencies between some widely circulated IOCs and actual Ivanti exploitation data. For instance, while Windscribe VPN exit nodes on M247 infrastructure generated significant network traffic, none of it was directed at Ivanti EPMM.
Similarly, another IOC pointed to a residential router that exhibited only limited activity. Organizations that exclusively blocked these VPN or residential IPs, but failed to block AS200593, may have inadvertently overlooked the primary source of the threat.
Approximately 85% of the observed payloads utilized DNS callbacks to confirm successful code execution, rather than immediately deploying malware. This behavior aligns with tactics commonly employed by initial access brokers, who aim to establish a foothold before delivering more destructive payloads.
Further reports detail the deployment of “sleeper” webshells, specifically at the /mifs/403.jsp path. These webshells remain dormant until activated, implying that systems patched after an initial compromise could still harbor persistent threats if attackers gained access prior to remediation efforts.
What You Should Do
- Immediately apply all available patches and updates from Ivanti for EPMM to address CVE-2026-1281 and CVE-2026-1340.
- Scan your Ivanti EPMM instances for indicators of compromise (IOCs), particularly for the IP address 193[.]24[.]123[.]42 and the presence of “sleeper” webshells at /mifs/403.jsp.
- Implement robust network segmentation to limit the blast radius in case of a successful compromise.
- Review and update your firewall rules to block traffic from known malicious IPs and ASNs, including AS200593.
- Conduct a thorough forensic investigation if any signs of compromise are detected, as initial access may have occurred before patching.
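The following script is an added example, not code from the report or from GreyNoise, Ivanti or Censys. It turns the IOC-scanning step above and the two behavioural signals described earlier (hundreds of rotated user-agent strings from one source, and a sudden jump in daily session counts) into a check that runs over web-server access logs in combined log format. The sample log lines are constructed for the example; the IOC IP and the /mifs/403.jsp webshell path come from the report, while the rotation and spike thresholds, the log format and the private-range addresses are assumptions.

```python
"""Scan combined-format access logs for the Ivanti EPMM indicators discussed above.

Added example; the thresholds, log format and sample lines are constructed and
are not values from the report.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Indicators taken from the report (IP written plainly so it matches log text).
IOC_IPS = {"193.24.123.42"}
WEBSHELL_PATHS = {"/mifs/403.jsp"}

# Assumed thresholds for this example; tune them to your own traffic baseline.
UA_ROTATION_MIN = 3   # distinct user agents from one IP before we flag rotation
SPIKE_FACTOR = 5.0    # daily count vs. prior daily average before we flag a spike

# Combined log format: ip ident user [day:time zone] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(log_text):
    """Return a report dict with IOC hits, webshell requests, UA rotation and daily spikes."""
    ioc_hits = 0
    webshell_hits = []            # (ip, status) for every request to a webshell path
    ua_by_ip = defaultdict(set)   # ip -> set of user-agent strings seen
    per_day = Counter()           # day -> number of parsed requests

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparsable lines are skipped, not silently counted
        if rec["ip"] in IOC_IPS:
            ioc_hits += 1
        if rec["path"].split("?", 1)[0] in WEBSHELL_PATHS:
            webshell_hits.append((rec["ip"], rec["status"]))
        ua_by_ip[rec["ip"]].add(rec["ua"])
        per_day[rec["day"]] += 1

    rotating = sorted(ip for ip, uas in ua_by_ip.items() if len(uas) >= UA_ROTATION_MIN)

    # Compare each day with the average of all earlier days (logs need not be in order).
    days = sorted(per_day, key=lambda d: datetime.strptime(d, "%d/%b/%Y"))
    spikes = []
    for i, day in enumerate(days[1:], start=1):
        prior_avg = sum(per_day[d] for d in days[:i]) / i
        if per_day[day] > SPIKE_FACTOR * prior_avg:
            spikes.append((day, per_day[day], prior_avg))

    return {
        "ioc_ip_hits": ioc_hits,
        "webshell_hits": webshell_hits,
        "ua_rotation": rotating,
        "spikes": spikes,
    }


def _line(ip, day, path, ua, status="200"):
    """Build one constructed access-log line for the sample below."""
    return f'{ip} - - [{day}:12:00:00 +0000] "GET {path} HTTP/1.1" {status} 0 "-" "{ua}"'


# Constructed sample: two quiet days of internal monitoring, then a burst from the
# IOC address with rotated user agents, plus two requests for the webshell path.
SAMPLE_LOG = "\n".join(
    [
        _line("10.0.0.5", "06/Feb/2026", "/mifs/", "Mozilla/5.0 (internal-monitor)"),
        _line("10.0.0.5", "07/Feb/2026", "/mifs/", "Mozilla/5.0 (internal-monitor)"),
    ]
    + [_line("193.24.123.42", "08/Feb/2026", "/mifs/", f"Mozilla/5.0 (rotated-ua-{i})") for i in range(6)]
    + [
        _line("198.51.100.7", "08/Feb/2026", "/mifs/403.jsp", "curl/8.0"),
        _line("203.0.113.9", "08/Feb/2026", "/mifs/403.jsp", "python-requests/2.31", "404"),
    ]
)


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A request to /mifs/403.jsp that returns 200 deserves more urgency than one returning 404: the former suggests the dormant webshell is present and answering, the latter is more likely a probe. Either way the report's last step applies, because a hit from before the patch date means the forensic question is when the foothold was established, not whether the patch is installed.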
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.