Threat intelligence firm GreyNoise says it observed concentrated exploitation activity against two critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities—suggesting one dominant actor is doing most of the scanning and exploitation.

## The vulnerabilities

- Two critical Ivanti EPMM issues are being exploited in the wild (per vendor advisories and hotfix announcements).

- They allow **unauthenticated code injection leading to remote code execution (RCE)**.

## What GreyNoise observed

Between Feb 1–9, GreyNoise reports:

- **417** exploitation sessions from **8** unique source IPs

- **83%** of activity attributed to a single IP (`193.24.123.42`) hosted by **PROSPERO OOO (AS200593)**, described as a “bulletproof” autonomous system

- A major spike on Feb 8 with **269 sessions** in a single day

- **85%** of sessions used **OAST-style DNS callbacks** to validate command execution, consistent with “prove access” behavior often seen in initial access broker workflows

GreyNoise also notes the dominant IP was not present on widely circulated indicator lists, meaning defenders relying only on published IoCs may miss a large portion of the observed activity.

## Why it matters

High-volume automated exploitation of edge/admin systems is often a race against time: attackers need only a short window between disclosure/hotfix availability and patch adoption, and a single well-resourced actor can cover that window at scale.

## What to do

- Apply Ivanti hotfixes now and watch for the full patch releases that follow them.

- If you cannot patch immediately, consider network segmentation, temporary access restrictions, and monitoring for unusual callback/DNS verification behavior.

- Don’t rely solely on “popular IoC lists”—telemetry-driven controls (rate limiting, WAF rules, anomaly detection) matter.
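One way to put "monitoring for unusual callback/DNS verification behavior" into practice, as an added example written for this note (not GreyNoise's, Ivanti's or BleepingComputer's tooling): OAST-style verification probes typically resolve a unique, random-looking subdomain under one callback zone per probe, so the heuristic below flags a client that queries several distinct high-entropy leftmost labels under the same parent domain inside a short window. The log format, sample lines and the `oast.example` callback zone are all constructed placeholders.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample resolver log lines in a hypothetical "<ts> <client_ip> <qname>" format.
# "oast.example" stands in for an attacker-controlled callback zone; all values are made up.
SAMPLE_LOG = """\
2026-02-08T10:00:01Z 10.0.5.20 updates.vendor.example
2026-02-08T10:00:02Z 10.0.5.20 c9f3k2q7x8z1.oast.example
2026-02-08T10:00:03Z 10.0.5.20 p0a7m3v5w1r4.oast.example
2026-02-08T10:00:04Z 10.0.5.20 z8k1t6b2n9d3.oast.example
2026-02-08T10:00:05Z 10.0.5.20 h4s2j7l9q1e6.oast.example
2026-02-08T10:00:06Z 10.0.5.21 www.vendor.example
2026-02-08T10:00:07Z 10.0.5.21 mail.vendor.example
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def shannon_entropy(label: str) -> float:
    """Bits per character; random-looking tokens score higher than words."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def parent_domain(qname: str) -> str:
    """Last two labels: 'x.oast.example' -> 'oast.example' (no public-suffix handling)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_callback_candidates(log_text, min_unique=3, min_entropy=3.0, window_s=60):
    """Return {(client_ip, parent_domain): n} for clients that resolved >= min_unique
    distinct high-entropy leftmost labels under one parent within window_s seconds."""
    events = defaultdict(list)  # (client, parent) -> [(timestamp, label)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname = m.groups()
        label = qname.split(".")[0]
        if shannon_entropy(label) >= min_entropy:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            events[(client, parent_domain(qname))].append((when, label))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            labels = {lab for t, lab in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(labels) >= min_unique:
                hits[key] = len(labels)
                break
    return hits
```

Benign services (CDNs, telemetry, DNS-based tooling) also emit high-entropy labels, so treat hits as triage candidates and allowlist known parent domains rather than alerting on them blindly.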

Source: BleepingComputer (citing GreyNoise research).