GreyNoise says it observed a concentrated wave of exploitation attempts against Ivanti Endpoint Manager Mobile (EPMM), with one source standing out.

## What happened

- Two critical Ivanti EPMM vulnerabilities were exploited in the wild; they allow unauthenticated code injection, which gives the attacker remote code execution on the EPMM server.

- GreyNoise recorded 417 exploitation sessions between Feb 1 and Feb 9, 2026, originating from only 8 unique source IPs.

- One IP address (193.24.123.42), hosted on infrastructure the report described as “bulletproof,” accounted for roughly 83% of the observed sessions.

## Why it matters

Exploitation concentrated in a handful of sources points to automated tooling run at scale, plausibly by a single operator. GreyNoise also noted heavy use of OAST/DNS-callback verification: the injected payload makes a DNS lookup or HTTP request to an attacker-controlled hostname, so a single observed callback confirms that code executed without the attacker needing an interactive session. That pattern is commonly associated with attackers confirming which hosts are exploitable and harvesting them for later monetization or resale.

## Key details defenders should note

- A spike on Feb 8 drove a large portion of the sessions.

- Many sessions used DNS/OAST callback validation rather than an in-band response, so evidence of a successful attempt is as likely to appear in the appliance's outbound DNS or egress logs as in its web access log.

- The same infrastructure was observed probing and exploiting other products and CVEs in parallel, which points to broad opportunistic scanning rather than a campaign aimed at EPMM specifically.

## What to do

- Apply Ivanti's hotfixes/updates immediately. Because the flaws were already being exploited before many hosts were patched, treat the patch as the start rather than the end: hunt for follow-on compromise (persistence, new administrative accounts, unexpected outbound connections from the appliance).

- Don't rely exclusively on public IOC lists; IP-based indicators age quickly and a small set of sources can rotate. Add behavioral detections: outbound DNS or HTTP from the EPMM host to domains it has no business contacting (especially known OAST services), exploit-chain patterns in request logs, and anomalous EPMM traffic volumes or timing.

- Review internet-exposed EPMM instances for signs of compromise. Since the flaws allow unauthenticated remote code execution, an appliance that was exposed before patching may already carry an attacker's foothold, so consider rebuilding from a known-good image or migrating if vendor guidance or your risk posture calls for it.
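The behavioral checks above (callback detection, source concentration, correlating inbound attempts with outbound lookups) as an added, runnable example. This is not GreyNoise's, Ivanti's or any vendor's detection code: the log formats, the allowlist, the 10-second window, the request ids and every IP except 193.24.123.42 (the address named in the summary) are constructed assumptions for illustration. The OAST provider suffixes are real public callback services; the list is not exhaustive.

```python
"""Behavioral detections for an EPMM appliance, run over constructed logs.

Added example for this summary, not GreyNoise's or Ivanti's tooling. Log
formats, the allowlist, thresholds and all IPs other than 193.24.123.42
(taken from the summary) are assumptions. OAST suffixes are real services.
"""
from collections import Counter
from datetime import datetime, timedelta

# Suffixes of public out-of-band (OAST) services attackers use to confirm that
# injected code ran: the payload resolves a unique hostname and the attacker
# watches for the lookup. Assumed, non-exhaustive list.
OAST_SUFFIXES = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.me",
                 "interact.sh", "oastify.com", "burpcollaborator.net", "dnslog.cn")

# Domains the appliance legitimately resolves (assumed allowlist for the example).
EXPECTED_SUFFIXES = ("ivanti.com", "apple.com", "corp.example")

# Constructed logs. Each line is "<ISO timestamp> <ip> <value>".
# ACCESS_LOG: inbound requests, value = request id.
# DNS_LOG: outbound lookups made by the appliance, value = queried name.
ACCESS_LOG = """\
2026-02-08T03:14:05Z 193.24.123.42 r-0001
2026-02-08T03:14:06Z 193.24.123.42 r-0002
2026-02-08T03:14:07Z 193.24.123.42 r-0003
2026-02-08T03:14:08Z 203.0.113.7 r-0004
2026-02-08T03:14:30Z 193.24.123.42 r-0005
2026-02-08T03:15:02Z 198.51.100.9 r-0006
"""
DNS_LOG = """\
2026-02-08T03:14:04Z 10.20.0.5 push.apple.com
2026-02-08T03:14:09Z 10.20.0.5 c3vq1kd2fg5m8.oast.fun
2026-02-08T03:14:12Z 10.20.0.5 licensing.ivanti.com
2026-02-08T03:15:05Z 10.20.0.5 x9t8a.not-on-allowlist.test
"""


def parse(log):
    """Yield (timestamp, ip, value) tuples from a constructed log block."""
    for line in log.splitlines():
        ts, ip, value = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, value


def _has_suffix(name, suffixes):
    # Exact match or a proper subdomain; "oast.fun.evil.test" does not match.
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify_qname(qname):
    """'oast' for known callback services, 'expected' for allowlisted
    domains, otherwise 'unexpected' (worth review, not automatically bad)."""
    if _has_suffix(qname, OAST_SUFFIXES):
        return "oast"
    if _has_suffix(qname, EXPECTED_SUFFIXES):
        return "expected"
    return "unexpected"


def suspicious_lookups(dns_log):
    """Outbound lookups from the appliance that are not on the allowlist."""
    return [(ts, q, classify_qname(q)) for ts, _, q in parse(dns_log)
            if classify_qname(q) != "expected"]


def source_concentration(access_log):
    """Return (top_ip, share_of_requests, total). One source carrying most of
    the traffic is the 'one IP did ~83%' pattern from the summary."""
    counts = Counter(ip for _, ip, _ in parse(access_log))
    total = sum(counts.values())
    top_ip, n = counts.most_common(1)[0]
    return top_ip, n / total, total


def correlate(access_log, dns_log, window=timedelta(seconds=10)):
    """Pair each suspicious outbound lookup with the inbound source IPs seen
    in the preceding window: an exploit attempt followed by its callback."""
    inbound = list(parse(access_log))
    hits = []
    for ts, qname, verdict in suspicious_lookups(dns_log):
        sources = sorted({ip for its, ip, _ in inbound if ts - window <= its <= ts})
        hits.append({"qname": qname, "verdict": verdict, "sources": sources})
    return hits


if __name__ == "__main__":
    print(source_concentration(ACCESS_LOG))
    for hit in correlate(ACCESS_LOG, DNS_LOG):
        print(hit)
```

The correlation step is the part that survives IP rotation: even with no indicator for the source, an outbound lookup to a callback domain within seconds of an inbound request from a previously unseen address is a high-signal event on an appliance that should only ever resolve a short, stable set of names. Tune the allowlist from a week of baseline DNS logs before alerting on "unexpected" verdicts, or the noise will bury the "oast" ones.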