Ivanti EPMM exposed to Internet under automated attack from PROSPERO infrastructure

Published · 5 min read

Alarms recently went off in the cybersecurity world over a critical weakness in Ivanti Endpoint Manager Mobile (EPMM). Researchers at the network intelligence firm GreyNoise detected hundreds of exploitation attempts aimed at this flaw, and what stood out was not just the volume but the concentration: most of the malicious activity came from a single IP address hosted on bulletproof-style infrastructure associated with PROSPERO. That a single actor or platform coordinates most of the attacks points to large-scale automation and well-developed reconnaissance strategies. GreyNoise published more technical details and initial figures in its analysis of the active exploitation of Ivanti: https://www.greynoise.io/blog/active-ivanti-exploitation.

The vulnerabilities in question allow, in the worst case, unauthenticated remote code execution, which heightens the danger. One of them, tracked as CVE-2026-1281, received a very high CVSS score (9.8), and attackers have been observed probing these flaws immediately after their public disclosure. In environments where mobile device management (MDM) is exposed to the Internet, a gap in the management system can become a gateway to compromising the entire corporate infrastructure.

Image generated with AI.

The activity pattern described by GreyNoise was not limited to Ivanti: the same IP that generated a large volume of attempts against EPMM was simultaneously exploiting other vulnerabilities in unrelated products. These include flaws in Oracle WebLogic, the GNU InetUtils telnet daemon and GLPI, the latter publicly referenced in the NIST vulnerability database as CVE-2025-24799. Working multiple products at once is typical of automated tools that sweep the Internet in search of vulnerable targets.

Another relevant data point is the diversity of the attacker's footprint: GreyNoise recorded rotation through more than 300 user-agent strings emulating different browsers and operating systems. This mosaic of signatures helps camouflage the activity and evade simple detection rules. In addition, approximately 85% of the sessions followed a check pattern based on DNS queries to determine whether the target was exploitable, without initially deploying malware or extracting information. This reconnaissance technique reduces the attacker's exposure and lets the attacker catalogue targets that are susceptible to future access.

This method fits what the industry calls "initial access broker" tradecraft: actors who obtain initial access to networks and then sell or hand it to other groups for extortion, espionage or the deployment of malicious payloads. In recent days, Defused Cyber reported on a campaign that left a "sleeper shell", an in-memory Java loader, on compromised EPMM instances, hosted at the path /mifs/403.jsp. Leaving a backdoor dormant until a later reactivation is precisely consistent with initial access operations intended to be monetized later.

The association of the IP with a network assessed as belonging to PROSPERO, and the connection some analysts draw to another autonomous system with a history of distributing various types of malware, underlines the continuity between abuse-tolerant ("resilient") attack infrastructure and organized criminal activity. Although mere membership of an infrastructure does not prove individual authorship of the attacks, it does provide important operational context for defenders and response teams.

What should security teams using Ivanti EPMM do? The priority is to apply the patches published by the vendor and review any EPMM instances exposed to the Internet. Ivanti maintains a page with its security advisories and updates, where official recommendations and available patches should be consulted: https://www.ivanti.com/support/security-advices. Beyond immediate patching, it is essential to audit the external attack surface, look for unusual access traces and analyze DNS records to identify callbacks that match the check patterns (out-of-band application security testing).

Another reasonable defensive measure is to check whether the path /mifs/403.jsp, or any other sign of a persistent in-memory payload, appears on EPMM instances, and to block at the network perimeter the autonomous system attributed to PROSPERO (AS200593) where possible. These actions do not guarantee total immunity, but they significantly raise the cost for an attacker trying to exploit the device management infrastructure.
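As an added example (not code from GreyNoise, Defused Cyber, Ivanti or this article), the following Python script triages constructed web-server access-log lines for the two indicators discussed above: requests to the /mifs/403.jsp path and source IPs that rotate through many user-agent strings. The combined log format, the sample lines and the rotation threshold are assumptions.

```python
"""Access-log triage for an Ivanti EPMM host (added example, not the article's or GreyNoise's code).
Flags requests to the reported sleeper-shell path /mifs/403.jsp and source IPs that rotate through
many user-agent strings. Log format, sample lines and threshold are assumptions."""
import re
from collections import defaultdict

# Assumed combined format: ip - - [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SLEEPER_PATH = "/mifs/403.jsp"  # path reported by Defused Cyber for the in-memory loader
UA_ROTATION_THRESHOLD = 5       # assumed: distinct UAs from one IP before flagging it

def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(lines):
    """Return (sleeper_hits, rotating_sources) for a list of raw access-log lines."""
    uas_by_ip = defaultdict(set)
    sleeper_hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not fit the assumed format
        uas_by_ip[rec["ip"]].add(rec["ua"])
        if rec["path"].split("?", 1)[0].lower() == SLEEPER_PATH:
            sleeper_hits.append((rec["ip"], rec["method"], rec["status"]))
    rotating = {ip: len(s) for ip, s in uas_by_ip.items() if len(s) >= UA_ROTATION_THRESHOLD}
    return sleeper_hits, rotating

def _line(ip, method, path, status, ua):
    return f'{ip} - - [01/Jan/2026:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

# Constructed sample log: one scanner (documentation-range IP 203.0.113.7) and one normal user.
SAMPLE_LOG = [
    _line("203.0.113.7", "GET", "/mifs/c/d/android.html", 404, f"Mozilla/5.0 (probe {i})")
    for i in range(6)
] + [
    _line("203.0.113.7", "POST", "/mifs/403.jsp", 200, "curl/8.0"),
    _line("198.51.100.5", "GET", "/mifs/login.jsp", 200, "Mozilla/5.0 (Windows NT 10.0)"),
]

if __name__ == "__main__":
    hits, rotating = triage(SAMPLE_LOG)
    print("sleeper-shell hits:", hits)
    print("user-agent rotation (ip: distinct UAs):", rotating)
```

A hit on the sleeper path or a source with unusually many user agents is a lead for investigation, not proof of compromise on its own.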

The consequences of a compromised EPMM are serious because they allow an attacker to manipulate the management of mobile devices and endpoints across an entire organization, opening internal paths that can bypass traditional network segmentation. That is why security teams must act on the premise that critical vulnerabilities are likely to be exploited within hours of publication, and design response and mitigation processes that match that speed.

Image generated with AI.

Beyond patches and blocks, this incident should serve as a reminder of broader practices: limiting the public exposure of management tools, rigorously segmenting remote access, strengthening DNS traffic monitoring and applying behavior-based detections that do not depend solely on static signatures. Device management security is a pillar of corporate resilience; when that link fails, users, data and operational continuity are affected.

The episode also invites reflection on the economics of cybercrime: the preference for abuse-tolerant infrastructure, the use of mass scanning to catalogue victims and the dormant in-memory backdoors indicate that many attackers are not looking for immediate impact but for a portfolio of access that can be monetized over time. For organizations, the response must be equally patient and methodical: patch, investigate, harden and, where appropriate, share findings with authorities and the community to reduce these operators' room for action.

If you manage EPMM or administer an MDM exposed to the Internet, prioritize assessment and remediation right now. The evidence suggests that the operation is fast and that the attackers have automated tools that test multiple vectors at once. Stay informed through the vendor's official advisories and network intelligence analyses such as the one published by GreyNoise, and consider establishing additional controls to detect and contain suspicious activity.
