ONE Sentinel

83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure

Source: The Hacker News
February 12, 2026

EXECUTIVE SUMMARY

Majority of Ivanti EPMM Exploits Traced to Single IP on Bulletproof Hosting

Summary

The article discusses a significant security issue involving Ivanti Endpoint Manager Mobile (EPMM), where 83% of exploitation attempts are traced back to a single IP address. This IP is part of a bulletproof hosting infrastructure provided by PROSPERO.

Key Points

  • 83% of Ivanti EPMM exploitation attempts are linked to one IP address.
  • The incidents were recorded by GreyNoise between February 1 and 9, 2026.
  • A total of 417 exploitation sessions were noted from 8 unique IP addresses.
  • 346 of these sessions were traced back to the single IP address on PROSPERO's infrastructure.
  • The issue involves a newly disclosed security flaw in Ivanti EPMM.

Analysis

This situation highlights the risks associated with bulletproof hosting services, which can be used to carry out malicious activity. The concentration of exploitation attempts from a single IP suggests a coordinated attack, emphasizing the need for robust monitoring and response strategies. The involvement of a newly disclosed flaw in Ivanti EPMM underscores the importance of timely patching and vulnerability management.

Conclusion

IT professionals should prioritize patching the identified vulnerability in Ivanti EPMM and enhance monitoring of network traffic to detect and mitigate potential exploitation attempts from suspicious IP addresses.