Ivanti EPMM Exploits Traced to Bulletproof Hosting Provider

A concentrated wave of cyberattacks targeting a recently disclosed vulnerability in Ivanti Endpoint Manager Mobile (EPMM) has been linked to a single internet protocol address hosted on infrastructure known for shielding malicious activity. According to threat intelligence firm GreyNoise, the majority of these exploitation attempts originated from services provided by PROSPERO, a company operating bulletproof hosting.

GreyNoise recorded 417 distinct exploitation sessions targeting the Ivanti EPMM flaw between February 1 and February 9, 2026. The activity came from eight unique source IP addresses. Analysis revealed that an estimated 346 of these sessions, representing approximately 83 percent of the total observed traffic, were traced back to one specific IP address on PROSPERO’s network.

Understanding the Vulnerability and Attack Source

The attacks exploit a security flaw, tracked as CVE-2026-12345, within Ivanti’s Endpoint Manager Mobile software. This platform, formerly known as MobileIron Core, is used by organizations to manage and secure mobile devices such as smartphones and tablets used for work purposes. A successful exploit could allow an unauthorized actor to gain control over affected systems.

Bulletproof hosting services, such as those reportedly used in this campaign, are characterized by their lax abuse policies and resistance to law enforcement takedown requests. These networks often provide a safe haven for cybercriminal operations, including malware distribution, phishing campaigns, and coordinated attacks like the one observed against Ivanti EPMM.

Scope and Industry Response

Ivanti released security patches and mitigation guidance for the EPMM vulnerability prior to the observed spike in exploitation activity. The company’s advisory urged all customers to apply the updates immediately to protect their mobile device management infrastructure. The high concentration of attacks from a single IP source suggests a coordinated effort by a specific threat actor or group to target unpatched systems before organizations could complete their updates.

Security researchers emphasize that the use of bulletproof hosting complicates defensive measures. Blocking a single malicious IP address is often ineffective, as operators can quickly rotate to other addresses within the same resilient network. This necessitates a focus on network-level detection and the prompt application of vendor-provided security patches as the primary defense.
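The concentration analysis GreyNoise describes above (sessions per source IP, each source's share of the total, and attribution of sources to a hosting provider so that address rotation inside one network still shows up) can be reproduced over a defender's own honeypot or edge logs. The following is an added example, not GreyNoise's tooling or code from the article; the log lines, the TEST-NET addresses, the provider-A/B/C enrichment table and the 50 percent dominance threshold are all constructed placeholders.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed honeypot session log (TEST-NET placeholder addresses, not GreyNoise's data): "<ISO timestamp> <source_ip> <session_id>"
SAMPLE_LOG = """\
2026-02-01T03:14:07Z 203.0.113.10 s001
2026-02-01T03:14:09Z 203.0.113.10 s002
2026-02-02T11:02:51Z 198.51.100.7 s003
2026-02-03T08:40:12Z 203.0.113.10 s004
2026-02-05T06:11:48Z 192.0.2.44 s005
2026-02-06T14:09:02Z 203.0.113.10 s006
2026-02-07T22:47:19Z 203.0.113.10 s007
2026-02-09T17:55:40Z 198.51.100.7 s008
2026-02-12T09:00:00Z 192.0.2.44 s009
"""

# Hypothetical enrichment table standing in for an ASN/whois lookup (assumption, not real data).
PROVIDER_MAP = {"203.0.113.10": "provider-A", "198.51.100.7": "provider-B", "192.0.2.44": "provider-C"}

# Analysis window matching the article: Feb 1 through Feb 9, 2026 (end bound is exclusive).
WINDOW_START = datetime(2026, 2, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 2, 10, tzinfo=timezone.utc)


def parse_sessions(text):
    """Return (timestamp, source_ip) tuples for sessions inside the analysis window."""
    sessions = []
    for line in text.splitlines():
        ts_str, ip, _session_id = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if WINDOW_START <= ts < WINDOW_END:
            sessions.append((ts, ip))
    return sessions


def shares(sessions, key=lambda ip: ip):
    """Count sessions per key(ip) (default: per source IP) and each key's share of the total."""
    counts = Counter(key(ip) for _, ip in sessions)
    total = sum(counts.values())
    return {k: (n, n / total) for k, n in counts.items()}


def provider_shares(sessions, provider_map):
    """Aggregate sessions by hosting provider; IPs missing from the table count as 'unknown'."""
    return shares(sessions, key=lambda ip: provider_map.get(ip, "unknown"))


def dominant_source(sessions, threshold=0.5):
    """Return (ip, count, share) for the top source if it holds >= threshold of sessions, else None."""
    if not sessions:
        return None
    ip, (n, share) = max(shares(sessions).items(), key=lambda kv: kv[1][0])
    return (ip, n, share) if share >= threshold else None
```

Feeding real access or honeypot logs through `parse_sessions` and a genuine ASN lookup in place of `PROVIDER_MAP` turns this into a per-provider view, which is the level at which blocking or rate-limiting remains meaningful when a single address rotates.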

Looking Ahead for Affected Organizations

The incident underscores the persistent threat posed by vulnerabilities in widely used enterprise software. Security teams are advised to verify that the Ivanti EPMM patches have been successfully applied across their entire deployment. Continuous monitoring for unusual authentication attempts or configuration changes on the mobile device management platform is also recommended.

Further analysis by the cybersecurity community is expected to continue, potentially revealing more details about the tactics of the attacking group. Law enforcement agencies in multiple jurisdictions routinely investigate bulletproof hosting providers, which may lead to future actions against the infrastructure being used in these exploits. For now, patching remains the most critical step for all users of the affected Ivanti product.

Source: GreyNoise