One threat actor responsible for 83% of recent Ivanti RCE attacks

Bleeping Computer
by Bill Toulas
February 14, 2026
AI-Generated Deep Dive Summary
A single threat actor has been identified as the source of more than 83% of recent remote code execution (RCE) attacks against two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Both flaws allow unauthenticated code injection, giving an attacker RCE on unpatched appliances.

GreyNoise Intelligence reports that most of the exploitation activity comes from one IP address, 193[.]24[.]123[.]42, hosted by PROSPERO OOO, a provider known for bulletproof infrastructure used in attacks on a range of software products. Between February 1 and February 9, GreyNoise observed 417 exploitation sessions from eight unique source IPs; 83% of them came from that one address. Activity peaked on February 8 with 269 attacks in a single day, nearly 13 times the daily average.

The researchers note that this IP does not appear in the widely published indicators of compromise (IoCs) for the Ivanti flaws, a blind spot for defenders who rely only on known threat intelligence.

The actor's operations look highly automated: requests cycle through multiple user agents to evade detection, and the same infrastructure simultaneously exploits three further vulnerabilities: CVE-2026-21962 in Oracle WebLogic, CVE-2026-24061 in GNU inetutils telnetd, and CVE-2025-24799 in GLPI. The Oracle WebLogic flaw was the most exploited, with 2,902 sessions, followed by the telnetd issue with 497 sessions. GreyNoise also observed OAST-style DNS callbacks in 85% of the Ivanti-related attacks, indicating initial access
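The IoC blind spot and the automation markers described above (a single source address that is on no published indicator list, rotating user agents, a one-day volume spike) can be hunted behaviourally rather than by list lookup. The following is an added example, not code from the article, Bleeping Computer or GreyNoise; its log lines are constructed in combined log format, the request path is a placeholder, and the thresholds (four distinct user agents per source, three times the leave-one-out daily mean) are assumptions chosen for illustration.

```python
"""Behavioural hunt over web-server access logs for the pattern the summary
describes: one source address absent from public IoC lists, rotating
User-Agent strings, and a single-day request spike.

Added example for this page; not code from the article or from GreyNoise.
The log lines are constructed, the request path is a placeholder, and the
thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample (combined log format): eight requests on 8 Feb from the
# address named in the report, plus background traffic from two addresses in
# the RFC 5737 documentation ranges. The "/" path is a placeholder only.
SAMPLE_LOG = """\
193.24.123.42 - - [07/Feb/2026:10:01:12 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
193.24.123.42 - - [07/Feb/2026:10:01:13 +0000] "POST / HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
203.0.113.9 - - [07/Feb/2026:11:30:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/8.4.0"
193.24.123.42 - - [08/Feb/2026:02:14:55 +0000] "POST / HTTP/1.1" 200 512 "-" "curl/8.4.0"
193.24.123.42 - - [08/Feb/2026:02:14:56 +0000] "POST / HTTP/1.1" 200 512 "-" "Go-http-client/1.1"
193.24.123.42 - - [08/Feb/2026:02:14:57 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
193.24.123.42 - - [08/Feb/2026:02:14:58 +0000] "POST / HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
193.24.123.42 - - [08/Feb/2026:02:14:59 +0000] "POST / HTTP/1.1" 200 512 "-" "curl/8.4.0"
193.24.123.42 - - [08/Feb/2026:02:15:00 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
193.24.123.42 - - [08/Feb/2026:02:15:01 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
193.24.123.42 - - [08/Feb/2026:02:15:02 +0000] "POST / HTTP/1.1" 200 512 "-" "Wget/1.21.4"
203.0.113.9 - - [09/Feb/2026:09:00:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/8.4.0"
198.51.100.77 - - [09/Feb/2026:15:45:10 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Return a list of (ip, day, user_agent) for each well-formed line; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        day = datetime.strptime(m["ts"].split(":", 1)[0], "%d/%b/%Y").date()
        records.append((m["ip"], day, m["ua"]))
    return records


def ioc_hits(records, iocs):
    """Plain indicator match: the check that misses any address not on the list."""
    return sorted({ip for ip, _, _ in records if ip in iocs})


def user_agent_rotation(records, min_agents=4):
    """Source addresses presenting at least min_agents distinct User-Agent strings.
    Needs no IoC list at all: the report's address was missing from published
    indicators, but tooling that cycles user agents still stands out."""
    agents = defaultdict(set)
    for ip, _, ua in records:
        agents[ip].add(ua)
    return {ip: len(uas) for ip, uas in agents.items() if len(uas) >= min_agents}


def daily_spikes(records, factor=3.0):
    """Days whose request count is at least `factor` times the mean of the other
    observed days. Leave-one-out so the spike does not inflate its own baseline."""
    per_day = Counter(day for _, day, _ in records)
    if len(per_day) < 2:
        return {}
    spikes = {}
    for day, n in per_day.items():
        others = [c for d, c in per_day.items() if d != day]
        baseline = sum(others) / len(others)
        if n >= factor * baseline:
            spikes[day] = (n, round(n / baseline, 1))
    return spikes


def hunt(text, iocs=frozenset()):
    """Run the list-based check and the two behavioural checks side by side."""
    records = parse_log(text)
    return {
        "ioc_hits": ioc_hits(records, iocs),
        "ua_rotation": user_agent_rotation(records),
        "spikes": daily_spikes(records),
    }


if __name__ == "__main__":
    # With an empty IoC list the address is still surfaced by behaviour alone.
    print(hunt(SAMPLE_LOG))
    print(hunt(SAMPLE_LOG, iocs={"193.24.123.42"}))
```

Run against real access logs, the two behavioural checks are the ones worth tuning: the user-agent threshold should sit above what legitimate shared egress (a corporate NAT, a CDN) produces for your appliance, and the spike factor should be computed over a window long enough that one busy day of normal traffic does not trip it.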