More than 80% of exploitation activity targeting critical vulnerabilities in Ivanti Endpoint Manager Mobile was traced to a single IP address hiding behind bulletproof hosting infrastructure, according to a report released Tuesday by GreyNoise.
Researchers warn that several of the most widely shared indicators of compromise linked to the current campaign do not reflect activity against Ivanti EPMM at all. The concern is that security teams relying on them may therefore be hunting for the wrong thing: the traffic behind those IoCs is scanning for Oracle WebLogic instead, according to GreyNoise researchers.
GreyNoise researchers said Ivanti exploitation accounted for only 9% of the activity they saw from that single IP: 346 sessions targeting Ivanti EPMM versus 2,902 targeting Oracle WebLogic.
“An analyst looking at that infrastructure would see overwhelmingly Oracle traffic, and the Ivanti component could easily be overlooked,” Noah Stone, head of content at GreyNoise, told Cybersecurity Dive.
Late last month, Ivanti disclosed critical code injection vulnerabilities tracked under CVE-2026-1281 and CVE-2026-1340. The flaws impact the on-premises version of Ivanti EPMM and could allow an attacker to achieve remote code execution.
GreyNoise researchers first detected threat activity targeting CVE-2026-1281 on Feb. 1 and recorded 417 exploitation sessions through Feb. 9 from eight unique source IPs. One IP, registered to Prospero OOO, generated 83% of the sessions. The IP was geolocated to St. Petersburg, Russia, according to GreyNoise.
Threat activity has accelerated in recent days, with GreyNoise data showing 269 sessions on Sunday, a sharp increase from the prior daily average of 21. Researchers from Shadowserver Foundation on Tuesday reported a surge in threat activity. More than 28,000 source IPs were observed in Shadowserver data, with more than 20,000 seen from U.S. networks.
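Both GreyNoise observations above translate into concrete triage steps: before acting on a shared IoC IP, check what share of that IP's sessions actually target the product you care about, and when looking for a surge, count sessions per target product rather than per source, since a daily spike in EPMM activity can disappear inside an IP's much larger WebLogic noise. The Python below is an added example, not code from GreyNoise, Ivanti or the article. The session records, the `epmm`/`weblogic` labels, the IP addresses (RFC 5737 documentation ranges), and the 50% share threshold and 5x spike factor are all constructed or assumed for the example.

```python
"""Triage shared IoC IPs and daily volumes against your own session records.

All data below is constructed for this example; none of it is GreyNoise,
Shadowserver or Ivanti data.
"""
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample records: (day, source IP, target product, session count).
# Source IPs are RFC 5737 documentation addresses chosen for the example.
SAMPLE_SESSIONS = [
    ("2026-02-01", "203.0.113.7", "weblogic", 300),
    ("2026-02-01", "203.0.113.7", "epmm", 20),
    ("2026-02-01", "198.51.100.22", "epmm", 5),
    ("2026-02-02", "203.0.113.7", "weblogic", 300),
    ("2026-02-02", "203.0.113.7", "epmm", 20),
    ("2026-02-02", "198.51.100.22", "epmm", 5),
    ("2026-02-02", "192.0.2.9", "weblogic", 40),
    ("2026-02-03", "203.0.113.7", "weblogic", 300),
    ("2026-02-03", "203.0.113.7", "epmm", 20),
    ("2026-02-03", "198.51.100.22", "epmm", 5),
    ("2026-02-04", "203.0.113.7", "weblogic", 300),
    ("2026-02-04", "198.51.100.22", "epmm", 5),
    ("2026-02-05", "203.0.113.7", "weblogic", 300),
    ("2026-02-05", "203.0.113.7", "epmm", 150),
    ("2026-02-05", "198.51.100.22", "epmm", 5),
]


def target_mix(sessions):
    """Per source IP, how many sessions hit each target product."""
    mix = defaultdict(Counter)
    for _day, ip, target, n in sessions:
        mix[ip][target] += n
    return mix


def product_share(sessions, ip, product):
    """Fraction of an IP's sessions that target `product` (0.0 if the IP is unseen)."""
    counts = target_mix(sessions).get(ip)
    if not counts:
        return 0.0
    return counts[product] / sum(counts.values())


def misleading_indicators(sessions, product, ioc_ips, threshold=0.5):
    """IoC IPs whose traffic is mostly something other than `product`.

    Returns {ip: share} for listed IPs whose `product` share is below
    `threshold` (assumed default 50%). An IP never seen at all is reported
    with share 0.0 so a dead indicator stays visible instead of vanishing.
    """
    out = {}
    for ip in ioc_ips:
        share = product_share(sessions, ip, product)
        if share < threshold:
            out[ip] = share
    return out


def daily_counts(sessions, product=None):
    """Sessions per day, optionally restricted to one target product."""
    per_day = Counter()
    for day, _ip, target, n in sessions:
        if product is None or target == product:
            per_day[day] += n
    return dict(sorted(per_day.items()))


def spike_days(sessions, product=None, factor=5.0):
    """Days whose count exceeds `factor` times the mean of all prior days."""
    counts = daily_counts(sessions, product)
    days = list(counts)
    spikes = []
    for i in range(1, len(days)):
        prior = mean(counts[d] for d in days[:i])
        if prior > 0 and counts[days[i]] > factor * prior:
            spikes.append(days[i])
    return spikes


if __name__ == "__main__":
    ioc_list = ["203.0.113.7", "198.51.100.22", "192.0.2.9"]  # constructed IoC list
    for ip, share in misleading_indicators(SAMPLE_SESSIONS, "epmm", ioc_list).items():
        print(f"{ip}: only {share:.0%} of sessions target epmm; "
              f"mix = {dict(target_mix(SAMPLE_SESSIONS)[ip])}")
    print("epmm sessions per day:", daily_counts(SAMPLE_SESSIONS, "epmm"))
    print("epmm spike days:", spike_days(SAMPLE_SESSIONS, "epmm"))
    print("all-traffic spike days:", spike_days(SAMPLE_SESSIONS))
```

With the constructed data, the heavy source 203.0.113.7 is flagged because only about 12% of its sessions target EPMM, and the fivefold jump in EPMM sessions on the last day is only detected when counts are restricted to that product; the same day is unremarkable when all of the IP's traffic is counted together.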
Ivanti said its recommendations remain the same. Customers that haven’t patched should do so immediately and then check their appliances for any previous signs of exploitation.
“Applying the patch is the most effective way to prevent exploitation, regardless of how IOCs change over time, especially once a POC is available,” a spokesperson for Ivanti told Cybersecurity Dive via email. “The patch requires no downtime and takes only seconds to apply.”
As previously reported, the Dutch Data Protection Authority and the Judicial Council were breached through Ivanti EPMM exploitation. The European Commission was also investigating an attack linked to Ivanti EPMM.
An investigation into the EC incident showed a possible leak of data, including names and numbers of certain staff members, according to a source familiar with the investigation. Measures were taken to mitigate the vulnerabilities, and further steps are being taken to reduce the overall risk.
Editor’s note: Adds comments from GreyNoise and Ivanti.