Two critical Ivanti Endpoint Manager Mobile vulnerabilities, CVE-2026-21962 and CVE-2026-24061, are being actively exploited for unauthenticated remote code execution, with vendor hotfixes released and full patches promised in EPMM 12.8.0.0. Most exploitation activity (over 83%) traces to a single IP hosted on bulletproof infrastructure, prompting recommendations to apply temporary RPM mitigations or migrate to a rebuilt EPMM instance. #IvantiEPMM #PROSPERO_OOO
Key points
- A single IP (193[.]24[.]123[.]42) accounts for more than 83% of exploitation of CVE-2026-21962 and CVE-2026-24061.
- GreyNoise observed 417 exploitation sessions from Feb 1–9, with a spike of 269 sessions on Feb 8.
- About 85% of sessions used OAST-style DNS callbacks, indicating initial access broker activity.
- The exploitation appears fully automated: it rotates roughly 300 user agents and the same infrastructure also targets Oracle WebLogic, GNU Inetutils Telnetd, and GLPI.
- Ivanti released hotfixes and recommends specific RPM workarounds, or migration to a rebuilt replacement EPMM instance, until full patches (v12.8.0.0) are available.