
83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure

Severity: Medium
Tags: exploit, mobile, rce
Published: Thu Feb 12 2026 (02/12/2026, 07:32:00 UTC)
Source: The Hacker News

Description

A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. Threat intelligence firm GreyNoise said it recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026. An estimated 346

AI-Powered Analysis

Last updated: 02/13/2026, 07:30:39 UTC

Technical Analysis

Ivanti Endpoint Manager Mobile (EPMM) is affected by a critical unauthenticated remote code execution vulnerability, CVE-2026-1281 (CVSS 9.8), and a related vulnerability, CVE-2026-1340. GreyNoise recorded 417 exploitation sessions from eight unique source IPs between February 1 and 9, 2026. 83% of them came from a single address, 193.24.123.42, hosted on bulletproof infrastructure operated by PROSPERO, which is linked to Proton66, a network known for distributing multiple malware families.

The attacker uses automated tooling that cycles through more than 300 distinct User-Agent strings spanning several browsers and operating systems. That is not browser behavior: a real client keeps one User-Agent for a session, and rotating them defeats User-Agent-based blocklists and signatures and makes the activity harder to pick out of access logs. The exploitation pattern relies on out-of-band application security testing (OAST) callbacks over DNS: the payload makes the target resolve an attacker-controlled name, which confirms code execution without dropping malware or exfiltrating data. That is consistent with initial access broker tradecraft, cataloguing vulnerable systems for later exploitation or resale of access.

The same IP concurrently exploits other critical vulnerabilities in Oracle WebLogic (CVE-2026-21962), GNU InetUtils telnetd (CVE-2026-24061) and GLPI (CVE-2025-24799), indicating a broad campaign rather than one aimed solely at EPMM. European institutions including the Dutch Data Protection Authority, the European Commission and Finland's Valtori have confirmed targeting attempts. On compromised EPMM instances, a dormant in-memory Java class loader at /mifs/403.jsp has been found, which points to preparation for persistent access and later lateral movement.

Ivanti recommends immediate patching, auditing of MDM infrastructure and monitoring for exploitation indicators. Blocking PROSPERO's autonomous system (AS200593) at the network perimeter is advised to reduce exposure, though it is a noise-reduction measure rather than a substitute for patching, since the same actor can move to other hosting.

Successful exploitation threatens confidentiality, integrity and availability: the attacker gains control of the device management platform, which can be used to bypass network segmentation and compromise the wider organization.
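The session statistics above (sessions per source, share from the busiest IP, User-Agent cycling, requests for /mifs/403.jsp) can be pulled from an ordinary web access log. The following Python is an added example written for this page, not GreyNoise's or Ivanti's tooling. Its log lines are constructed, the source addresses are RFC 5737 documentation ranges rather than the IP named in the article, and the request paths are generic because the page does not show the exploit request itself.

```python
"""Profile exploitation sessions in a combined-format web access log.

Added example: reproduces the kind of numbers the analysis reports
(sessions per source IP, share of the busiest IP, User-Agent cycling,
hits on /mifs/403.jsp). All log lines below are constructed; source
addresses are RFC 5737 documentation ranges and the request paths are
generic placeholders, not the exploit request.
"""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one source rotating User-Agents, then touching the
# loader path with curl; two other sources with one request each.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2026:03:14:01 +0000] "POST /mifs/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
203.0.113.7 - - [02/Feb/2026:03:14:02 +0000] "POST /mifs/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15"
203.0.113.7 - - [02/Feb/2026:03:14:03 +0000] "POST /mifs/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
203.0.113.7 - - [02/Feb/2026:03:14:04 +0000] "POST /mifs/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X) Mobile/15E148"
203.0.113.7 - - [02/Feb/2026:03:14:05 +0000] "POST /mifs/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 14) Chrome/120.0 Mobile"
203.0.113.7 - - [02/Feb/2026:03:14:06 +0000] "POST /mifs/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
203.0.113.7 - - [02/Feb/2026:03:14:07 +0000] "POST /mifs/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
203.0.113.7 - - [02/Feb/2026:03:15:40 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 64 "-" "curl/8.4.0"
198.51.100.20 - - [02/Feb/2026:09:02:11 +0000] "POST /mifs/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.33 - - [03/Feb/2026:17:45:09 +0000] "GET /mifs/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def sessions_per_ip(records):
    """Request count per source address."""
    return Counter(r["ip"] for r in records)


def top_source_share(records):
    """Return (ip, share) for the source responsible for the most requests."""
    counts = sessions_per_ip(records)
    ip, n = counts.most_common(1)[0]
    return ip, n / sum(counts.values())


def ua_cycling_sources(records, min_distinct_ua=3):
    """Sources rotating through many User-Agents. A human browser keeps one UA
    for a session; tooling cycling through a UA list does not."""
    uas = defaultdict(set)
    for r in records:
        uas[r["ip"]].add(r["ua"])
    return {ip: len(s) for ip, s in uas.items() if len(s) >= min_distinct_ua}


def loader_path_hits(records, path="/mifs/403.jsp"):
    """Requests for the path where the analysis reports the dormant class loader."""
    return [(r["ip"], r["time"], r["status"]) for r in records if r["path"] == path]


def report(text):
    """Summarize a log the way the GreyNoise figures are presented."""
    records = parse_log(text)
    ip, share = top_source_share(records)
    return {
        "sessions": len(records),
        "unique_sources": len(sessions_per_ip(records)),
        "top_ip": ip,
        "top_share_pct": round(share * 100, 1),
        "ua_cycling": ua_cycling_sources(records),
        "loader_hits": loader_path_hits(records),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the busiest source accounts for 80% of requests and presents six distinct User-Agents, so it is flagged for cycling; the single request for /mifs/403.jsp is listed separately because a hit on that path is worth an incident ticket on its own, whatever the source's volume. Point `report` at a real EPMM access log and raise `min_distinct_ua` to a value that suits your traffic.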

Potential Impact

For European organizations running Ivanti EPMM, this vulnerability poses a significant risk of unauthenticated remote code execution and full compromise of the device management infrastructure. Because an MDM server pushes configuration, applications and certificates to every enrolled device, an attacker who controls it can control managed devices, deploy malicious profiles, exfiltrate sensitive data and pivot into internal networks, undermining the segmentation and access controls the MDM was meant to enforce. The confirmed targeting of government agencies and regulatory bodies raises the likelihood of espionage, disruption of public services and exposure of citizen data. Bulletproof hosting of the kind PROSPERO offers ignores abuse complaints, so the attacking infrastructure is unlikely to be taken down quickly and the campaign can persist. The concurrent exploitation of other critical vulnerabilities from the same infrastructure means organizations that do not run EPMM may still see the same source in their logs. Failure to patch and monitor promptly could result in widespread compromise, GDPR penalties for resulting data breaches, and reputational damage.

Mitigation Recommendations

European organizations should immediately apply the patches Ivanti released for CVE-2026-1281 and CVE-2026-1340. Patching closes the entry point but does not evict an attacker who already got in, so treat every internet-facing EPMM instance that was unpatched during the early-February window as potentially compromised until it has been audited.

Audit all internet-facing MDM infrastructure for signs of compromise: unusual access patterns, requests to /mifs/403.jsp in the web server logs, and the in-memory Java class loader itself. Because the loader is described as living in memory, a search of the filesystem alone may miss it; review access logs for that path and, if a host is suspect, capture memory and logs before restarting, since a reboot clears the implant along with the evidence.

Monitor DNS logs for OAST callbacks. An EPMM appliance should resolve only a small, stable set of names (its own hostname, push notification services, update and licensing endpoints), so any query from it for an unfamiliar domain, and in particular a long random-looking label under a known interaction service, is a strong indicator that an exploit payload executed.

Block PROSPERO's autonomous system (AS200593) and the related IP addresses at the network perimeter. This removes the bulk of the observed traffic but is a noise-reduction measure, not a control: the same actor can move to other hosting, so it does not replace patching or hunting.

Use the indicators of compromise and exploitation detection scripts published by Ivanti and GreyNoise, including the high-fidelity IoCs developed in collaboration with NCSC-NL, for threat hunting. Enhance logging and alerting on MDM servers and VPN concentrators to detect lateral movement. Restrict administrative access to the MDM platform with multi-factor authentication and network segmentation, and do not expose the administrative portal to the internet if only the device enrollment and check-in endpoints need to be reachable. Keep all related software components patched to reduce the attack surface, and share indicators with national cybersecurity agencies and industry groups to stay informed on evolving tactics.
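The DNS monitoring recommendation above, as an added example that is not part of the original article or of any vendor tooling. It applies two checks to resolver query logs: names under commonly used OAST/interaction services, and queries from the MDM host for names outside an expected allowlist, with random-looking leftmost labels flagged separately. The log lines, the MDM address 10.20.30.40, the allowlist and the OAST domain list are constructed or assumed for the example; the OAST list is illustrative, not complete.

```python
"""Hunt for OAST-style DNS callbacks from an MDM server in resolver query logs.

Added example for this page. The log format, the MDM address, the
allowlist and the OAST domain list are constructed or assumed here.
"""
import re

# Assumed: the EPMM appliance's address on the internal network.
MDM_HOSTS = {"10.20.30.40"}

# Assumed: the only domains the appliance is expected to resolve.
EXPECTED_DOMAINS = ("example.org", "push.apple.com", "google.com")

# Commonly used OAST / interaction services (illustrative, not complete).
OAST_DOMAINS = (
    "interact.sh", "oast.fun", "oast.live", "oast.site", "oast.online",
    "oast.pro", "oast.me", "oastify.com", "burpcollaborator.net",
    "dnslog.cn", "ceye.io",
)

# Constructed resolver log, one query per line: "time client qname qtype"
SAMPLE_DNS_LOG = """\
2026-02-03T03:14:05Z 10.20.30.40 mdm.example.org A
2026-02-03T03:14:06Z 10.20.30.40 api.push.apple.com A
2026-02-03T03:14:07Z 10.20.30.40 c8f2k1m9q4x7v3z6.oast.fun A
2026-02-03T03:14:09Z 10.20.30.40 ntp.example.org A
2026-02-03T03:14:11Z 10.20.30.40 x9k2v7q3m1z8f4wp.random-host.test A
2026-02-03T03:15:02Z 10.20.30.41 www.example.org A
2026-02-03T03:15:03Z 10.20.30.40 mtalk.google.com A
2026-02-03T03:16:00Z 10.20.30.40 downloads.vendor.test A
"""

LINE_RE = re.compile(r"^(?P<time>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+)$")


def parse_dns_log(text):
    """Parse the constructed one-query-per-line format; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def is_under(qname, domains):
    """True if qname equals, or is a subdomain of, any domain in the list."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def looks_random_label(label, min_len=12):
    """Cheap check for generated tokens: long, lowercase alphanumeric, mixing letters and digits."""
    return (len(label) >= min_len
            and re.fullmatch(r"[a-z0-9]+", label) is not None
            and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label))


def classify(rec):
    """Tag a suspicious query, or return None for one that needs no attention."""
    qname = rec["qname"].lower().rstrip(".")
    if is_under(qname, OAST_DOMAINS):
        return "oast-provider"
    if rec["client"] in MDM_HOSTS and not is_under(qname, EXPECTED_DOMAINS):
        return "mdm-random-label" if looks_random_label(qname.split(".")[0]) else "mdm-unexpected"
    return None


def hunt(text):
    """Run classify over a log and return (tag, client, qname) for every hit."""
    hits = []
    for rec in parse_dns_log(text):
        tag = classify(rec)
        if tag:
            hits.append((tag, rec["client"], rec["qname"]))
    return hits


if __name__ == "__main__":
    for tag, client, qname in hunt(SAMPLE_DNS_LOG):
        print(f"{tag:17} {client:13} {qname}")
```

The provider list catches only services someone has already catalogued, and OAST operators add domains regularly, so the durable check is the second one: the MDM host resolving anything outside its allowlist. Expect the allowlist to need a few rounds of tuning against real traffic before the `mdm-unexpected` tag is quiet enough to alert on; the `mdm-random-label` tag is high fidelity from the start and deserves a page-out.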


Technical Details

Article Source: https://thehackernews.com/2026/02/83-of-ivanti-epmm-exploits-linked-to.html (fetched 2026-02-13T07:29:31Z, 1266 words)

Threat ID: 698ed2ddc9e1ff5ad8037a65

Added to database: 2/13/2026, 7:29:33 AM

Last enriched: 2/13/2026, 7:30:39 AM

Last updated: 2/21/2026, 12:22:05 AM

