83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure
Summary
Most exploitation attempts (83%) targeting the Ivanti EPMM vulnerability (CVE not specified) originate from a single IP address hosted on PROSPERO's bulletproof hosting infrastructure. GreyNoise recorded 417 exploitation sessions from 8 unique IP addresses between February 1 and 9, 2026.
IFF Assessment
Active exploitation of a recently disclosed vulnerability, especially when it originates from bulletproof hosting, is bad news for defenders.
Severity
Defender Context
The concentration of exploitation activity around a single IP simplifies initial threat hunting, but the use of bulletproof hosting suggests the attackers are attempting to evade detection and attribution. Defenders should monitor for related IoCs, prioritize patching Ivanti EPMM, and review network traffic for suspicious activity originating from or communicating with the listed IP addresses and PROSPERO's infrastructure. Rapid exploitation following disclosure is a common trend, emphasizing the importance of timely patching.
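The traffic review described above can be sketched as follows. This is an added example, not code from GreyNoise or Ivanti: it matches source addresses in access logs against an indicator list and a hosting prefix, then reports how concentrated the hits are per source. The page lists no addresses, so the indicators, the log format and the request path are constructed placeholders taken from RFC 5737 documentation ranges.

```python
import ipaddress
from collections import Counter

# Placeholders (RFC 5737 documentation ranges); the page lists no addresses.
IOC_IPS = {"192.0.2.10"}
IOC_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in hosting prefix

# Constructed sample log: "<time> <src_ip> <method> <path> <status>"
SAMPLE_LOG = """\
2026-02-05T10:00:00Z 198.51.100.23 POST /placeholder 200
2026-02-05T10:00:01Z 198.51.100.23 POST /placeholder 200
2026-02-05T10:00:02Z 203.0.113.5 GET /placeholder 200
2026-02-05T10:00:03Z 198.51.100.23 POST /placeholder 500
2026-02-05T10:00:04Z 192.0.2.10 POST /placeholder 200
2026-02-05T10:00:05Z 198.51.100.23 POST /placeholder 200
2026-02-05T10:00:06Z 203.0.113.5 GET /placeholder 304
2026-02-05T10:00:07Z 198.51.100.23 POST /placeholder 200
2026-02-05T10:00:08Z not-an-ip GET /placeholder 400
"""

def match_reason(ip_text):
    """Return why an address matches the indicator set, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed source field, skip the line
    if str(ip) in IOC_IPS:
        return "ioc-ip"
    for net in IOC_NETS:
        if ip in net:
            return f"ioc-net {net}"
    return None

def hunt(log_text, dominance=0.8):
    """Tally indicator hits per source; flag a source holding >= dominance of them."""
    hits, reasons = Counter(), {}
    for line in log_text.splitlines():
        fields = line.split()
        reason = match_reason(fields[1]) if len(fields) >= 2 else None
        if reason:
            hits[fields[1]] += 1
            reasons[fields[1]] = reason
    total = sum(hits.values())
    return [{"ip": ip, "hits": n, "share": round(n / total, 2),
             "reason": reasons[ip], "dominant": n / total >= dominance}
            for ip, n in hits.most_common()]

if __name__ == "__main__":
    for row in hunt(SAMPLE_LOG):
        print(row)
```

A source flagged as dominant is a good first pivot for hunting, but the remaining low-volume sources still need review, since blocking one address does not cover the others.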