CyberHappenings

Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment

4 unique sources, 12 articles

Summary


Ivanti disclosed CVE-2026-6973, a high-severity improper input validation vulnerability in Endpoint Manager Mobile (EPMM) with a CVSS score of 7.2. The flaw lets a remote, authenticated user with administrative access achieve remote code execution on EPMM appliances running versions earlier than 12.6.1.1, 12.7.0.1, and 12.8.0.1. Ivanti reports very limited exploitation in the wild and notes that customers who rotated credentials after the earlier attacks (CVE-2026-1281 and CVE-2026-1340) have reduced their exposure, since the bug requires valid admin credentials. CISA added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) catalog on May 7, 2026, mandating that Federal Civilian Executive Branch agencies patch by May 10, 2026, within four days of the listing, citing significant risk to the federal enterprise. In the same release Ivanti patched four further high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, CVE-2026-7821), for which it has no evidence of in-the-wild exploitation.

Earlier phases of this campaign documented exploitation of CVE-2025-4427 and CVE-2025-4428, leading to malware deployment and follow-on attacks against government agencies worldwide. Subsequent disclosures revealed additional zero-day vulnerabilities (CVE-2026-1281, CVE-2026-1340) exploited in attacks, with over 850 exposed EPMM instances tracked online. A single threat actor operating from bulletproof hosting (PROSPERO OOO, AS200593) was responsible for 83% of exploitation attempts, most of which used DNS callbacks to confirm command execution. Affected organizations included the Dutch Data Protection Authority (AP), the Council for the Judiciary, the European Commission, and Finland's Valtori, with breaches exposing sensitive employee data.

Timeline

  1. 14.02.2026 18:02 1 article · 2mo ago

    Single Threat Actor Responsible for 83% of Recent Ivanti RCE Attacks

    Threat intelligence observations show that a single threat actor is responsible for most of the active exploitation of two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340. Ivanti's security advisory flags both as exploited in zero-day attacks and announces hotfixes. Both flaws are rated critical and allow an unauthenticated attacker to inject code, leading to remote code execution (RCE) on vulnerable systems. A single IP address on bulletproof hosting infrastructure accounts for over 83% of the exploitation activity against the two vulnerabilities. Between February 1 and 9, the monitoring platform observed 417 exploitation sessions from 8 unique source IP addresses targeting CVE-2026-1281 and CVE-2026-1340. The highest volume, 83%, came from 193[.]24[.]123[.]42, hosted by PROSPERO OOO (AS200593), which Censys analysts classify as a bulletproof autonomous system used to target a range of software products. A sharp spike occurred on February 8, with 269 sessions recorded in a single day, almost 13 times the daily average of 22. Of the 417 sessions, 354 (85%) used OAST-style DNS callbacks to verify command execution capability, pointing to initial access broker activity. The PROSPERO OOO address is not limited to Ivanti targeting: over the same period it exploited three unrelated vulnerabilities, CVE-2026-21962 in Oracle WebLogic, CVE-2026-24061 in GNU Inetutils telnetd, and CVE-2025-24799 in GLPI. The Oracle WebLogic flaw accounted for by far the largest session volume (2,902 sessions), followed by the telnetd issue (497). The activity appears fully automated, rotating between some three hundred user agents. Ivanti's fixes for CVE-2026-1281 and CVE-2026-1340 are interim hotfixes rather than permanent patches. The company has promised complete patches in the first quarter of 2026 with the release of EPMM 12.8.0.0. Until then, it recommends the 12.x.0.x RPM packages for EPMM 12.5.0.x, 12.6.0.x, and 12.7.0.x, and the 12.x.1.x RPM for EPMM 12.5.1.0 and 12.6.1.0.

  2. 12.02.2026 09:32 3 articles · 2mo ago

    83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting

    83% of Ivanti EPMM exploitation attempts originated from a single IP address, 193[.]24[.]123[.]42, on bulletproof hosting infrastructure operated by PROSPERO OOO. GreyNoise recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026; 83% of them came from that address, hosted in AS200593, which Censys analysts classify as a bulletproof autonomous system used to target various software products. A sharp spike occurred on February 8, with 269 sessions recorded in a single day, almost 13 times the daily average of 22. Of the 417 sessions, 354 (85%) used OAST-style DNS callbacks to verify command execution capability, pointing to initial access broker activity. The same IP address exploited three other CVEs in unrelated software, indicating automated tooling. PROSPERO is linked to another autonomous system, Proton66, which has a history of distributing desktop and Android malware. Defused Cyber reported a "sleeper shell" campaign that deployed a dormant in-memory Java class loader to compromised EPMM instances, again indicative of initial access broker tradecraft. Organizations are advised to apply the patches, audit internet-facing MDM infrastructure, review DNS logs for OAST-pattern callbacks, monitor for requests to the /mifs/403.jsp path on EPMM instances, and block AS200593 at the network perimeter. The IP address was still active as of February 12, 2026.

  3. 30.01.2026 00:07 9 articles · 3mo ago

    New Ivanti EPMM Vulnerabilities Exploited in Zero-Day Attacks

    CISA added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) catalog on May 7, 2026, mandating patches for FCEB agencies by May 10, 2026. Ivanti reiterated mitigation via EPMM versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 and advised credential rotation for admin accounts, noting very limited exploitation of CVE-2026-6973 requiring admin authentication. Ivanti confirmed the issue only affects on-prem EPMM and not Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or other products. Shadowserver reports over 800 exposed EPMM appliances online as of May 8, 2026.

  4. 19.09.2025 07:10 3 articles · 7mo ago

    Malware Deployment Following Exploitation of Ivanti EPMM Vulnerabilities

    The vulnerabilities (CVE-2025-4427 and CVE-2025-4428) affect Ivanti EPMM 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and earlier releases in each branch. Each malware set consists of a loader (the loaders share a file name) and a malicious listener that lets the actor inject and run arbitrary code on the compromised system. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests, using the ?format= parameter to pass commands for remote execution, and delivered the malware as segmented, Base64-encoded chunks across separate HTTP GET requests. CISA published indicators of compromise (IOCs), YARA rules, and a SIGMA rule to help organizations detect this activity.

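The two detection recommendations in this timeline (entry 2: review DNS logs for OAST-pattern callbacks and watch the /mifs/403.jsp path; entry 4: GET requests to /mifs/rs/api/v2/ with commands in the ?format= parameter and malware delivered as Base64 chunks over separate GET requests) can be checked offline against an appliance's access and DNS logs. The script below is an added example written for this page, not code from CyberHappenings, Ivanti, CISA, GreyNoise or Defused. Everything beyond the paths named in the timeline is an assumption: combined-format access log lines, EL-style ${...} expressions as the sign of an injected command, an attacker-chosen chunk parameter (called "data" here) sent in request order, the placeholder endpoint name "endpoint" under /mifs/rs/api/v2/, and a small sample of public interactsh/Collaborator suffixes as the OAST list. All log lines are constructed, not real captures.

```python
"""Added example for this timeline (not code from CyberHappenings, Ivanti,
CISA, GreyNoise or Defused): offline triage of an EPMM appliance's web access
log and DNS log for the patterns described in entries 2 and 4.

Assumptions, none of which the page states: combined-format access log lines;
injected commands appear as EL-style ${...} expressions in ?format=; chunks
arrive in an attacker-chosen query parameter (called "data" here) in request
order, so concatenating them restores one Base64 string; the OAST suffixes
are a sample of public interactsh/Collaborator domains, not a complete list.
"""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
API_PREFIX = "/mifs/rs/api/v2/"                                   # from the timeline
EL_MARKERS = ("${", "#{", "Runtime", "ProcessBuilder", "exec(")   # assumption
CHUNK_PARAM = "data"                                              # assumption
OAST_SUFFIXES = (".oast.fun", ".oast.pro", ".oast.live", ".oast.site",
                 ".interact.sh", ".burpcollaborator.net")         # sample list


def parse_access(line):
    """Split one combined-format line into fields plus parsed path and query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    # parse_qs percent-decodes values and maps '+' to ' '; chunk handling undoes the latter.
    rec["query"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def is_base64ish(value, min_len=16):
    return len(value) >= min_len and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) is not None


def triage_access_log(lines):
    """Return (findings, payloads). findings: list of (rule, client_ip, detail).
    payloads: {(client_ip, path): decoded bytes, or None if not valid Base64}."""
    findings, chunks = [], defaultdict(list)
    for line in lines:
        rec = parse_access(line)
        if rec is None:
            continue
        if rec["path"] == "/mifs/403.jsp":
            findings.append(("MIFS_403_JSP", rec["ip"], rec["target"]))
        if rec["method"] != "GET" or not rec["path"].startswith(API_PREFIX):
            continue
        for fmt in rec["query"].get("format", []):
            if any(marker in fmt for marker in EL_MARKERS):
                findings.append(("FORMAT_PARAM_EXPRESSION", rec["ip"], fmt))
        for chunk in rec["query"].get(CHUNK_PARAM, []):
            chunk = chunk.replace(" ", "+")           # restore '+' lost in parse_qs
            if is_base64ish(chunk):
                chunks[(rec["ip"], rec["path"])].append(chunk)
    payloads = {}
    for (ip, path), parts in chunks.items():
        try:
            blob = base64.b64decode("".join(parts), validate=True)
        except binascii.Error:
            blob = None
        payloads[(ip, path)] = blob
        if len(parts) > 1:                            # a single value is not "segmented"
            size = "undecodable" if blob is None else f"{len(blob)} bytes"
            findings.append(("CHUNKED_BASE64_DELIVERY", ip, f"{path}: {len(parts)} chunks, {size}"))
    return findings, payloads


def oast_callbacks(dns_lines):
    """dns_lines are 'epoch client qname' records. Returns {client: [names]} for
    queries to OAST provider domains, i.e. likely exploit-verification beacons."""
    hits = defaultdict(set)
    for line in dns_lines:
        parts = line.split()
        if len(parts) >= 3:
            qname = parts[2].rstrip(".").lower()
            if qname.endswith(OAST_SUFFIXES):
                hits[parts[1]].add(qname)
    return {client: sorted(names) for client, names in hits.items()}


# --- constructed sample data (not real captures) ---------------------------
EPMM_IP = "10.0.0.5"                                  # assumed appliance address
SAMPLE_PAYLOAD = b"constructed stand-in for a dropped loader, not real malware"
_b64 = base64.b64encode(SAMPLE_PAYLOAD).decode()
_chunks = [_b64[i:i + 20] for i in range(0, len(_b64), 20)]

def _get(ip, target, status=200):
    return f'{ip} - - [10/Sep/2025:12:00:00 +0000] "GET {target} HTTP/1.1" {status} 512'

SAMPLE_ACCESS_LOG = [
    _get("192.0.2.10", "/mifs/rs/api/v2/endpoint?format=json"),              # benign client
    _get("203.0.113.7", "/mifs/rs/api/v2/endpoint?format=%24%7B7*7%7D"),     # ${7*7} probe
    *[_get("203.0.113.7", f"/mifs/rs/api/v2/endpoint?format=json&data={c}") for c in _chunks],
    _get("203.0.113.7", "/mifs/403.jsp", 403),
]
SAMPLE_DNS_LOG = [
    f"1739000000 {EPMM_IP} ntp.example.net",
    f"1739000001 {EPMM_IP} c4f1a9e2.abcd1234efgh5678.oast.fun",
]

if __name__ == "__main__":
    for rule, ip, detail in triage_access_log(SAMPLE_ACCESS_LOG)[0]:
        print(rule, ip, detail)
    print(oast_callbacks(SAMPLE_DNS_LOG))
```

Run as-is it prints the three findings for 203.0.113.7 (expression in ?format=, four reassembled chunks, the 403.jsp hit) and the single OAST query from the appliance; point `triage_access_log` and `oast_callbacks` at real log lines to use it for a hunt. The chunk reassembly is deliberately keyed on client and path so that two clients delivering chunks in parallel do not get merged, and the EL marker list is a starting point to tune, not an allow/deny rule.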


Similar Happenings

CISA Adds SolarWinds, Ivanti, and Workspace One Vulnerabilities to KEV Catalog

CISA has added three vulnerabilities to its KEV catalog due to evidence of active exploitation. These include CVE-2021-22054 in Omnissa Workspace One UEM, CVE-2025-26399 in SolarWinds Web Help Desk, and CVE-2026-1603 in Ivanti Endpoint Manager. The vulnerabilities are being exploited by threat actors, including the Warlock ransomware crew. Federal agencies are ordered to apply patches by March 12 and March 23, 2026. CVE-2026-1603 can be exploited by remote threat actors to bypass authentication and steal credential data in low-complexity cross-site scripting attacks that require no user interaction. Ivanti patched CVE-2026-1603 one month ago with the release of Ivanti EPM 2024 SU5, but has not received reports of exploitation prior to public disclosure.

Russian UNC6353 Uses Coruna and DarkSword iOS Exploit Kits Across iOS 13–18.7 for Financial Espionage and Data Theft

Apple has expanded security updates for iOS 18.7.7 and iPadOS 18.7.7 to protect devices still running iOS 18 from the DarkSword exploit kit, without requiring a full OS upgrade. This follows continued exploitation of DarkSword since July 2025 across multiple countries, with attacks leveraging six vulnerabilities to deploy data-stealing malware such as GhostBlade, GhostKnife, and GhostSaber through watering hole attacks on compromised websites. The campaign remains linked to the Russian threat actor UNC6353 and associated groups including UNC6748 and the Turkish vendor PARS Defense, with Coruna and DarkSword now confirmed as closely related frameworks sharing origins in the 2019–2023 Operation Triangulation campaign. Coruna has evolved from a precision espionage tool into a mass-exploitation framework with 23 exploits across five chains, while DarkSword targets iOS 18.4–18.7 and has been publicly leaked on GitHub. Apple has patched all exploited flaws in recent releases (18.7.3, 26.2, 26.3.1), and CISA has mandated that federal agencies patch three DarkSword-linked vulnerabilities (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) by April 3, 2026. The commoditization of these iOS exploitation tools raises the risk to end users globally.

AI-Assisted Hacker Breaches 600 FortiGate Firewalls in 5 Weeks

A Russian-speaking, financially motivated hacker used generative AI services to breach over 600 FortiGate firewalls across 55 countries in five weeks. The campaign, which occurred between January 11 and February 18, 2026, targeted exposed management interfaces and weak credentials lacking MFA protection. The attacker used AI to automate access to other devices on breached networks, extracting sensitive configuration data and conducting reconnaissance. The attacker successfully compromised multiple organizations' Active Directory environments, extracted complete credential databases, and targeted backup infrastructure, likely in a lead-up to ransomware deployment. The threat actor used the CyberStrikeAI AI-powered security testing platform, which integrates over 100 security tools and allows for end-to-end automation of attacks. The developer of CyberStrikeAI, known as "Ed1s0nZ," has links to Chinese government-affiliated cyber operations and has worked on additional AI-assisted security tools. Team Cymru detected 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026, primarily hosted in China, Singapore, and Hong Kong. Additional servers related to CyberStrikeAI have been detected in the U.S., Japan, and Switzerland. The developer has interacted with organizations supporting potentially Chinese government state-sponsored cyber operations, including Knownsec 404, a Chinese security vendor with ties to the Chinese Ministry of State Security (MSS). Ed1s0nZ has removed references to a CNNVD Level 2 Contribution Award from their GitHub profile. The campaign targeted healthcare, government, and managed service providers. The attackers exploited vulnerabilities CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858. The attackers created a new local administrator account named "support" and set up four new firewall policies allowing unrestricted access. The attackers periodically checked device accessibility, consistent with initial access broker (IAB) behavior. The attackers extracted configuration files containing encrypted service account LDAP credentials. The attackers authenticated to the AD using clear text credentials from the fortidcagent service account. The attackers enrolled rogue workstations in the AD, allowing deeper access. The attackers deployed remote access tools like Pulseway and MeshAgent. The attackers downloaded malware from a cloud storage bucket via PowerShell from AWS infrastructure. The Java malware was used to exfiltrate the contents of the NTDS.dit file and SYSTEM registry hive to an external server (172.67.196[.]232) over port 443.

PromptSpy Android Malware Uses Gemini AI for Persistence

PromptSpy, an advanced Android malware, uses Google's Gemini AI to maintain persistence by pinning itself in the recent apps list. The malware captures lockscreen data, blocks uninstallation, gathers device information, takes screenshots, and records screen activity. It communicates with a hard-coded C2 server and is distributed via a dedicated website targeting users in Argentina. PromptSpy is the first known Android malware to use generative AI in its execution flow, sending screen data to Gemini to receive instructions for maintaining persistence. The malware is an advanced version of VNCSpy and is likely financially motivated. Researchers have discovered that PromptSpy was first found in February 2026, with initial samples uploaded to VirusTotal from Hong Kong and Argentina. ESET has not observed the malware in its telemetry, suggesting it may be a proof-of-concept. ESET attributed PromptSpy to Chinese developers with medium confidence, but has not linked it to any known threat actor. PromptSpy deploys a VNC module on compromised systems, enabling operators to view the victim’s screen and take full control of the Android device. The malware saves both its previous prompts and Gemini’s responses, allowing Gemini to understand context and coordinate multistep interactions.

European Commission Investigates Breach in Mobile Device Management Platform

The European Commission is investigating a second breach affecting its Amazon cloud infrastructure hosting the Europa.eu platform, which occurred on March 24, 2026. A threat actor, identified as ShinyHunters, claims to have stolen over 350GB of data, including databases, confidential documents, employee PII, DKIM keys, internal admin URLs, NextCloud data, and military financing data. The attacker stated no intention to extort the Commission but warned of potential secondary impacts such as identity risk and spear-phishing attacks. The breach was contained within hours, and the Commission is notifying affected entities while investigating the full impact. This follows the January 30, 2026 breach of the Commission’s mobile device management platform, linked to Ivanti EPMM vulnerabilities, which exposed staff names, phone numbers, and business email addresses and was contained within 9 hours. Separately, ShinyHunters has recently targeted Instructure’s Canvas platform, breaching it a second time to deface login portals for approximately 330 educational institutions, replacing standard pages with an extortion message and threatening to leak data if a ransom is not paid by May 12, 2026. Instructure confirmed data theft during the attack but continues investigating the incident.