Particle.news

Ivanti Patches EPM as EPMM Exploitation Campaign Traces to Single Bulletproof-Hosted IP

Most probing now points to one source using DNS callbacks to verify access.

Overview

  • Ivanti released EPM 2024 SU5 to fix a high‑severity authentication bypass (CVE-2026-1603) and a medium‑severity SQL injection (CVE-2026-1602), saying it has no evidence of in‑the‑wild exploitation of these EPM flaws.
  • Researchers continue to observe active attacks on EPMM via CVE-2026-1281 and CVE-2026-1340, including dormant in‑memory webshells placed at /mifs/403.jsp that require a trigger to activate.
  • GreyNoise recorded 417 exploitation sessions from February 1–9 and attributed approximately 83% to IP 193.24.123.42 hosted by PROSPERO, with tooling also exploiting unrelated software CVEs in parallel.
  • About 85% of observed sessions used DNS callbacks to confirm exploitability without deploying payloads, a pattern consistent with initial‑access brokering and cataloging of vulnerable targets.
  • Ivanti and the Dutch NCSC released indicators of compromise and a detection script. Authorities advised organizations to apply the patches, audit internet‑facing MDM systems, check for /mifs/403.jsp (look for requests to that path in access logs as well as for the file itself, since the webshell is memory‑resident), review DNS logs from the appliance for unexplained lookups, and assume compromise where the evidence warrants it.
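The review steps above (requests for /mifs/403.jsp, traffic from the attributed IP, and DNS callbacks from the appliance) can be checked together in one pass over logs. The following is an added example, not Ivanti's or the Dutch NCSC's detection script: it flags web requests that match the indicators named in this summary and then correlates them with DNS queries the appliance issued shortly afterwards, which is the verification pattern GreyNoise describes. The IP and path come from the summary; the log line formats, the appliance address (10.0.0.5), the 30‑second window and the allowlist of known‑good domains are assumptions for the example, and the log lines are constructed, not real captures.

```python
"""Added example: correlate suspicious EPMM web requests with DNS queries
from the appliance to spot DNS-callback verification.  The attacker IP and
the webshell path are the indicators from the summary; the log formats,
appliance address, window and allowlist are assumptions for this example."""
from datetime import datetime, timedelta

ATTACKER_IP = "193.24.123.42"          # IP attributed by GreyNoise (from the summary)
WEBSHELL_PATH = "/mifs/403.jsp"        # path of the dormant webshell (from the summary)
APPLIANCE_IP = "10.0.0.5"              # assumed internal address of the EPMM host
WINDOW = timedelta(seconds=30)         # assumed: max gap between a hit and its DNS callback
ALLOWLIST = ("ivanti.com", "ntp.org")  # assumed known-good destinations (suffix match)

# Constructed sample logs for the example (not real captures).
ACCESS_LOG = """\
2026-02-03T10:15:01Z 198.51.100.7 GET /mifs/login 200
2026-02-03T10:15:20Z 193.24.123.42 GET /mifs/ 200
2026-02-03T10:15:22Z 193.24.123.42 GET /mifs/403.jsp 200
2026-02-03T11:00:00Z 198.51.100.9 GET /mifs/403.jsp 404
"""
DNS_LOG = """\
2026-02-03T10:15:21Z 10.0.0.5 A 7f3a9c1e.d3adb33f.example.net
2026-02-03T10:16:40Z 10.0.0.5 A updates.ivanti.com
2026-02-03T12:00:00Z 10.0.0.5 A pool.ntp.org
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_access(text):
    """Return (time, client_ip, path, status) for each access-log line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, path, status = line.split()
        rows.append((_ts(ts), ip, path, int(status)))
    return rows


def parse_dns(text):
    """Return (time, source_ip, query_name) for each DNS-log line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _rtype, name = line.split()
        rows.append((_ts(ts), src, name.rstrip(".").lower()))
    return rows


def suspicious_requests(access_rows):
    """Requests from the attributed IP, or for the webshell path from any
    client with any status: a 404 still records a probe worth reviewing."""
    return [r for r in access_rows
            if r[1] == ATTACKER_IP or r[2] == WEBSHELL_PATH]


def is_allowlisted(name):
    """True if the name is, or is a subdomain of, an allowlisted domain."""
    return any(name == d or name.endswith("." + d) for d in ALLOWLIST)


def dns_callbacks(dns_rows, hits):
    """DNS queries from the appliance to non-allowlisted names that fall
    within WINDOW of a suspicious request; returns (query, matched request)."""
    out = []
    for q in dns_rows:
        if q[1] != APPLIANCE_IP or is_allowlisted(q[2]):
            continue
        for h in hits:
            if abs(q[0] - h[0]) <= WINDOW:
                out.append((q, h))
                break
    return out


def triage(access_text=ACCESS_LOG, dns_text=DNS_LOG):
    """Run both checks and return the findings."""
    hits = suspicious_requests(parse_access(access_text))
    callbacks = dns_callbacks(parse_dns(dns_text), hits)
    return {"suspicious_requests": hits, "dns_callbacks": callbacks}


if __name__ == "__main__":
    result = triage()
    for r in result["suspicious_requests"]:
        print("request: ", r[0].isoformat(), r[1], r[2], r[3])
    for q, h in result["dns_callbacks"]:
        print("callback:", q[0].isoformat(), q[2], "<- after", h[1], h[2])
```

On the constructed sample the appliance's lookup of 7f3a9c1e.d3adb33f.example.net one second after the attributed IP's request is reported as a callback, while the later lookups of Ivanti and NTP hosts are not. Against real logs, replace the two constants for the appliance address and allowlist, and treat a callback match as a reason to pull the full session, not as proof on its own, since a single unexplained lookup can have benign causes.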