Feb 10, 2026 • GreyNoise Blog
Active Ivanti Exploitation Traced to Single Bulletproof IP—Published IOC Lists Point Elsewhere
Executive Summary
GreyNoise has identified active exploitation targeting two critical vulnerabilities in Ivanti Endpoint Manager Mobile. Analysis reveals that 83% of this malicious traffic originates from a single IP address hosted on bulletproof infrastructure. Notably, this indicator of compromise is absent from widely circulated IOC lists, suggesting a gap in current threat intelligence sharing or the rapid emergence of the campaign.

This activity poses a significant risk to organizations using Ivanti solutions, as attackers are leveraging known critical flaws for initial access. While no specific threat actor or malware family has been publicly attributed to this campaign yet, the concentration of traffic indicates a coordinated effort.

Organizations are urged to prioritize patching Ivanti Endpoint Manager Mobile immediately and to monitor network traffic for anomalies originating from bulletproof hosting providers, rather than relying solely on existing IOC feeds, which may not cover this specific source.
Summary
The GreyNoise Global Observation Grid observed active exploitation of two critical Ivanti Endpoint Manager Mobile vulnerabilities, and 83% of that exploitation traces to a single IP address on bulletproof hosting infrastructure that does not appear on widely circulated IOC lists.
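The gap described above can be checked against your own logs. The following is an added example, not GreyNoise or Ivanti code: it measures how concentrated exploit attempts are by source and how much of that traffic a published IOC list actually covers. The request path, log lines, IP addresses and IOC list are all constructed placeholders, since the page gives none of them.

```python
import re
from collections import Counter

# Hypothetical placeholder: the page does not give the exploited request path.
EXPLOIT_PATH = "/PLACEHOLDER-EXPLOIT-PATH"
# Common Log Format: source IP, method, path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def _line(ip, path):
    return f'{ip} - - [01/Jan/2000:00:00:00 +0000] "POST {path} HTTP/1.1" 404 0'

# Constructed sample log (documentation-range IPs, not real indicators).
SAMPLE_LOG = (
    [_line("203.0.113.50", EXPLOIT_PATH)] * 10
    + [_line("198.51.100.7", EXPLOIT_PATH), _line("192.0.2.99", EXPLOIT_PATH)]
    + [_line("192.0.2.10", "/index.html")] * 5
    + ["truncated or malformed line"]
)
# Constructed stand-in for a published IOC list.
SAMPLE_IOCS = {"198.51.100.7", "192.0.2.99", "192.0.2.200"}

def source_shares(lines, exploit_path=EXPLOIT_PATH):
    """Return [(ip, hits, share)] for requests to exploit_path, busiest first."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        # Ignore unparseable lines and compare the path without its query string.
        if m and m.group(3).split("?", 1)[0] == exploit_path:
            hits[m.group(1)] += 1
    total = sum(hits.values())
    return [(ip, n, n / total) for ip, n in hits.most_common()]

def ioc_coverage(shares, iocs):
    """Fraction of exploit attempts whose source is on the IOC list."""
    return sum(share for ip, _, share in shares if ip in iocs)

def uncovered_heavy_sources(shares, iocs, min_share=0.5):
    """Sources at or above min_share of attempts that the IOC list misses."""
    return [ip for ip, _, share in shares if share >= min_share and ip not in iocs]

if __name__ == "__main__":
    shares = source_shares(SAMPLE_LOG)
    for ip, n, share in shares:
        tag = "on IOC list" if ip in SAMPLE_IOCS else "NOT on IOC list"
        print(f"{ip:15} {n:3} {share:6.1%}  {tag}")
    print(f"IOC list covers {ioc_coverage(shares, SAMPLE_IOCS):.1%} of attempts")
    print("uncovered heavy sources:", uncovered_heavy_sources(shares, SAMPLE_IOCS))
```

In the constructed data the IOC list matches two of three attacking sources yet covers only about 17% of attempts, which is the mismatch a per-source share check surfaces and a simple IOC match count hides.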