**Ivanti EPMM Exploits Tied to Single Bulletproof IP**
**Introduction**
What if nearly all of a global cyberattack campaign could be traced back to a single IP address? That’s the alarming reality for organizations using Ivanti Endpoint Manager Mobile (EPMM). According to a recent report by The Hacker News, 83% of the known exploits targeting Ivanti EPMM vulnerabilities were linked to one bulletproof IP address: 94.232.41[.]105. This IP has been active since January 2024 and associated with multiple threat activity clusters—all while seemingly shielded from takedown. ([source](https://thehackernews.com/2026/02/83-of-ivanti-epmm-exploits-linked-to.html))
This raises significant concerns not just about the vulnerability of the EPMM platform, but about attackers’ evolving operational infrastructure. As a CISO, CEO, or security leader, you’re probably asking the right questions: How did we get here? How do we respond and prepare? And what does this say about the broader threat landscape?
In this blog, we’ll explore:
– Key findings from the investigation and their implications
– Why “bulletproof” infrastructure is a growing threat
– Immediate steps you can take to safeguard your enterprise environments
**The Exposure: What Makes Ivanti EPMM a Target**
Ivanti EPMM, formerly MobileIron Core, is widely deployed for mobile device management (MDM) across large enterprises, health systems, and government agencies. These platforms manage thousands of endpoints—a goldmine for attackers looking to pivot inside networks or harvest sensitive device and user data.
Recent vulnerabilities disclosed in EPMM—tracked as CVE-2023-35078 and CVE-2023-35081—are being actively exploited in the wild. The standout detail? More than 80% of these intrusions originate from a single IP address, attributed to a bulletproof hosting provider that has been consistently leveraged in varied malicious campaigns by state-aligned and financially motivated threat groups.
Here’s what makes the situation more critical:
– **High privilege access**: The vulnerabilities allow attackers to execute commands remotely and access administrative interfaces.
– **Wide attack surface**: EPMM is deeply connected to mobile and application ecosystems, providing lateral movement opportunities.
– **Asset sprawl**: Distributed mobile endpoints make detecting and containing exploits more difficult.
Attackers know they can gain broad access fast and at scale. In post-breach analyses, compromised EPMM servers were used to siphon credentials, deliver malware payloads, and initiate reconnaissance inside internal environments.
As a result, patching alone isn’t enough. Understanding infrastructure risks and adopting a holistic approach to enterprise mobility security is essential.
**The Infrastructure Behind the Curtain**
One of the more under-discussed, yet critical, security topics is the role of bulletproof hosting in facilitating persistent threats. These are Internet infrastructure providers, often operating in jurisdictions with weak cybercrime enforcement, that knowingly host malicious services and ignore takedown requests.
Let’s dig into what makes the IP address 94.232.41[.]105 particularly concerning:
– **Persistent activity**: It has remained active through multiple Ivanti attack waves, despite being called out in threat intelligence feeds.
– **Cross-campaign usage**: It was previously tied to exploit attempts against Fortinet, Sophos, and Exchange Edge services, showing infrastructure reuse across campaigns.
– **Command-and-control (C2) function**: In the Ivanti case, this IP served both as the exploit origin and post-exploitation C2 destination.
For defenders, this presents a dilemma. Traditional blocklists and rule-based detection methods may flag the behavior, but attribution and response cornerstones—like ISP takedown requests and law enforcement escalation—can stall out when bulletproof actors are involved.
So, what can you do?
– **Use threat intel proactively**: Ingest, correlate, and act on IP reputation feeds in near-real time. Waiting for signature updates isn’t viable.
– **Segment and inspect**: Treat mobile management networks as high-sensitivity zones. Apply segmentation and enforce deep packet inspection.
– **Update response plans**: Include contingencies for infrastructure-based threats, particularly those involving hosting abuse and evasive C2 channels.
This is a reminder that threat actors don’t rely only on zero-days; they also depend on robust infrastructure to persist and scale.
**Practical Defense: Closing Gaps in Mobile Endpoint Security**
It’s easy to focus on the flashy part—the CVE—with every new exploit cycle. But the real defense starts with your configuration and visibility posture. Start with these key principles for strengthening resilience around mobile endpoint infrastructure:
**1. Zero Trust for Mobility**
Too often, MDM systems are treated as trusted tools, rather than as threat surfaces. Assume compromise and build conditional access rules accordingly.
– Require multi-factor authentication (MFA) for administrative interfaces
– Monitor unexpected geographic logins or IP variance
– Disable unused ports and reduce network “reachability” of the MDM server
**2. Patch Cadence and Validation**
Ivanti released patches for these vulnerabilities, but exploitation still surged. Why? Systems weren’t patched fast enough—or patching failed due to environment-specific issues.
– Establish an SLA of under 48 hours for critical MDM patches
– Validate successful patching with functional tests, not just update checks
– Log and alert on rollback or failed patch attempts
**3. Anomaly Detection and Asset Audit**
To detect attacker presence early, organizations must invest in anomaly detection across user behavior, device registration, and communication logs.
– Monitor for off-hours administrative activity or configuration changes
– Alert on communication with flagged or foreign IP addresses
– Regularly audit mobile assets for rogue device synchronization
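The threat-intel correlation described in the previous section and the three monitoring items just listed, as an added example that is not from the original post or from Ivanti: a small Python scanner over constructed, generic access-log lines (a made-up format, not real EPMM logs) that flags any request from the bulletproof IP named in the post, administrative requests outside an assumed 08:00 to 18:00 UTC window, and accounts seen from more than one source address.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Indicator set to correlate against; the single entry is the bulletproof IP the post names.
HIGH_RISK_IPS = {"94.232.41.105"}

# Assumed business-hours window (UTC hours); admin activity outside it is flagged.
BUSINESS_HOURS = range(8, 18)

# Constructed sample lines in a made-up key=value format (not real Ivanti EPMM logs).
SAMPLE_LOG = """\
2026-02-03T09:12:41Z src=10.20.0.15 user=alice path=/admin/policies status=200
2026-02-03T02:14:07Z src=94.232.41.105 user=- path=/api/login status=401
2026-02-03T02:14:09Z src=94.232.41.105 user=admin path=/admin/config status=200
2026-02-03T03:40:22Z src=203.0.113.7 user=bob path=/admin/users status=200
2026-02-03T10:05:00Z src=10.20.0.15 user=bob path=/api/devices status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def scan(log_text, risk_ips=HIGH_RISK_IPS, hours=BUSINESS_HOURS):
    """Correlate log lines against the indicator set and the two behavioural checks."""
    events = []                      # (line_number, reason) per-line findings
    user_sources = defaultdict(set)  # account -> set of source IPs seen
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] in risk_ips:   # any contact from a flagged IP, whatever the outcome
            events.append((n, "high-risk-ip"))
        if rec["path"].startswith("/admin/") and rec["ts"].hour not in hours:
            events.append((n, "off-hours-admin"))
        if rec["user"] != "-":       # only authenticated requests count toward IP variance
            user_sources[rec["user"]].add(rec["src"])
    # IP variance: the same account observed from more than one source address.
    variance = {u: sorted(s) for u, s in user_sources.items() if len(s) > 1}
    return {"events": events, "ip_variance": variance}
```

In a real deployment the indicator set would be refreshed from a reputation feed and the log source would be the MDM server's own access or audit log; the checks themselves do not change.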
According to a 2026 SecurEdge study, 74% of enterprises list mobile infrastructure as a blind spot in SOC visibility. Bridging these gaps is how you stay proactive—before threat actors set up camp.
**Conclusion**
The Ivanti EPMM exploit campaign demonstrates how even core enterprise infrastructure can be turned against us—especially when attackers have durable infrastructure and organizations lack early detection. The disturbing finding that 83% of observed exploits tied back to a single bulletproof IP is a wake-up call for all enterprises relying on mobile and perimeter tools to secure their workforce.
As a cybersecurity leader, your takeaway should be twofold: First, technical patching is necessary but not sufficient. Resilience comes from layered visibility, strong network segmentation, and an understanding of attacker infrastructure. Second, we must start treating MDM and support services with the same rigor we apply to core IAM or cloud services—they are now frontline assets.
Take the following next steps:
– Review your Ivanti EPMM patch and hardening status
– Ingest and act on current threat intel (flag traffic to 94.232.41[.]105 as high risk)
– Reevaluate your perimeter trust model around MDM systems
Threat actors don’t rest—and neither can we. Let this serve as your cue to tighten defenses, adjust assumptions, and treat trusted infrastructure as the potential attack surface it truly is.
Want help reviewing your EPMM security setup or integrating threat intelligence into your SOC? Reach out—we’re here to work alongside your team.