CSC News Table of Contents
Ivanti zero-day vulnerabilities in Connect Secure and Policy Secure are being actively exploited, prompting urgent patching and incident response across enterprises. Attackers are chaining flaws for full compromise. Federal agencies and large enterprises are accelerating mitigations as evidence mounts of widespread intrusion activity against exposed VPN appliances.
Security researchers report authentication bypass and command injection bugs being combined to deploy webshells, steal credentials, and pivot into internal networks. Government guidance urges rapid remediation and forensic validation.
Organizations relying on Ivanti remote access should prioritize upgrades, rotate secrets, and hunt for persistence on appliances and adjacent systems.
Ivanti zero-day vulnerabilities: What You Need to Know
- Exploited Ivanti VPN flaws enable device takeover; patch, rotate credentials, and validate appliance integrity immediately.
Recommended tools to find, fix, and monitor Ivanti VPN exposure:
- Tenable Vulnerability Management to rapidly identify impacted VPN gateways and exposed assets.
- Tenable Nessus for authenticated scans and configuration checks on supporting infrastructure.
- Auvik to map network paths and monitor abnormal VPN device behavior.
- Bitdefender to harden endpoints against post-compromise lateral movement.
Exploited CVEs and Affected Products
Multiple Ivanti Connect Secure (ICS) and Policy Secure (IPS) zero-day vulnerabilities have been used in the wild in chained attacks. Public reporting and vendor advisories identify an authentication bypass and command injection pair that enables unauthenticated remote code execution on vulnerable gateways.
A subsequent server-side request forgery (SSRF) bug was also leveraged to reestablish access after remediation attempts.
Impacted products include supported versions of Ivanti Connect Secure and Policy Secure appliances that had not yet been upgraded to patched builds released by Ivanti.
Enterprises should confirm current build numbers against the latest vendor advisories and immediately apply fixed releases.
Attack Chain and Observed Impact
Threat actors initially exploit the authentication bypass to reach administrative or sensitive endpoints without valid credentials. They then trigger command injection to execute arbitrary code on the appliance, typically deploying webshells for persistence.
From there, adversaries harvest credentials, enumerate internal services, and pivot into corporate networks.
Security teams have reported:
- Installation of multiple, redundant webshells to survive partial cleanup.
- Modification of legitimate files to conceal backdoors and evade detection.
- Collection of configuration data, session tokens, and LDAP/IdP credentials.
- Lateral movement into domain controllers and file servers.
Government guidance places these flaws on high-priority remediation lists due to confirmed exploitation. See CISA’s Known Exploited Vulnerabilities Catalog for current tracking and due dates for federal agencies.
Patching and Hardening Guidance
Ivanti has released patches and detailed recovery steps. Administrators should:
- Upgrade ICS/IPS to the latest fixed versions provided by Ivanti.
- Rebuild affected appliances from a clean image where feasible.
- Rotate all credentials stored or transited through the VPN, including admin accounts, service accounts, and SSO/IdP secrets.
- Reissue device certificates and review SAML/OIDC integrations.
- Enable strict logging and forward logs to a SIEM for retrospective hunting.
Review Ivanti’s official security advisory and recovery guidance for exact build numbers and validated cleanup procedures. The CISA Known Exploited Vulnerabilities Catalog outlines federal remediation timelines and additional detection recommendations.
Detection and Incident Response Priorities
Given persistent webshell activity on compromised devices, assume breach if an affected version was exposed to the internet. Prioritize:
- Full file-system integrity checks on appliances for unauthorized modifications.
- Hunting for known webshell paths and anomalous CGI or Perl files.
- Reviewing VPN authentication, admin access, and configuration change logs.
- Credential reset sequences for admins and integrated identity providers.
- Network-wide EDR sweeps for new services, remote threads, and suspicious scripts.
For broader context on rapidly addressing exploited flaws, see our coverage of Microsoft patches for multiple zero-days and our primer on Ivanti VPN exploitation risks. Organizations maturing long-term defenses can also review Zero Trust architecture for network security.
Threat Actor Activity and Intelligence
Threat researchers have attributed portions of this activity to advanced intruders with strong operational security. Campaigns leveraged living-off-the-land techniques and blended webshell tooling with custom implants to avoid detection.
Indicators from private-sector reports and incident investigations show coordinated targeting of government, technology, and finance sectors.
Authoritative sources including vendor advisories and national cybersecurity agencies stress that partial remediation can leave backdoors intact. Treat these incidents as full intrusions, not patch-and-move-on events.
References and Official Guidance
- CISA Known Exploited Vulnerabilities Catalog
- Mandiant: Ivanti Connect Secure exploitation analysis
- Ivanti Product Documentation and Security Advisories
- Volexity threat research on Ivanti exploitation
Operational Implications for Enterprise VPN Security
Enterprises gain resilient remote access through dedicated VPN appliances, but these platforms concentrate trust and credentials. When zero-days are exploited, attackers often achieve privileged network footholds, leading to credential theft and lateral movement. Ivanti’s patches and recovery guidance reduce risk, but careful execution and verification are essential.
Longer-term mitigations, including split-tunneling reductions, MFA enforcement on administration, strict egress controls from VPN subnets, and progressive migration toward Zero Trust Network Access, can reduce blast radius. However, transitions demand investment, user experience changes, and rigorous identity governance to avoid productivity loss.
Strengthen identity, continuity, and email defenses during VPN incidents:
Conclusion
The exploitation of Ivanti zero-day vulnerabilities shows how quickly perimeter devices can become high-impact entry points. Treat these incidents as full intrusions, not isolated device flaws.
Patch to the latest builds, validate appliance integrity, rotate all connected secrets, and conduct targeted threat hunting. Where uncertainty remains, consider full rebuilds and segmented redeployment.
Finally, accelerate plans for identity-centric access models and continuous validation. Reducing implicit trust at the edge limits adversary options when the next device-level exploit emerges.
Questions Worth Answering
Which Ivanti products are impacted?
• Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) VPN appliances running vulnerable builds before vendor fixes.
What can attackers achieve with the exploit chain?
• Unauthenticated access, remote code execution, webshell persistence, credential theft, and lateral movement into internal networks.
Are patches available?
• Yes. Ivanti has released fixed builds. Administrators should upgrade immediately and follow Ivanti’s recovery guidance.
Is patching alone sufficient?
• No. Assume breach. Rebuild where feasible, rotate credentials, reissue certificates, and perform comprehensive compromise assessments.
How should we prioritize detection?
• Hunt for webshells, abnormal admin access, modified system files, and suspicious outbound connections from VPN subnets.
What role does Zero Trust play here?
• Zero Trust limits blast radius by enforcing continuous verification, least privilege, and hardened identity controls across access paths.
Where can I find authoritative guidance?
• Consult Ivanti advisories and CISA’s Known Exploited Vulnerabilities Catalog for timelines, indicators, and remediation steps.
About Ivanti
Ivanti develops IT management and security software for endpoint, identity, and edge device operations. Its portfolio includes remote access, patch management, and service management tools.
The company’s Connect Secure and Policy Secure platforms provide VPN and network access control for enterprises. These appliances integrate with identity providers and endpoint policies.
Ivanti works with customers and partners worldwide and publishes security advisories, firmware updates, and hardening guidance for its products.
Upgrade your security stack now: try Tresorit, harden servers with Plesk, and protect privacy with Optery.
