Ivanti vulnerabilities lead to CISA being targeted in a wave of exploits
Beginning in the first quarter of 2023 and continuing into 2024 and 2025, critical zero-day vulnerabilities in Ivanti Connect Secure (formerly Pulse Secure VPN) and Ivanti Policy Secure products have been extensively exploited. Key vulnerabilities such as CVE-2023-46805, CVE-2024-21887, and CVE-2025-0282 have been identified, enabling pre-authentication command injection and remote code execution. These flaws allow attackers to bypass authentication, execute arbitrary commands, steal credentials, drop malware, and exfiltrate sensitive data from targeted networks.
Details about Exploitation
The attacks, which began in early 2024, had intensified by late January, targeting multiple critical sectors such as defense, healthcare, and finance through Ivanti gateways used for remote access. Notably, a Chinese-linked threat actor, Houken, exploited Ivanti zero-days to infiltrate French critical infrastructure, resulting in compromised credentials and sensitive data. Additionally, a stealthy remote access Trojan (RAT), DslogdRAT, has been identified exploiting Ivanti Connect Secure zero-days, particularly in Japan.
Agency Response
In response to the active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) issued emergency directives warning federal agencies, critical infrastructure operators, and enterprises using Ivanti products to urgently update to the latest supported versions and apply mitigations. Collaboration between CISA and the FBI includes releasing updated guidance on securing products, hunting for indicators of compromise (IOCs), treating stored credentials as compromised, analyzing logs, and following strong incident response protocols.
Furthermore, CISA added Ivanti vulnerabilities to its Known Exploited Vulnerabilities Catalog and strongly urged the community to adopt Zero Trust Architecture measures and rigorous patch management to reduce risk.
CISA Attack and Response
Earlier this year, the Cybersecurity and Infrastructure Security Agency was itself hit by a cyberattack. In response, on Feb. 2, CISA ordered federal civilian executive branch agencies to disconnect Ivanti products from their systems. The two affected systems were taken offline immediately after the attack was identified. No operational impact from the attack has been reported at this time.
By Feb. 6, exploitation of Ivanti Connect Secure VPN instances was widespread, prompting federal and international cyber authorities to issue a global alert about the active exploitation of vulnerabilities in Ivanti Connect Secure and other remote access VPNs.
In summary, multiple critical Ivanti Connect Secure zero-day vulnerabilities have been extensively exploited, prompting CISA and FBI emergency alerts, active monitoring, and strong remediation guidance to prevent further attacks and limit damage from credential theft and malware insertion. Ivanti released a security patch for the zero-day vulnerabilities on Jan. 31, but the company has not issued any further statement beyond its prior statement and public blog posts.
- The cybersecurity threat posed by the vulnerable Ivanti Connect Secure and Ivanti Policy Secure products intensified in the latter half of 2024, with incident response teams facing a wave of pre-authentication command injection and remote code execution attacks that enabled attackers to bypass authentication, execute arbitrary commands, steal credentials, drop malware, and exfiltrate sensitive data.
- The Cybersecurity and Infrastructure Security Agency (CISA) issued emergency directives in response to the active exploitation of Ivanti vulnerabilities, urging federal agencies, critical infrastructure operators, and enterprises to prioritize updating to the latest supported versions, adopt Zero Trust Architecture measures, and follow rigorous patch management in order to reduce exposure to cyber threats and strengthen incident response protocols.