Zero-Day Vulnerabilities | 2025-01-20 | 12 min read

Ivanti Connect Secure: Mass Exploitation of VPN Infrastructure in 2024-2025

Analysis of the sustained campaign targeting Ivanti Connect Secure VPN appliances through chained zero-days, including CVE-2023-46805 and CVE-2024-21887, with ties to Chinese state-sponsored threat actors.

Overview

Beginning in late 2023 and accelerating dramatically through 2024 and into 2025, Ivanti Connect Secure (formerly Pulse Secure) VPN appliances became the most aggressively exploited edge device category in corporate and government networks. A series of high-severity vulnerabilities — several used as zero-days before disclosure — enabled unauthenticated attackers to achieve remote code execution on devices protecting sensitive network perimeters.

CISA issued multiple emergency directives. The exploitation campaigns have been attributed with moderate-to-high confidence to UNC5221, a Chinese state-sponsored threat actor, alongside opportunistic criminal groups that moved quickly once public exploits became available.

The Vulnerability Chain

CVE-2023-46805 and CVE-2024-21887 (January 2024)

The first widely exploited pair of vulnerabilities was disclosed by Volexity in January 2024, following detection of active exploitation in the wild since at least December 2023.

CVE-2023-46805 is an authentication bypass in the web component of Ivanti Connect Secure. It allows an unauthenticated remote attacker to access restricted resources by exploiting improper path handling.

CVE-2024-21887 is a command injection vulnerability in the same web component. When combined with the authentication bypass, it enables unauthenticated remote code execution.

# Simplified representation of the authentication bypass path
GET /api/v1/totp/user-backup-code/../../dana-na/auth/url_default/welcome.cgi HTTP/1.1
Host: target-vpn.example.com

# The path traversal bypasses authentication checks,
# reaching endpoints that expect an authenticated session

The chained exploit was particularly dangerous because it required no credentials and targeted devices that sit at the outermost layer of network defense — the VPN gateway itself.

CVE-2024-21893 — SSRF in SAML Component (February 2024)

A second wave arrived within weeks of the first patch cycle. CVE-2024-21893 is a Server-Side Request Forgery (SSRF) vulnerability in the SAML component of Connect Secure that allows access to restricted resources without authentication. Ivanti disclosed it alongside a second command injection (CVE-2024-21888) after detecting exploitation in the wild.

Critically, CVE-2024-21893 bypassed the initial mitigations Ivanti had recommended. Organizations that applied the January workaround but had not fully patched found themselves vulnerable again.

CVE-2025-0282 — Stack Overflow RCE (January 2025)

In January 2025, Ivanti disclosed CVE-2025-0282, a critical stack-based buffer overflow enabling unauthenticated remote code execution. Once again, Mandiant and others observed exploitation in the wild before disclosure — confirming it as a true zero-day used in targeted intrusions.

The vulnerability exists in the web component of Connect Secure and can be triggered by sending a specially crafted request to the appliance.

Threat Actor Behavior: UNC5221

Post-Exploitation Tooling

Mandiant's analysis of UNC5221 intrusions identified a sophisticated, purpose-built toolkit deployed specifically against Ivanti appliances:

  • LIGHTWIRE: A web shell written in Perl injected into a legitimate Connect Secure CGI script, providing persistent command execution
  • WIREFIRE: A more capable Python-based web shell deployed to provide persistent backdoor access
  • WARPWIRE: A JavaScript credential harvester injected into the login page to capture username and password pairs in real time
  • FRAMESTING: A Python web shell embedded within a legitimate Ivanti Python package, providing deep persistence

The sophistication of these implants — their ability to blend into legitimate files, survive reboots, and sometimes survive factory resets — reflects significant prior knowledge of the Ivanti platform's internals.

Integrity Check Evasion

In a particularly notable technique, UNC5221 modified the Connect Secure Integrity Checker Tool (ICT) — the very tool Ivanti recommended customers use to verify their appliances had not been tampered with. The modified ICT would return clean results even on compromised devices.

This meant organizations following Ivanti's own remediation guidance could verify their device as clean and remain unaware of the ongoing compromise. It underscores the fundamental challenge of trusting vendor-provided integrity tooling on a device the attacker already controls.

# What defenders expected (Ivanti's guidance):
./integrity_checker_tool --scan
# Output: No issues detected

# What was actually happening on compromised devices:
# The ICT binary itself had been replaced to suppress findings
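The practical consequence of the ICT tampering is that an integrity check is only as trustworthy as the host running it and the reference it compares against. The following is an added example (not Ivanti's ICT and not code from this write-up) of the out-of-band alternative: a manifest of SHA-256 hashes is built from a trusted source such as a pristine vendor image, stored off the device, and later compared against a copy of the suspect file system (for instance a mounted disk image) from a host the attacker does not control. The directory layout, file names and file contents in the demo are constructed for illustration.

```python
# Added example: out-of-band file integrity comparison against a known-good
# manifest. Not Ivanti's Integrity Checker Tool; paths and contents below are
# constructed for the demo.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_to_manifest(root: Path, manifest: dict) -> dict:
    """Classify files under root against a known-good manifest.

    modified: present in both, hash differs (e.g. a CGI script with an appended shell)
    added:    on disk but absent from the manifest (a dropped file)
    missing:  in the manifest but not on disk (removed or renamed component)
    """
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "added": sorted(f for f in current if f not in manifest),
        "missing": sorted(f for f in manifest if f not in current),
    }


def demo() -> dict:
    """Constructed scenario: a pristine tree and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "pristine"
        suspect = Path(tmp) / "suspect"
        for root in (good, suspect):
            (root / "cgi-bin").mkdir(parents=True)
            (root / "cgi-bin" / "welcome.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
            (root / "integrity_checker_tool").write_text("#!/bin/sh\necho scanning\n")

        # In practice the manifest comes from a vendor image and is kept off-device.
        manifest = build_manifest(good)

        # Tampering in the constructed suspect tree: the CGI script gains an
        # appended line, the checker is replaced, and one new file appears.
        with (suspect / "cgi-bin" / "welcome.cgi").open("a") as f:
            f.write("# injected line\n")
        (suspect / "integrity_checker_tool").write_text("#!/bin/sh\necho 'No issues detected'\n")
        (suspect / "cgi-bin" / "extra.cgi").write_text("# dropped file\n")

        return compare_to_manifest(suspect, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The comparison deliberately reports the replaced checker itself as a modified file: because the hashing runs on a trusted host against a reference the device never saw, a binary that has been swapped to print clean results cannot influence the verdict.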

Detection Challenges

Detecting compromise on Ivanti appliances proved exceptionally difficult for several reasons:

Limited Logging Visibility

Connect Secure appliances run a hardened Linux-based operating system. Defenders have limited direct access to the underlying OS and file system, making traditional endpoint detection approaches ineffective. Logging is primarily application-layer and can be selectively suppressed by an attacker with root access.

Persistence Through Upgrades

Some implants were designed to survive software upgrades by modifying components that the upgrade process skips. In one documented case, a web shell persisted through an upgrade and redeployment because it was embedded in a partition the upgrade did not overwrite.

Detection Indicators

Despite these challenges, several detection approaches proved effective:

# Check for unexpected processes on the appliance
# (requires access to diagnostic CLI or SSH if enabled)
ps aux | grep -v '\[' | awk '{print $11}' | sort -u

# Check for recently modified files in web directories
find /home/webserver/ -newer /home/webserver/htdocs/index.html -type f 2>/dev/null

# Monitor for SSRF-indicative outbound connections
# Unexpected connections from VPN appliance IP to internal resources

Network-level indicators:

  • Outbound connections from VPN appliance IP to unusual internal hosts
  • DNS queries from the appliance to external domains unrelated to Ivanti update infrastructure
  • Unusual volumes of small outbound connections (C2 beaconing patterns)

Log-based indicators:

  • Authentication events for accounts that do not exist in the directory
  • Successful sessions with anomalous source IPs (Tor exit nodes, commercial VPNs)
  • Web requests containing path traversal sequences (../, URL-encoded equivalents)
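To make the network-level and log-based indicators above concrete, here is an added example (not from the article and not Ivanti's own logging or tooling) that runs two small detectors over constructed sample data: a web-log scanner that percent-decodes request paths (including double encoding) before looking for traversal sequences and for the `/api/v1/totp/user-backup-code/` prefix of the bypass request shown earlier in the article, and a flow-record check that flags connections from the appliance address into internal address space that are not on an allowlist of expected destinations. The log layout, IP addresses and the allowlist are assumptions; real appliance logs and flow exports will need their own parsing.

```python
# Added example: detectors for the log-based and network-level indicators
# listed in the article, run over constructed sample data. The access-log
# layout, addresses and allowlist are assumptions, not Ivanti formats.
import ipaddress
import re
from urllib.parse import unquote

# Constructed access-log lines (common-log style, not real Ivanti log output).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [20/Jan/2025:10:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512
203.0.113.20 - - [20/Jan/2025:10:00:02 +0000] "GET /api/v1/totp/user-backup-code/../../dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512
203.0.113.21 - - [20/Jan/2025:10:00:03 +0000] "GET /api/v1/totp/user-backup-code/..%2F..%2Fdana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512
203.0.113.22 - - [20/Jan/2025:10:00:04 +0000] "GET /dana-na/..%252F..%252Fdana-na/auth/url_default/welcome.cgi HTTP/1.1" 404 128
203.0.113.30 - - [20/Jan/2025:10:00:05 +0000] "POST /dana-na/auth/login.cgi HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# Prefix of the bypass request shown earlier in this article.
BYPASS_PREFIX = "/api/v1/totp/user-backup-code/"


def normalize_path(path: str) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and double-encoded
    %252e%252e%252f both collapse to the literal ../ sequence."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan_access_log(text: str) -> list:
    """One finding per request whose decoded path shows traversal or the bypass prefix."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would count these
        norm = normalize_path(m["path"])
        reasons = []
        if TRAVERSAL_RE.search(norm):
            reasons.append("path_traversal")
        if norm.startswith(BYPASS_PREFIX):
            reasons.append("totp_backup_code_prefix")
        if reasons:
            findings.append({"src": m["src"], "path": m["path"], "status": m["status"], "reasons": reasons})
    return findings


# Network side: constructed flow records (src, dst, dst_port) as a firewall or
# flow collector next to the appliance would export them.
APPLIANCE_IP = "192.0.2.5"  # constructed address of the VPN gateway
# Destinations the gateway legitimately reaches (here: LDAP/LDAPS to one directory
# server). Anything else from the appliance into RFC 1918 space is reported.
ALLOWED_DESTINATIONS = {("10.0.0.10", 389), ("10.0.0.10", 636)}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_FLOWS = [
    ("192.0.2.5", "10.0.0.10", 636),     # LDAPS to the directory: expected
    ("192.0.2.5", "10.0.5.7", 445),      # SMB to a file server: the gateway has no reason to go there
    ("192.0.2.5", "10.0.0.20", 88),      # Kerberos to a host not in the allowlist
    ("192.0.2.5", "198.51.100.9", 443),  # external destination: outside this rule's scope
    ("10.0.7.3", "10.0.5.7", 445),       # not from the appliance
]


def flag_internal_pivots(flows, appliance_ip=APPLIANCE_IP, allowed=ALLOWED_DESTINATIONS) -> list:
    """Return (dst, port) for flows from the appliance to internal hosts outside the allowlist."""
    hits = []
    for src, dst, port in flows:
        if src != appliance_ip or (dst, port) in allowed:
            continue
        if any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS):
            hits.append((dst, port))
    return hits


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['src']} {f['status']} {','.join(f['reasons'])} {f['path']}")
    for dst, port in flag_internal_pivots(SAMPLE_FLOWS):
        print(f"appliance -> {dst}:{port} not in allowlist")
```

Decoding before matching is the important step: a rule that looks for a literal `../` in the raw request line misses the `%2F` and `%252F` forms in the sample. The flow check is intentionally an allowlist rather than a blocklist, because the set of internal hosts a VPN gateway should talk to is small and known, while the set it should not talk to is everything else.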

Response Guidance

Ivanti's Factory Reset Recommendation

Following the disclosure of integrity checker tampering, Ivanti recommended a full factory reset and redeployment of appliances rather than in-place patching for confirmed compromises. This is the correct response when trust in the running system cannot be established.

Network Containment

While investigating or remediating, consider:

1. Place a host-based firewall rule or upstream ACL blocking the appliance
   from reaching internal sensitive segments (domain controllers, databases)

2. Rotate ALL credentials that may have transited the VPN gateway,
   including service accounts and certificates

3. Treat any hosts that authenticated through the gateway during the
   compromise window as potentially compromised

Credential Rotation Priority

The WARPWIRE credential harvester means any credentials entered into the Ivanti login portal during an active compromise should be considered stolen. Prioritize rotation of:

  • Domain administrator and privileged accounts
  • Service accounts used in VPN authentication flows
  • Certificates installed on the appliance
  • API keys for downstream integrations

Structural Takeaways

Edge Devices as a Persistent Attack Surface

The Ivanti campaign is not an isolated incident. Similar mass-exploitation campaigns have targeted Citrix NetScaler, Fortinet FortiOS, Barracuda Email Security Gateway, and Cisco IOS XE. The pattern is consistent:

  1. A critical authentication bypass or RCE in an edge appliance is discovered
  2. Nation-state actors exploit it before disclosure (zero-day phase)
  3. Disclosure triggers public PoC releases
  4. Criminal actors pile in during the patch window
  5. Sophisticated actors maintain persistence even on "patched" devices

Edge devices are attractive targets because they sit outside endpoint detection coverage, run opaque proprietary operating systems, and carry enormous implicit trust within the networks they protect.

Vendor Responsibility and Coordinated Disclosure

The Ivanti cases also raised questions about vendor transparency. The delay between Ivanti learning of active exploitation and public disclosure, the release of mitigations that were bypassed within days, and the compromise of the integrity checker all contributed to a difficult remediation environment for defenders.

Organizations should evaluate vendors on their security response track record, not just feature sets, when selecting perimeter infrastructure.

Conclusion

The sustained exploitation of Ivanti Connect Secure devices represents a case study in how nation-state threat actors leverage edge device vulnerabilities to achieve persistent, wide-scale access to high-value networks. The combination of zero-day exploitation, sophisticated post-exploitation tooling, and integrity check evasion made this campaign exceptionally difficult to detect and remediate.

Organizations should treat VPN and other edge appliances as high-risk, high-value targets worthy of continuous monitoring, aggressive patch cycles, and a skeptical posture about the trustworthiness of vendor-provided integrity tools when a device may already be compromised.
