Search results for VPN Ivanti | Breaking Cybersecurity News | The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday  added  a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities ( KEV ) catalog, stating it's being actively exploited in the wild. The vulnerability in question is  CVE-2023-35082  (CVSS score: 9.8), an authentication bypass that's a patch bypass for another flaw in the same solution tracked as CVE-2023-35078 (CVSS score: 10.0), which was actively exploited in attacks targeted Norwegian government entities as a zero-day in April 2023. "If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server," Ivanti  noted  in August 2023. All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8, and MobileIron Core 11.7 and below are impacted by the vulnerabilit...

At least two different suspected China-linked cyber espionage clusters, tracked as  UNC5325  and  UNC3886 , have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances. UNC5325 abused  CVE-2024-21893  to deliver a wide range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as attempted to maintain persistent access to compromised appliances, Mandiant said. The Google-owned threat intelligence firm has assessed with moderate confidence that UNC5325 is associated with UNC3886 owing to source code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware used by the latter. It’s worth pointing out that  UNC3886  has a track record of leveraging zero-day flaws in Fortinet and VMware solutions to deploy a variety of implants like VIRTUALPITA, VIRTUALPIE, THINCRUST, and CASTLETAP. “UNC3886 has primarily targeted the defense industrial base, technology, and telecommunication orga...

Ivanti has released security updates to address multiple security flaws impacting Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA) that could be exploited to achieve arbitrary code execution. The list of vulnerabilities is below - CVE-2024-38657 (CVSS score: 9.1) - External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files CVE-2025-22467 (CVSS score: 9.9) - A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution CVE-2024-10644 (CVSS score: 9.1) - Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution CVE-2024-47908 (CVSS score: 9.1) - Operating sy...

A pair of zero-day flaws identified in Ivanti Connect Secure (ICS) and Policy Secure have been chained by suspected China-linked nation-state actors to breach less than 10 customers. Cybersecurity firm Volexity, which  identified  the activity on the network of one of its customers in the second week of December 2023, attributed it to a hacking group it tracks under the name  UTA0178 . There is evidence to suggest that the VPN appliance may have been compromised as early as December 3, 2023. The two vulnerabilities that have been exploited in the wild to achieve unauthenticated command execution on the ICS device are as follows - CVE-2023-46805  (CVSS score: 8.2) - An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. CVE-2024-21887  (CVSS score: 9.1) - A command injection vulnerability in web components...

Microsoft has disclosed details of a credential theft campaign that employs fake virtual private network (VPN) clients distributed through search engine optimization (SEO) poisoning techniques. "The campaign redirects users searching for legitimate enterprise software to malicious ZIP files on attacker-controlled websites to deploy digitally signed trojans that masquerade as trusted VPN clients while harvesting VPN credentials," the Microsoft Threat Intelligence and Microsoft Defender Experts teams said . The Windows maker, which observed the activity in mid-January 2026, has attributed it to Storm-2561 , a threat activity cluster known for propagating malware through SEO poisoning and impersonating popular software vendors since May 2025. The threat actor's campaigns were first documented by Cyjax, highlighting the use of SEO poisoning to redirect users searching for software programs from companies like SonicWall, Hanwha Vision, and Pulse Secure (now Ivanti Secure...

Ivanti is warning that a critical security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA Gateways has come under active exploitation in the wild beginning mid-December 2024. The security vulnerability in question is CVE-2025-0282 (CVSS score: 9.0), a stack-based buffer overflow that affects Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3. "Successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution," Ivanti said in an advisory . "Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix." Also patched by the company is another high-severity flaw (CVE-2025-0283, CVSS score: 7.0) that allows a locally authenticated attacker to escalate their privileges. The vulnerabilities, addressed in version 22.7R2.5, imp...

Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices. This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of  LIGHTWIRE . "CHAINLINE is a Python web shell backdoor that is embedded in a Ivanti Connect Secure Python package that enables arbitrary command execution," the company  said , attributing it to UNC5221, adding it also detected multiple new versions of  WARPWIRE , a JavaScript-based credential stealer. The infection chains entail a successful exploitation of  CVE-2023-46805 and CVE-2024-21887 , which allow an unauthenticated threat actor to execute arbitrary commands on the Ivanti appliance with elevated privileges. The flaws have been abused as zero-days since early December 2023. Germany's Federal Office for Information Security (BSI)...

A recently disclosed server-side request forgery ( SSRF ) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation. The Shadowserver Foundation  said  it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others. The attacks exploit  CVE-2024-21893  (CVSS score: 8.2), an SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA that allows an attacker to access otherwise restricted resources without authentication. Ivanti had previously divulged that the vulnerability had been exploited in targeted attacks aimed at a "limited number of customers," but cautioned the status quo could change post public disclosure. That's exactly what appears to have happened, especially following the  release  of a proof-of-concept (PoC) exploit by cybersecurity firm Rapid7 last week. The PoC involves fashioning...

Ivanti has rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks, one of which has been added by the U.S. Cybersecurity and Infrastructure Security Agency ( CISA ) to its Known Exploited Vulnerabilities (KEV) catalog. The critical-severity vulnerabilities are listed below - CVE-2026-1281 (CVSS score: 9.8) - A code injection allowing attackers to achieve unauthenticated remote code execution CVE-2026-1340 (CVSS score: 9.8) - A code injection allowing attackers to achieve unauthenticated remote code execution They affect the following versions - EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (Fixed in RPM 12.x.0.x) EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (Fixed in RPM 12.x.1.x) However, it bears noting that the RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities will...

As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging  two zero-day vulnerabilities  in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant  said  in an analysis published this week. The Google-owned threat intelligence firm is tracking the threat actor under the moniker  UNC5221 .  The attacks leverage an exploit chain comprising an authentication bypass flaw (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887) to take over susceptible instances. Volexity, which attributed the activity to a suspected Chinese espionage actor named UTA0178, said the twin flaws were used to gain initial access, deploy webshells, backdoor legitimate files, capture credentials and configuration data, and pivot further into the vict...

A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. Threat intelligence firm GreyNoise said it recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026. An estimated 346 exploitation sessions have originated from 193.24.123[.]42, accounting for 83% of all attempts. The malicious activity is designed to exploit CVE-2026-1281 (CVSS scores: 9.8), one of the two critical security vulnerabilities in EPMM, along with CVE-2026-1340 that could be exploited by an attacker to achieve unauthenticated remote code execution. Late last month, Ivanti acknowledged it's aware of a "very limited number of customers" who were impacted following the zero-day exploitation of the issues. Since then, multiple European agencies, including the Netherlands' Dutch Da...

Multiple China-nexus threat actors have been linked to the zero-day exploitation of three security flaws impacting Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893). The clusters are being tracked by Mandiant under the uncategorized monikers  UNC5221 , UNC5266, UNC5291,  UNC5325 , UNC5330, and UNC5337. Also previously linked to the exploitation spree is a Chinese hacking crew called UNC3886 , whose tradecraft is notable for weaponizing zero-day bugs in Fortinet and VMware to breach target networks. The Google Cloud subsidiary said it has also observed financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely in an attempt to conduct cryptocurrency mining operations. "UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments,...

Check Point is warning of a zero-day vulnerability in its Network Security gateway products that threat actors have exploited in the wild. Tracked as CVE-2024-24919 (CVSS score: 8.6), the issue impacts CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. "The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled," Check Point said . Hotfixes are available in the following versions - Quantum Security Gateway and CloudGuard Network Security Versions - R81.20, R81.10, R81, R80.40 Quantum Maestro and Quantum Scalable Chassis - R81.20, R81.10, R80.40, R80.30SP, R80.20SP Quantum Spark Gateways Version - R81.10.x, R80.20.x, R77.20.x The development comes days after the Israeli cybersecurity company warned of attacks targeting its VPN devices to infiltrate enterprise networks. "By May 24, 2024, we identi...

It’s easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn’t just patching fast, but watching smarter and staying alert for what you don’t expect. Here’s a quick look at this week’s top threats, new tactics, and security stories shaping the landscape. ⚡ Threat of the Week F5 Exposed to Nation-State Breach — F5 disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP's source code and information related to undisclosed vulnerabilities in the product. The company said it learned of the incident on August 9, 2025, although it's believed that the attackers were in its network for at least 12 months. The attackers are said to have used a malware family called BRICKSTORM, which is attributed to a China-nexus espionage group dubbed UNC5221. GreyNoise said it observed elevat...

If Pulse Connect Secure gateway is part of your organization network, you need to be aware of a newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet. At least two threat actors have been behind a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in Pulse Secure VPN devices to circumvent multi-factor authentication protections and breach enterprise networks. "A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021,  CVE-2021-22893 , are responsible for the initial infection vector," cybersecurity firm FireEye  said  on Tuesday, identifying 12 malware families associated with the exploitation of Pulse Secure VPN appliances. The company is also tracking the activity under two threat clusters UNC2630 and UN...