BIPI

Ivanti Connect Secure 2025: Exploitation Patterns, CISA KEV Cascade, and IR Lessons

Threat Intelligence

Ivanti Connect Secure accumulated more CISA KEV entries in 2025 than any other single product. A systematic analysis of the CVE series, observed exploitation chains, incident response lessons, and architecture recommendations.

By Arjun Raghavan, Security & Systems Lead, BIPI · August 13, 2025 · 11 min read

#ivanti #cve #cisa-kev #vpn-security #incident-response #zero-day

Ivanti Connect Secure — formerly Pulse Secure — has become the security industry's most significant cautionary tale about SSL VPN attack surface. The product accumulated a cascade of critical zero-day vulnerabilities through 2024 and 2025, with CISA adding more Ivanti CVEs to its Known Exploited Vulnerabilities catalogue than any other single product in that period. Nation-state groups from China, Russia, and Iran, alongside financially motivated ransomware affiliates, all exploited Ivanti vulnerabilities as a primary initial access vector.

  • 12+: Ivanti Connect Secure CVEs added to CISA KEV in 2024–2025
  • Nation-state: exploitation confirmed by Chinese, Russian, and Iranian APT groups
  • ED 24-01: CISA Emergency Directive requiring federal agencies to disconnect or patch Ivanti devices

The CVE Cascade: 2024–2025 Timeline

The Ivanti exploitation wave began in January 2024 with the disclosure of CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection). These were chained by multiple threat actors — including UNC5221 attributed to Chinese intelligence — before patches were available. The pattern of zero-day exploitation before patch availability repeated with CVE-2024-21893, CVE-2024-22024, and a series of further vulnerabilities disclosed through 2025 following Ivanti's accelerated security review programme.

  • CVE-2023-46805: authentication bypass in web component; CVSS 8.2; exploited before patch in January 2024
  • CVE-2024-21887: command injection via authenticated web request; chained with CVE-2023-46805 for pre-auth RCE
  • CVE-2024-21893: SSRF in SAML component; exploited to bypass two-factor authentication
  • CVE-2024-22024: XXE in SAML component allowing authentication bypass without credentials
  • CVE-2025-0282: stack-based buffer overflow in ICS 22.7.x; CVSS 9.0; zero-day exploited in January 2025
  • CVE-2025-0283: privilege escalation; chained with CVE-2025-0282 for root shell access

Observed Exploitation Chains

Mandiant's ICSSTRIKE tracker documented the most common exploitation chain observed in incident response engagements following Ivanti compromise in 2025. The chain begins with exploitation of a pre-authentication vulnerability to achieve code execution as the limited web server user, followed by privilege escalation to root, and then deployment of a persistent implant designed to survive factory resets and firmware updates.

  1. Pre-auth exploitation of buffer overflow or authentication bypass to achieve web server process execution
  2. Local privilege escalation to root via chained vulnerability or exposed SUID binary
  3. Deployment of SPAWNANT/SPAWNMOLE/SPAWNSNAIL implant family to /home/user/package/data/
  4. Implants survive factory reset: write to read/write partition not erased by standard reset procedure
  5. Certificate harvesting: extract session tokens and certificates for lateral movement to downstream systems
  6. Pivot to internal network via VPN tunnel; use harvested credentials for Active Directory access

The Factory Reset Trap

The most operationally significant discovery in Ivanti incident response in 2024 and 2025 was that the implant families deployed by nation-state actors survived factory resets. CISA's January 2024 advisory explicitly warned that threat actors may have retained access to Ivanti appliances despite customers performing factory resets. This invalidated the standard incident response playbook of wipe and restore from clean image.

CISA KEV Emergency Directives

CISA issued Emergency Directive 24-01 in January 2024 directing all Federal Civilian Executive Branch agencies to immediately mitigate Ivanti Connect Secure and Ivanti Policy Secure vulnerabilities. This was followed by Supplemental Direction V3 requiring agencies to assume credential and sensitive data compromise, report indicators of compromise, and in some cases rebuild affected systems from scratch.
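The directive's deadlines only matter if a team can see, for every KEV entry that touches its appliances, which comes first: the CISA due date or its own patching SLA. The script below is an added illustration written for this post (not CISA, Ivanti or BIPI tooling). It reads a document in the shape of the public KEV JSON feed (field names cveID, vendorProject, product, dateAdded, dueDate, as the feed publishes them), filters by vendor and product substring, and reports the stricter of the two deadlines. The embedded feed is a constructed subset: the CVE ids are the ones discussed in this post, but the dates, the product strings, the placeholder non-Ivanti entry and the 7-day internal SLA are assumptions made for the example.

```python
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed subset in the shape of the CISA KEV JSON feed. The CVE ids are
# from this post; the dates are constructed so that all three SLA states
# appear for the fixed "today" used in demo_report(). The last entry is a
# placeholder id, not a real CVE, present only to show vendor filtering.
KEV_SAMPLE = json.dumps({
    "title": "constructed KEV subset for illustration",
    "vulnerabilities": [
        {"cveID": "CVE-2025-0282", "vendorProject": "Ivanti",
         "product": "Connect Secure", "dateAdded": "2025-01-08",
         "dueDate": "2025-01-15"},
        {"cveID": "CVE-2024-21893", "vendorProject": "Ivanti",
         "product": "Connect Secure", "dateAdded": "2025-01-15",
         "dueDate": "2025-01-22"},
        {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti",
         "product": "Connect Secure", "dateAdded": "2025-01-18",
         "dueDate": "2025-02-08"},
        {"cveID": "CVE-0000-0000", "vendorProject": "OtherVendor",
         "product": "Unrelated Appliance", "dateAdded": "2025-01-01",
         "dueDate": "2025-01-05"},
    ],
})


@dataclass(frozen=True)
class SlaStatus:
    cve_id: str
    deadline: date        # earlier of the KEV due date and the internal SLA date
    days_remaining: int   # negative once the deadline has passed
    state: str            # "overdue", "due_soon" or "on_track"


def load_kev(feed_text: str) -> list[dict]:
    """Parse the feed and return the list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def entries_for_product(entries: list[dict], vendor: str, product: str) -> list[dict]:
    """Case-insensitive substring match; real KEV product strings are long and
    change between entries, so exact matching would silently miss records."""
    v, p = vendor.lower(), product.lower()
    return [e for e in entries
            if v in e["vendorProject"].lower() and p in e["product"].lower()]


def sla_status(entry: dict, today: date, internal_sla_days: int,
               warn_days: int = 3) -> SlaStatus:
    """Apply the stricter of the KEV due date and the documented internal SLA,
    counted from the day the entry was added to the catalogue."""
    added = date.fromisoformat(entry["dateAdded"])
    kev_due = date.fromisoformat(entry["dueDate"])
    internal_due = added + timedelta(days=internal_sla_days)
    deadline = min(kev_due, internal_due)
    remaining = (deadline - today).days
    if remaining < 0:
        state = "overdue"
    elif remaining <= warn_days:
        state = "due_soon"
    else:
        state = "on_track"
    return SlaStatus(entry["cveID"], deadline, remaining, state)


def report(feed_text: str, vendor: str, product: str, today: date,
           internal_sla_days: int) -> dict[str, SlaStatus]:
    """Map each matching CVE id to its SLA status."""
    entries = entries_for_product(load_kev(feed_text), vendor, product)
    return {s.cve_id: s for s in
            (sla_status(e, today, internal_sla_days) for e in entries)}


def demo_report() -> dict[str, SlaStatus]:
    """Fixed date and a 7-day internal SLA (both assumptions for the example)."""
    return report(KEV_SAMPLE, "Ivanti", "Connect Secure",
                  today=date(2025, 1, 20), internal_sla_days=7)


if __name__ == "__main__":
    for status in demo_report().values():
        print(f"{status.cve_id}: {status.state} "
              f"(deadline {status.deadline}, {status.days_remaining} days)")
```

In practice the feed would be fetched from CISA rather than embedded, and the output fed to the ticketing queue that owns the appliance. Treat the KEV due date as a floor, not a target: as the timeline above shows, several of these CVEs were exploited before a patch existed, so dateAdded often lags the first exploitation, and the vendor advisory date is the better clock for the internal SLA.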

Architecture Recommendations

  • Evaluate VPN vendor consolidation risk: over-reliance on a single remote access product creates single-point-of-failure exposure
  • Deploy Ivanti Integrity Checker Tool on a scheduled basis and alert on any failures
  • Segment VPN termination points on the network: a compromised gateway should not have direct routing to the entire internal network
  • Implement MFA that is not reliant on the VPN appliance's own authentication stack
  • Subscribe to Ivanti's security advisory mailing list and have a documented SLA for patching critical VPN appliance CVEs
  • Consider zero-trust network access architecture to reduce attack surface compared to traditional VPN
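
The defender-side counterpart to the reset-surviving persistence described under The Factory Reset Trap, and to the recommendation above to run the Integrity Checker Tool on a schedule, is a baseline-versus-current file manifest: hash every file on the partition that a reset does not erase, compare against a manifest taken from a known-good image, and alert on anything added, removed or changed. The code below is an added illustration written for this post; it is not Ivanti's ICT and not BIPI tooling, and it demonstrates only the principle. The directory tree, file names and the `data/` watched prefix are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # stream files so a large firmware image is never read whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link cannot be pointed at a known-good file to
    make a modified target look untouched."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def findings_to_alerts(diff: dict[str, list[str]],
                       watched_prefixes: tuple[str, ...] = ("data/",)) -> list[str]:
    """Any change to a file that shipped in the baseline is an alert; a new
    file is an alert when it lands under a path that should hold only known
    content (the read/write area that a reset does not wipe)."""
    alerts = [f"MODIFIED baseline file: {p}" for p in diff["modified"]]
    alerts += [f"REMOVED baseline file: {p}" for p in diff["removed"]]
    alerts += [f"ADDED file in watched path: {p}" for p in diff["added"]
               if p.startswith(watched_prefixes)]
    return alerts


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Constructed scenario: baseline a small tree from a 'known-good image',
    then simulate the post-reset state a responder might see."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "data").mkdir()
        (root / "bin" / "webserver").write_bytes(b"\x7fELF constructed original")
        (root / "data" / "settings.json").write_text("{}")
        baseline = build_manifest(root)  # would be stored off-box in practice

        # Constructed changes: a shipped binary altered, a file dropped into the
        # writable area, and a baseline file removed.
        (root / "bin" / "webserver").write_bytes(b"\x7fELF constructed modified")
        (root / "data" / "unexpected.so").write_bytes(b"constructed content")
        (root / "data" / "settings.json").unlink()

        diff = compare_manifests(baseline, build_manifest(root))
        return diff, findings_to_alerts(diff)


if __name__ == "__main__":
    diff, alerts = demo()
    print(json.dumps(diff, indent=2))
    print("\n".join(alerts))
```

Two points carry over to real use. The baseline manifest must live off the appliance (a compromised box can rewrite a manifest it stores locally), and the comparison should run against a mounted image of the persistent partition rather than from inside the running system, since an implant that survives reset can also shape what on-box tooling sees. Scheduling the run and routing the alert lines to the SIEM is what turns the post's "deploy on a scheduled basis and alert on any failures" bullet into a control.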

The Ivanti cascade illustrates a systemic risk: security infrastructure designed to protect network access is itself the most valuable target on the perimeter. A compromised VPN gateway provides the attacker with the most trusted position in the network.

  • ED 24-01: CISA Emergency Directive issued within weeks of initial disclosure — among the fastest federal mandates ever issued
  • Survives reset: implant persistence beyond factory reset caught incident responders unprepared across dozens of engagements
  • ZTNA: architectural alternative CISA recommends to reduce single-product VPN dependency
