Cybersecurity · 8 min read · Credibility 95/100

Ivanti Connect Secure Zero-Day Exploitation Campaign Triggers Emergency Directives

Multiple zero-day vulnerabilities in Ivanti Connect Secure VPN appliances are under active exploitation by a state-sponsored threat group, prompting CISA Emergency Directive 26-02 and coordinated advisories from Five Eyes cybersecurity agencies. The vulnerabilities enable unauthenticated remote code execution and authentication bypass, giving attackers persistent root-level access that survives appliance reboots and software patches. Confirmed compromises span government agencies, defense contractors, and telecommunications providers across at least fifteen countries. Organizations running Ivanti Connect Secure must apply emergency patches immediately and conduct forensic analysis to detect compromise indicators.

Fact-checked and reviewed — Kodi C.


A coordinated exploitation campaign targeting Ivanti Connect Secure VPN appliances has triggered the first CISA Emergency Directive of 2026. Two previously unknown vulnerabilities — a stack-based buffer overflow in the web management interface and an authentication bypass in the SAML module — are being chained together by a sophisticated threat group to gain persistent root-level access to enterprise networks. The campaign has been active since at least mid-December 2025, meaning many organizations were compromised weeks before public disclosure. The scale and severity of this campaign demand immediate action from every organization running affected appliances.

Technical analysis

CVE-2026-0867 is a stack-based buffer overflow in the Connect Secure web management interface. Specially crafted HTTPS requests to the management endpoint trigger the overflow in the authentication-processing component, enabling unauthenticated remote code execution with root privileges. No valid credentials or prior access are required: any attacker who can reach the management interface over the network can exploit the flaw.

CVE-2026-0868 is an authentication bypass in the SAML single-sign-on module. It allows an attacker to forge valid authentication tokens and establish VPN sessions without possessing valid user credentials. On its own this vulnerability provides unauthorized network access; combined with CVE-2026-0867 it enables a complete attack chain from initial access through the management plane to persistent internal network presence via the VPN data plane.

The exploitation sequence observed in the wild proceeds in stages. First, the attacker exploits CVE-2026-0867 to execute arbitrary commands on the appliance. A lightweight web shell is deployed within seconds, providing interactive command execution through the existing HTTPS service. The attacker then modifies the appliance's firmware partition — not just the software partition — to install a persistent backdoor that survives both reboots and standard software updates. This firmware-level persistence is the campaign's most dangerous characteristic because it means patching the application software alone does not eradicate the threat.

Internet-facing scans identify over 30,000 Ivanti Connect Secure appliances exposed to the public internet globally. A subset of these expose the management interface, creating the initial attack surface. Even organizations that restrict management access to internal networks are not immune if their internal networks have already been compromised through other means, but internet-exposed management interfaces represent the primary and most urgent risk.

Threat actor attribution and targeting

Mandiant, Microsoft Threat Intelligence, and the UK's National Cyber Security Centre attribute the campaign to a Chinese state-sponsored group that Mandiant tracks as UNC5337 and that other vendors describe as adjacent to Volt Typhoon. The group has a documented history of targeting network-edge appliances (routers, VPN concentrators, and firewalls) for initial access to high-value networks. Previous campaigns targeted Citrix NetScaler, Fortinet FortiOS, and earlier Ivanti vulnerabilities in 2023 and 2024.

Confirmed targets span at least fifteen countries and include U.S. federal civilian agencies, defense-ministry networks in three NATO member states, major telecommunications operators in Southeast Asia, and critical-infrastructure operators in the energy and water sectors. The breadth of targeting indicates strategic intelligence-collection objectives rather than financially motivated cybercrime.

Post-exploitation tradecraft is disciplined and stealthy. The attackers use living-off-the-land techniques — using legitimate system tools rather than dropping conspicuous malware — to conduct Active Directory reconnaissance, harvest credentials, and move laterally to domain controllers. Data exfiltration is routed through encrypted tunnels to legitimate cloud-storage services, blending with normal business traffic. Forensic timestamps on compromised appliances have been deliberately altered to impede investigation timelines.

The pre-disclosure exploitation window, estimated at five to six weeks, means that many organizations were compromised before any public indicator of compromise was available. This window illustrates the asymmetric advantage that zero-day capabilities confer on well-resourced threat actors and exposes the limits of reactive, patch-based security strategies for network-edge infrastructure.

Emergency directives and mitigation guidance

CISA's Emergency Directive 26-02 mandates that all U.S. federal civilian agencies apply Ivanti's emergency patches within 48 hours and complete forensic analysis of affected appliances within 72 hours. Agencies must also run Ivanti's enhanced Integrity Checker Tool (ICT) in its most thorough mode and report results to CISA. The directive explicitly states that patching alone is insufficient — forensic verification is required because the firmware-level persistence mechanism survives software updates.

For organizations that cannot patch immediately, Ivanti has released XML configuration mitigations that disable the vulnerable SAML module and restrict management-interface access to a specified allowlist of IP addresses. Disabling the SAML module also disables SAML-based single sign-on for users, so organizations applying it need a fallback authentication path in place. These mitigations reduce the attack surface but do not address the underlying vulnerabilities and should be treated as stopgap measures. Organizations implementing mitigations rather than patches must accelerate their patching timeline and accept elevated residual risk.

Five Eyes partner agencies — the NCSC (UK), ACSC (Australia), CCCS (Canada), and NCSC-NZ (New Zealand) — have issued coordinated advisories containing detection signatures, YARA rules for web-shell identification, and network indicators of compromise. The advisories recommend monitoring for unusual process creation on VPN appliances, outbound connections to known command-and-control infrastructure, and modifications to system files in the firmware partition.

Network-level detection should focus on anomalous VPN session patterns: sessions originating from IP addresses inconsistent with the organization's normal user population, sessions with unusual duration or data-transfer volumes, and authentication events for accounts not typically associated with VPN access. SIEM correlation rules that flag these patterns against the published indicators provide the strongest detection capability short of full forensic examination.
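The following is an added example of the session-level checks described above, not code from the briefing or from any vendor tool. It parses constructed VPN session records in a simple key=value format (an assumption; real appliance logs differ) and flags sessions whose source lies outside the organization's normal networks, matches a published indicator, runs unusually long, moves an unusual volume of data, or belongs to an account that is not expected to use the VPN. The networks, thresholds, account list and IOC address are all constructed for illustration.

```python
"""Flag anomalous VPN sessions from constructed session records.

Added example for illustration only. Record layout, baselines, thresholds
and the IOC list are assumptions, not values from any advisory.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed baseline: networks the workforce normally connects from
# (RFC 5737 documentation ranges) and accounts that should never use the VPN.
EXPECTED_SOURCE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",   # corporate offices (constructed)
    "198.51.100.0/24",  # managed home-user ISP range (constructed)
)]
NON_VPN_ACCOUNTS = {"svc-backup", "svc-sql"}   # service accounts (constructed)
PUBLISHED_IOC_IPS = {"192.0.2.77"}             # stand-in for advisory IOCs
MAX_NORMAL_DURATION_S = 12 * 3600              # assumed normal working day
MAX_NORMAL_BYTES = 2 * 1024 ** 3               # assumed 2 GiB per session


@dataclass
class Session:
    timestamp: str
    user: str
    src_ip: str
    duration_s: int
    bytes_total: int
    reasons: list = field(default_factory=list)


def parse_session_log(lines):
    """Parse lines like '<ts> user=.. src=.. dur=.. bytes=..' (constructed format)."""
    sessions = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        sessions.append(Session(ts, fields["user"], fields["src"],
                                int(fields["dur"]), int(fields["bytes"])))
    return sessions


def score_session(s):
    """Append a reason string for every rule the session violates."""
    ip = ipaddress.ip_address(s.src_ip)
    if s.src_ip in PUBLISHED_IOC_IPS:
        s.reasons.append("source matches published IOC")
    if not any(ip in net for net in EXPECTED_SOURCE_NETWORKS):
        s.reasons.append("source outside normal user population")
    if s.duration_s > MAX_NORMAL_DURATION_S:
        s.reasons.append("unusual session duration")
    if s.bytes_total > MAX_NORMAL_BYTES:
        s.reasons.append("unusual transfer volume")
    if s.user in NON_VPN_ACCOUNTS:
        s.reasons.append("account not expected on VPN")
    return s.reasons


def find_anomalous_sessions(lines):
    """Return only the sessions that triggered at least one rule."""
    return [s for s in parse_session_log(lines) if score_session(s)]


# Constructed sample log: two benign sessions, one service account from an
# IOC address with a 17-hour session and 3 GiB moved, one 2.5 GiB upload.
SAMPLE_LOG = """\
2026-01-14T08:02:11Z user=jdoe src=203.0.113.45 dur=3600 bytes=52000000
2026-01-14T03:12:55Z user=svc-backup src=192.0.2.77 dur=61200 bytes=3221225472
2026-01-14T09:40:02Z user=asmith src=198.51.100.9 dur=28800 bytes=410000000
2026-01-14T22:17:40Z user=mlee src=203.0.113.200 dur=600 bytes=2684354560
""".splitlines()

if __name__ == "__main__":
    for hit in find_anomalous_sessions(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.user:<12} {hit.src_ip:<16} {'; '.join(hit.reasons)}")
```

In a SIEM the same rules would be expressed as correlation searches over the appliance's authentication and session logs, with the baselines derived from a few weeks of known-clean history rather than hard-coded; the value of the example is that each finding carries every rule it tripped, so a session that is merely long is ranked below one that is long, from an unexpected network and tied to a service account.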

Forensic investigation procedures

Every organization running Ivanti Connect Secure should conduct forensic analysis regardless of whether indicators of compromise have been observed. The campaign's stealth techniques mean that compromised appliances may show no anomalies through routine monitoring. Forensic analysis should examine the appliance filesystem for unauthorized modifications, compare running firmware against known-good baselines, review authentication logs for anomalous patterns, and analyze network-traffic records for exfiltration indicators.

Ivanti's enhanced ICT performs cryptographic validation of filesystem contents against vendor-signed baselines. It detects the specific persistence mechanisms used by UNC5337 and flags modifications to the firmware partition that would not appear in standard software-integrity checks. Organizations should run the ICT before and after patching to capture both pre-existing compromise and any modifications introduced during the patch-application process. Because the tool runs on the appliance it is checking, a sufficiently privileged implant could in principle interfere with it or its output; where an engagement allows, corroborate on-box results with an offline examination of a forensic image of the appliance.
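The two preceding paragraphs describe comparing an appliance filesystem against a known-good baseline and looking for unauthorized changes. The following is an added example of that technique in general form; it is not Ivanti's Integrity Checker Tool and touches no Ivanti paths. It builds a SHA-256 manifest of a directory tree, reports files added, removed or modified relative to a baseline manifest, and separately lists files whose modification time is older than their inode change time, which is the usual artefact when a tool such as touch or utimes() is used to backdate a file. The demo tree and the simulated tampering are constructed inside a temporary directory; in practice the baseline would come from vendor-signed media or a trusted offline copy and would be stored off the appliance.

```python
"""Baseline comparison and timestomping heuristic for a filesystem tree.

Added example, not Ivanti's ICT. Manifest format, paths and the simulated
tampering are constructed for illustration.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def diff_against_baseline(root, baseline):
    """Report additions, removals and content changes relative to baseline."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
    }


def find_timestomped(root, skew_s=60):
    """Files whose mtime predates ctime by more than skew_s seconds.

    utimes()/touch can rewrite mtime, but the kernel sets ctime to the
    current time, so an 'old' file with a fresh ctime deserves a look.
    Benign causes exist (cp -p, archive extraction), so treat hits as leads.
    """
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and not p.is_symlink()
                  and p.stat().st_ctime - p.stat().st_mtime > skew_s)


def demo():
    """Build a clean tree, baseline it, simulate tampering, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "web").write_bytes(b"original web binary\n")
        (root / "etc" / "config.xml").write_text("<config/>")
        (root / "etc" / "old.conf").write_text("legacy")
        baseline = build_manifest(root)          # known-good snapshot

        # Constructed post-compromise changes: hook added to a binary, a new
        # file dropped, a file removed, and the dropped file backdated a year.
        (root / "bin" / "web").write_bytes(b"original web binary\n# injected hook\n")
        dropped = root / "bin" / "helper.cgi"
        dropped.write_text("stand-in for a dropped file")
        (root / "etc" / "old.conf").unlink()
        a_year_ago = time.time() - 365 * 86400
        os.utime(dropped, (a_year_ago, a_year_ago))   # mtime lies; ctime cannot

        return diff_against_baseline(root, baseline), find_timestomped(root)


if __name__ == "__main__":
    changes, stomped = demo()
    for kind, paths in changes.items():
        print(f"{kind:>9}: {paths}")
    print(f"timestomp suspects: {stomped}")
```

Running the demo reports bin/web as modified, bin/helper.cgi as added, etc/old.conf as removed, and bin/helper.cgi as the only timestomp suspect. The mtime/ctime check behaves as described on Linux and macOS; on Windows st_ctime is the creation time and the heuristic does not apply.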

Memory forensics can reveal malware that operates entirely in volatile memory without touching the filesystem. The custom implant deployed by UNC5337 includes memory-resident components that intercept authentication traffic and exfiltrate credentials in real time. Specialized memory-acquisition tools for the Ivanti platform are available through Mandiant and CrowdStrike incident-response engagements.

If compromise is confirmed, the response must extend well beyond the VPN appliance itself. Credential rotation is necessary for every account that has authenticated through the compromised infrastructure. Active Directory should be audited for unauthorized persistence mechanisms such as golden-ticket attacks, rogue service-principal names, and modified group-policy objects. Network segmentation should be tightened to contain any secondary access the attacker may have established through lateral movement.

Architectural lessons and zero-trust implications

This campaign reinforces a structural lesson that the security community has been articulating for years: concentrating network trust in edge appliances creates catastrophic single points of failure. A compromised VPN concentrator provides the attacker with the same broad network access that the appliance grants to legitimate users. When the appliance is the perimeter, compromising it is equivalent to bypassing the perimeter entirely.

Zero-trust network architecture addresses this weakness by eliminating the assumption that any single component — including the VPN — can be unconditionally trusted. Per-application access policies, continuous authentication, device-health verification, and micro-segmentation collectively limit the blast radius of any single compromise. The transition from perimeter VPN to zero-trust is a multi-year effort, but events like this campaign accelerate organizational commitment and budget allocation.

In the near term, organizations can reduce risk by segmenting the network zones reachable through VPN connections. Placing critical assets — domain controllers, financial systems, intellectual-property repositories — behind additional authentication gates ensures that compromised VPN credentials alone are insufficient to reach the most sensitive resources. Privileged-access workstations and jump servers for administrative tasks provide further containment.

Procurement teams should incorporate vendor security track records into appliance selection decisions. The recurring pattern of critical zero-day vulnerabilities in VPN products from multiple vendors suggests systemic quality challenges in this product category. Vendor commitments to secure-by-design principles, rapid patch delivery, and transparent vulnerability disclosure should carry significant weight in procurement evaluations alongside feature comparisons and pricing.

Recommended actions

Apply Ivanti emergency patches to all Connect Secure appliances within the next 48 hours. If patching is not immediately feasible, implement the XML configuration mitigations and restrict management-interface access to a strict IP allowlist. Prioritize appliances with internet-exposed management interfaces.

Run the Ivanti ICT on every appliance and engage incident-response support immediately if any anomaly is detected. Do not assume that absence of known IOCs means absence of compromise — the attackers have demonstrated the ability to operate below the detection threshold of standard monitoring tools.

Implement enhanced monitoring on all network segments reachable through Ivanti VPN infrastructure. Focus on credential-use anomalies, lateral-movement indicators, and data-exfiltration patterns. Update SIEM rules with the published IOCs from the Five Eyes advisories.

Begin planning for longer-term architectural improvements that reduce organizational dependence on VPN-appliance integrity. Evaluate zero-trust access solutions, network segmentation enhancements, and privileged-access management tools as priority investments for the current budget cycle.

What to expect

The Ivanti Connect Secure campaign is the most significant VPN-appliance exploitation event since the Fortinet FortiOS campaigns of 2024. It demonstrates that state-sponsored actors continue to invest heavily in zero-day capabilities targeting network-edge infrastructure and that the operational window between exploitation and disclosure can extend for weeks, leaving defenders in a reactive posture.

For CISOs, the immediate priority is tactical: patch, verify, and hunt. But the strategic takeaway is equally important. Every organization that relies on a VPN concentrator as its primary remote-access mechanism should be accelerating its zero-trust roadmap. The question is not whether another VPN zero-day will emerge — it is when, and whether the organization's architecture limits the damage when it does.


Source material

  1. CISA Known Exploited Vulnerabilities Catalog — cisa.gov
  2. Ivanti Security Advisory: Connect Secure Critical Vulnerabilities — ivanti.com
  3. Mandiant Threat Intelligence: UNC5337 Ivanti Campaign Analysis — mandiant.com