{
	"id": "04de971d-31a5-489d-84ba-94e21db21c73",
	"created_at": "2026-04-06T00:12:02.905162Z",
	"updated_at": "2026-04-10T13:12:30.888964Z",
	"deleted_at": null,
	"sha1_hash": "c4e8d593d698433d16a8d472c9adc0dbb4d0ecf2",
	"title": "Ivanti Connect Secure VPN Exploitation Goes Global",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 926459,
	"plain_text": "Ivanti Connect Secure VPN Exploitation Goes Global\r\nBy mindgrub\r\nPublished: 2024-01-15 · Archived: 2026-04-05 13:50:53 UTC\r\nImportant: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then\r\nplease do that immediately! Organizations should immediately review the results of the built-in Integrity Check\r\nTool for log entries indicating mismatched or new files. As of version 9.1R12, Ivanti started providing a built-in\r\nIntegrity Checker Tool that can be run as a periodic or scheduled scan. Volexity has observed it successfully\r\ndetecting the compromises described in this post across impacted organizations. Last week, Ivanti also released\r\nan updated version of the external Integrity Checker Tool that can be further used to check and verify systems.\r\nOn January 10, 2024, Volexity publicly shared details of targeted attacks by UTA0178 exploiting two zero-day\r\nvulnerabilities (CVE-2024-21887 and CVE-2023-46805) in Ivanti Connect Secure (ICS) VPN appliances. On the\r\nsame day, Ivanti published a mitigation that could be applied to ICS VPN appliances to prevent exploitation of\r\nthese vulnerabilities.\r\nNote: It should once again be reiterated that the mitigation does not remedy an active or past\r\ncompromise. While it is critical that organizations apply this mitigation, it is just as important that they\r\nlook for signs their ICS VPN appliance has already been compromised and take action if evidence is\r\nfound.\r\nSince publication of these details, Volexity has continued to monitor its existing customers for exploitation.\r\nVolexity has also been contacted by multiple organizations that saw signs of compromise by way of mismatched\r\nhttps://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/\r\nPage 1 of 4\n\nfile detections. 
Volexity has been actively working multiple new cases of organizations with compromised ICS\r\nVPN appliances.\r\nSimultaneously, Volexity also developed a way to scan devices to look for signs of compromise. As a result,\r\nVolexity has observed two new major findings related to this ongoing activity:\r\nExploitation of these vulnerabilities is now widespread. Volexity has been able to find evidence of\r\ncompromise of over 1,700 devices worldwide.\r\nAdditional threat actors beyond UTA0178 appear to now have access to the exploit and are actively trying\r\nto exploit devices.\r\nTimeline of Findings\r\nThe timeline of findings from earliest observed exploitation to ongoing activity at the time of writing is below:\r\n2023-12-03 | Earliest exploitation observed by Volexity.\r\n2024-01-10 | Volexity reports details of observed exploitation of CVE-2024-21887 \u0026 CVE-2023-46805.\r\n2024-01-11 | Volexity discovers evidence that UTA0178 attempts mass exploitation.\r\n2024-01-11 | Mandiant reports on their own observations.\r\n2024-01-15 | Volexity discloses evidence of mass exploitation and the suspected compromise of at least\r\n1,700 ICS devices.\r\nVictims are globally distributed and vary greatly in size, from small businesses to some of the largest\r\norganizations in the world, including multiple Fortune 500 companies spanning multiple industry verticals, such as\r\nthe following:\r\nGlobal government and military departments\r\nNational telecommunications companies\r\nDefense contractors\r\nTechnology\r\nBanking, Finance, and Accounting\r\nWorldwide consulting\r\nAerospace, Aviation, and Engineering\r\nWidespread Exploitation\r\nAs described on January 10, 2024, Volexity had conducted scans using a method that only uncovered a single\r\nvictim organization. 
Based on those findings, Volexity’s customer visibility, and input from Ivanti, it had been\r\nconcluded that exploitation of the vulnerability chain had been limited to just a few organizations.\r\nHowever, on January 11, 2024, Volexity began to detect evidence of widespread scanning by someone apparently\r\nfamiliar with the vulnerabilities. In logs from its customer ICS VPN appliances, Volexity observed requests for\r\nvarious file paths that are not publicly known. It was not clear if this was the work of attackers or security\r\nresearchers. However, on the same day, Volexity also received reports from multiple organizations that their\r\nICS VPN logs showed mismatched files. Further, some of these organizations shared past\r\nresults from the built-in integrity scan that did not show signs of mismatched files until January 11, 2024. Volexity\r\nwas simultaneously engaged to investigate similar activity with other customers and found multiple devices had\r\nsimilarly been compromised starting on January 11, 2024.\r\nInvestigations of newly found compromised devices showed they had been backdoored with a slightly different\r\nvariant of the GIFTEDVISITOR webshell documented in the “visits.py modification – GIFTEDVISITOR” section\r\nof Volexity’s recent blog post. The attacker used an identical webshell to that observed in the first incident\r\ninvestigated by Volexity, but they replaced the AES key used with a truncated UUID string. This AES key format\r\ndiffered from the one initially discovered, which simply had the value 1234567812345678. 
Volexity’s analysis of\r\nmultiple devices shows that a unique AES key has likely been employed on each victim system as part of the\r\nwidespread compromise.\r\nVolexity was able to develop a new method of scanning for evidence that GIFTEDVISITOR was present on ICS\r\nVPN appliances. Volexity then scanned roughly 30,000 ICS IP addresses. On Sunday, January 14, 2024, Volexity\r\nhad identified over 1,700 ICS VPN appliances that were compromised with the GIFTEDVISITOR webshell.\r\nThese appliances appear to have been indiscriminately targeted, with victims all over the world. A summary of the\r\ninfected appliances’ geography can be seen below.\r\nVolexity assesses with medium confidence that this widespread exploitation was undertaken by UTA0178. This\r\nassessment is based on the use of an identical webshell to that used in the previous exploitation, and the speed at\r\nwhich it was undertaken following publication of details relating to the exploit. Widespread exploitation began\r\non January 11, 2024 and continues.\r\nEvidence of Exploit Proliferation\r\nIn addition to the discovery of widespread exploitation undertaken by UTA0178, analysis of logs from various\r\nICS VPN appliances showed likely attempted exploitation by other threat actors, with noticeably poorer\r\noperational security than UTA0178. While devices without the mitigation did not correctly log exploit-related\r\nrequests, those with the mitigation correctly log attempted exploitation. Based on analysis of these logs, nearly\r\ntwo dozen IP addresses attempted exploitation using the correct URI pattern or similar URI patterns required for\r\nexploitation, with no documentation of this URI pattern in the public domain. 
These IP addresses appear to be a\r\nmix of private VPS instances and compromised network appliances (although no Cyberoam devices have been\r\nobserved).\r\nVolexity has also observed suspected exploitation attempts from another threat actor that it tracks as UTA0188.\r\nThis threat actor was observed in the logs of an ICS VPN that was patched. Additional details related to this threat\r\nactor, their infrastructure, and other observed targeting were provided to Volexity Threat Intelligence customers in\r\nTIB-20240115.\r\nConclusion\r\nVolexity has identified widespread exploitation of chained vulnerabilities CVE-2024-21887 and\r\nCVE-2023-46805. This exploitation has affected thousands of machines and may have infected many more. Volexity’s scan\r\nmethodology would not have worked against organizations that had already deployed the Ivanti mitigation or whose\r\nappliances had otherwise been taken offline. As a result, Volexity suspects there is likely a higher number of compromised\r\norganizations than identified through scanning (which totaled more than 1,700). There was likely a period in\r\nwhich UTA0178 could have actioned these compromises before the mitigation was applied.\r\nFurthermore, Volexity has identified that additional attackers beyond UTA0178 appear to have access to the\r\nexploit. Volexity recommends that organizations running ICS VPN perform the following:\r\nApply the mitigation provided by Ivanti.\r\nRun the Integrity Checker Tool provided by Ivanti.\r\nIn the event of a hit for the Integrity Checker Tool, follow the steps in the “Responding to Compromise”\r\nsection of Volexity’s previous blog post.\r\nWhere Volexity has a known contact, national CERTs have been contacted in order to notify them of\r\nvictims in their constituency. 
If you are a national CERT, and you have not received a message from\r\nVolexity but would like a list of affected IP addresses in your country, please contact\r\nthreatintel@volexity.com.\r\nSource: https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/"
	],
	"report_names": [
		"ivanti-connect-secure-vpn-exploitation-goes-global"
	],
	"threat_actors": [
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434322,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c4e8d593d698433d16a8d472c9adc0dbb4d0ecf2.pdf",
		"text": "https://archive.orkl.eu/c4e8d593d698433d16a8d472c9adc0dbb4d0ecf2.txt",
		"img": "https://archive.orkl.eu/c4e8d593d698433d16a8d472c9adc0dbb4d0ecf2.jpg"
	}
}