New Cyber Attacks Target Ivanti Connect Secure VPN Vulnerabilities

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 
July 17, 2025 2 min read

Cybersecurity Threats and Vulnerabilities

Ivanti Connect Secure VPN Exploitations

In January 2025, Ivanti disclosed critical vulnerabilities in the Ivanti Connect Secure VPN, specifically CVE-2025-0282 and CVE-2025-0283. These vulnerabilities, which include an unauthenticated stack-based buffer overflow, have been actively exploited in the wild since mid-December 2024. The successful exploitation of these vulnerabilities permits remote code execution, potentially leading to the compromise of an entire network.

Mandiant has identified UNC5221 as a suspected China-nexus espionage actor linked to these incidents. They previously exploited vulnerabilities such as CVE-2023-46805 and CVE-2024-21887 to gain unauthorized access.

Immediate actions recommended by Ivanti include the use of their Integrity Checker Tool (ICT) and contacting support if suspicious activity is detected.

External ICT Scan - Successful
Image courtesy of Google Cloud Blog

Threat Actors Exploiting Multiple Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint advisory in response to exploitation of vulnerabilities in Ivanti Cloud Service Appliances (CSA). The vulnerabilities include CVE-2024-8963, an administrative bypass, and CVE-2024-9379, a SQL injection vulnerability. Threat actors have exploited these vulnerabilities to gain access, execute remote code, and implant web shells.

Ivanti CSA versions 4.6x prior to 519 are affected, and organizations are urged to upgrade to the latest supported versions. Threat actors have utilized chains of vulnerabilities, exploiting these weaknesses to conduct malicious activities, including lateral movement within networks.

Cyber Attack Trends

Recent reports indicate a rise in sophisticated cyber attacks. Notable trends include:

  • Investment Scams: A wave of online investment scams is leveraging fake news outlets to trick users.
  • Malware Attacks: The use of APK malware for remote command execution has been observed through extensive domain exploitation.
  • WordPress Exploits: Hackers are exploiting vulnerabilities in WordPress sites to redirect users to malicious websites.

Organizations are advised to remain vigilant and utilize security products that can break these attack sequences and facilitate threat hunting.

Notable Cybersecurity Alerts

  1. C-DATA Web Management System RCE Attack: This attack targets a vulnerability in the C-DATA system, allowing remote code execution. Read more here.

  2. Akira Ransomware: This ransomware targets small to medium-sized businesses, employing tactics like Ransomware-as-a-Service. Details can be found here.

  3. PAN-OS GlobalProtect Command Injection Vulnerability: This critical vulnerability allows unauthenticated OS command injection on PAN-OS devices. Learn more.

  4. ConnectWise ScreenConnect Attack: Critical flaws in remote management software ScreenConnect have been exploited for malicious purposes. Read the full report.

Organizations should adopt proactive measures to assess their cybersecurity postures and invest in robust security solutions to combat these increasing threats. For tailored solutions, consider exploring the offerings of undefined.

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article