Escalating Cyber Threats Target Ivanti Connect Secure Systems

In recent months, a significant surge in cyber reconnaissance activities has been directed at Ivanti Connect Secure (ICS) and Ivanti Pulse Secure (IPS) VPN systems. This uptick suggests a coordinated effort by threat actors to identify and exploit vulnerabilities within these widely used enterprise solutions.

Unprecedented Scanning Activity

Security monitoring services have reported an alarming increase in scanning activities targeting ICS and IPS endpoints. Notably, over 230 unique IP addresses probed these systems in a single day—a ninefold increase from the typical daily average of fewer than 30 unique IPs. Over the past 90 days, a total of 1,004 unique IPs have been observed conducting similar scans, categorized as follows:

– 634 Suspicious
– 244 Malicious
– 126 Benign

These findings indicate that attackers are using real, traceable infrastructure rather than spoofed source addresses: none of the observed IPs were spoofable. The primary sources of this scanning activity are the United States, Germany, and the Netherlands, with organizations in these countries being the main targets. Malicious IPs are predominantly associated with Tor exit nodes and well-known cloud or VPS providers, while suspicious IPs often link to lesser-known hosting services and niche cloud infrastructures.

Critical Vulnerability: CVE-2025-22457

This surge in scanning coincides with heightened attention to CVE-2025-22457, a critical stack-based buffer overflow vulnerability affecting:

– Ivanti Connect Secure versions 22.7R2.5 and earlier
– Pulse Connect Secure 9.x (now end-of-support)
– Ivanti Policy Secure
– Neurons for ZTA gateways

Initially underestimated, CVE-2025-22457 was later found to enable unauthenticated remote code execution (RCE), allowing attackers to run arbitrary code on vulnerable appliances. A patch for this vulnerability was released on February 11, 2025 (ICS version 22.7R2.6), but many legacy devices remain unpatched and exposed. Exploitation in the wild has been confirmed, with advanced persistent threat (APT) groups such as UNC5221 reverse-engineering the patch to develop working exploits.

Historical Context and Previous Exploitations

The current wave of reconnaissance is not an isolated incident. Historically, spikes in scanning activity often precede the public disclosure or mass exploitation of new vulnerabilities. For instance, in early January 2025, Ivanti disclosed two zero-day vulnerabilities—CVE-2025-0282 and CVE-2025-0283—that were actively exploited by suspected Chinese hackers. These vulnerabilities allowed remote attackers to execute arbitrary commands on targeted gateways, leading to significant security breaches.

Furthermore, in February 2025, Ivanti released patches for three critical flaws in Connect Secure and Policy Secure products, including CVE-2025-22467, a stack-based buffer overflow that allowed remote authenticated attackers with low privileges to execute code. Despite these patches, many systems remained vulnerable due to delayed updates, leading to further exploitation.

Implications for Enterprise Security

Ivanti Connect Secure VPNs are widely deployed for enterprise remote access, making them high-value targets for cybercriminals and nation-state actors. The observed spike in scanning is a clear warning: attackers are actively seeking to exploit unpatched Ivanti Connect Secure systems. Proactive defense and rapid patching are essential to prevent compromise.

Defensive Recommendations

To mitigate risk, organizations should:

– Immediate Patching: Update all ICS/IPS systems to the latest versions (ICS 22.7R2.6 or later) to address known vulnerabilities.

– Log Review: Examine logs for suspicious probes and login attempts from new or untrusted IPs to detect potential reconnaissance or intrusion attempts.

– IP Blocking: Block known malicious or suspicious IPs identified by threat intelligence feeds to prevent unauthorized access.

– Authentication Monitoring: Monitor for unusual authentication activity, especially from Tor or cloud-hosted IPs, which may indicate malicious intent.

– Integrity Checks: Utilize Ivanti’s Integrity Checker Tool (ICT) to identify signs of compromise and ensure system integrity.
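The log-review, IP-blocking and authentication-monitoring steps above can be turned into a small, repeatable check. The script below is an added example written for this article; it is not Ivanti's code, and the log format, paths (`/login`, `/api/`), sample IPs and threat-intel labels are all constructed for illustration rather than taken from any real appliance. It generalizes the article's own observation (unique probing IPs per day jumping to about nine times the normal baseline) into a reusable surge detector over any web-style access log, tags each source IP with the same three categories the article uses, derives a block list from the non-benign ones, and reports login attempts from those IPs.

```python
"""Detect VPN-gateway reconnaissance surges and intel-tagged login attempts.

Added example (not from the original article or from Ivanti).
Assumed log format, constructed for this example: one request per line,
"<ISO timestamp> <client_ip> <method> <path> <status>".
"""
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address

# Paths treated as reconnaissance probes / login attempts (assumed, not Ivanti's real paths).
LOGIN_PATH = "/login"
PROBE_PREFIXES = ("/login", "/api/")

# Constructed sample log: a quiet day followed by a day with many new source IPs.
SAMPLE_LOG = """\
2025-04-01T08:00:01 203.0.113.10 GET /login 200
2025-04-01T08:05:12 203.0.113.11 POST /login 401
2025-04-01T09:10:00 198.51.100.7 GET /api/v1/status 404
2025-04-02T00:00:03 198.51.100.20 GET /login 200
2025-04-02T00:00:04 198.51.100.21 GET /login 200
2025-04-02T00:00:05 198.51.100.22 GET /api/v1/status 404
2025-04-02T00:00:06 198.51.100.23 POST /login 401
2025-04-02T00:00:07 198.51.100.24 GET /login 200
2025-04-02T00:00:08 198.51.100.25 GET /login 200
2025-04-02T00:00:09 198.51.100.26 POST /login 401
2025-04-02T00:00:10 198.51.100.27 GET /api/v1/status 404
2025-04-02T00:00:11 198.51.100.28 GET /login 200
2025-04-02T00:00:12 203.0.113.10 GET /login 200
2025-04-02T00:00:13 not-a-valid-line
"""

# Constructed threat-intel feed: ip -> category, using the article's three labels.
SAMPLE_INTEL = {
    "198.51.100.20": "malicious",   # e.g. a Tor exit node in a real feed
    "198.51.100.21": "malicious",
    "198.51.100.22": "suspicious",  # e.g. a niche hosting provider
    "198.51.100.23": "suspicious",
    "198.51.100.7": "benign",
}


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, ip, method, path, status = parts
    try:
        day = datetime.fromisoformat(ts).date().isoformat()
        ip_address(ip)  # validates the address; raises ValueError if bogus
    except ValueError:
        return None
    return {"day": day, "ip": ip, "method": method, "path": path, "status": int(status)}


def parse_log(text):
    """Parse all lines, silently dropping malformed ones."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def unique_probing_ips_per_day(records):
    """Map each day to the set of distinct IPs that touched a probe path."""
    per_day = defaultdict(set)
    for r in records:
        if r["path"].startswith(PROBE_PREFIXES):
            per_day[r["day"]].add(r["ip"])
    return dict(per_day)


def surge_days(records, baseline, multiplier=9):
    """Days on which unique probing IPs reach multiplier x the normal daily baseline."""
    return sorted(day for day, ips in unique_probing_ips_per_day(records).items()
                  if len(ips) >= multiplier * baseline)


def classify_ips(records, intel):
    """Count observed source IPs by intel category ('unknown' when not in the feed)."""
    seen = {r["ip"] for r in records}
    return dict(Counter(intel.get(ip, "unknown") for ip in seen))


def block_list(records, intel):
    """Observed IPs the feed labels malicious or suspicious, ready for a deny rule."""
    seen = {r["ip"] for r in records}
    return sorted(ip for ip in seen if intel.get(ip) in ("malicious", "suspicious"))


def flagged_auth_attempts(records, intel):
    """Login requests from non-benign intel-listed IPs, with failed-auth counts (401/403)."""
    out = defaultdict(lambda: {"attempts": 0, "failures": 0})
    for r in records:
        if r["path"] == LOGIN_PATH and intel.get(r["ip"]) in ("malicious", "suspicious"):
            out[r["ip"]]["attempts"] += 1
            if r["status"] in (401, 403):
                out[r["ip"]]["failures"] += 1
    return dict(out)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Baseline of 1 unique probing IP/day is a constructed value; use your own measured average.
    print("surge days:", surge_days(recs, baseline=1))
    print("ip categories:", classify_ips(recs, SAMPLE_INTEL))
    print("block list:", block_list(recs, SAMPLE_INTEL))
    print("flagged logins:", flagged_auth_attempts(recs, SAMPLE_INTEL))
```

The baseline is deliberately an input rather than a constant: measure your own gateway's typical unique-IP count over a quiet period (the article's figure of fewer than 30 per day is one service's observation, not a universal number) and alert when a day exceeds the chosen multiple. Run it over a real access log by replacing `SAMPLE_LOG` with the file contents and adapting `parse_line` to the appliance's actual format.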

Security teams must remain vigilant, as the current reconnaissance efforts may indicate that attackers are mapping vulnerable systems in preparation for large-scale attacks, ransomware campaigns, or data breaches. Proactive defense measures and timely patching are crucial to safeguarding enterprise networks against these evolving threats.