Critical Ivanti Connect Secure Zero-Day Exploited in Mass Attacks
Another critical zero-day in Ivanti Connect Secure VPN appliances is being mass-exploited to deploy custom malware, with CISA issuing an emergency directive requiring federal agencies to disconnect affected devices.
What happened: CISA issued an emergency directive in response to mass exploitation of a critical zero-day vulnerability in Ivanti Connect Secure VPN appliances. The vulnerability enables unauthenticated remote code execution through the appliance's web-based service. Multiple threat actors, including both nation-state groups and financially motivated attackers, are exploiting the flaw to deploy custom malware families. CISA's directive requires federal civilian agencies to disconnect Ivanti Connect Secure appliances from networks within 48 hours unless mitigations are verified.
Technical details: CVE-2025-47801 is a server-side template injection vulnerability in the Connect Secure web portal that allows unauthenticated remote code execution. Exploitation involves sending crafted requests to the appliance's authentication endpoint that inject malicious template code, which is evaluated server-side with root privileges. Observed post-exploitation activity includes deployment of persistent backdoors that survive factory resets by modifying the appliance's integrity checker itself, credential harvesting of all VPN sessions, and lateral movement into connected networks using stolen session tokens.
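To make the defect class concrete, here is an added example (not Ivanti's code; the appliance's implementation is not described on the page) showing the server-side template injection pattern in Go's standard `text/template`, the hardened form, and a coarse request check a defender can log on. The `SessionData` struct, the field names and the token value are all constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// SessionData is a hypothetical stand-in for server-side state that a
// template can reach; the real appliance's data model is not on the page.
type SessionData struct {
	Name         string
	SessionToken string
}

// RenderVulnerable shows the defect: untrusted input is spliced into the
// template SOURCE, so directives in the input are parsed and evaluated
// server-side with the application's privileges and access to its data.
func RenderVulnerable(userInput string, data SessionData) (string, error) {
	tmpl, err := template.New("greeting").Parse("Welcome, " + userInput + "!")
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// greetingTmpl is fixed at build time; untrusted input only ever arrives as data.
var greetingTmpl = template.Must(template.New("greeting").Parse("Welcome, {{.Name}}!"))

// RenderHardened passes the input as a data value, so template syntax in it
// is emitted as literal text instead of being evaluated.
func RenderHardened(userInput string, data SessionData) (string, error) {
	data.Name = userInput
	var buf bytes.Buffer
	if err := greetingTmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// LooksLikeTemplateInjection is a coarse check for template delimiters in a
// request field, useful for alerting; it is not a substitute for the fix above.
func LooksLikeTemplateInjection(s string) bool {
	return strings.Contains(s, "{{") || strings.Contains(s, "{%")
}

func main() {
	data := SessionData{Name: "alice", SessionToken: "CONSTRUCTED-TOKEN-1234"}
	probe := "{{.SessionToken}}" // constructed input: a directive where a username is expected
	v, _ := RenderVulnerable(probe, data)
	h, _ := RenderHardened(probe, data)
	fmt.Printf("vulnerable: %s\nhardened:   %s\nflagged: %v\n", v, h, LooksLikeTemplateInjection(probe))
}
```

The vulnerable path leaks the session token into the response while the hardened path echoes the directive back as plain text, which is the difference between "template as code" and "input as data" that the fix for this bug class depends on.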
Who is affected: Organizations using Ivanti Connect Secure for remote access VPN, including federal agencies, defense contractors, healthcare organizations, and enterprises globally. The mass exploitation nature means any internet-facing Ivanti Connect Secure instance is at risk. The compromised appliance sits at the network perimeter and provides access to internal networks, making it an ideal pivot point.
What defenders should do: Follow CISA's emergency directive: disconnect Ivanti Connect Secure appliances unless mitigations are confirmed. Apply Ivanti's mitigation file and patches as soon as they are available. Run Ivanti's Integrity Checker Tool (ICT), but note that sophisticated attackers have been observed modifying the ICT itself to hide indicators, so a clean ICT result is not proof of a clean device. Perform a factory reset and rebuild from a known-good image rather than patching in place. Rotate all credentials and session tokens that transited the VPN appliance. Monitor for lateral movement from the VPN segment.
Broader implications: Ivanti Connect Secure has now had critical zero-day vulnerabilities exploited in mass attacks for three consecutive years (2023, 2024, 2025), establishing a pattern that raises fundamental questions about the product's security architecture. CISA's willingness to issue emergency directives requiring disconnection signals both the severity of the threat and a loss of confidence in the product's ability to be secured through patching alone. Many organizations are evaluating migration to alternative remote access solutions, including ZTNA (Zero Trust Network Access) platforms that eliminate the need for traditional VPN appliances.