Security News > 2024 > January > Number of orgs compromised via Ivanti VPN zero-days grows as Mandiant weighs in
Two zero-day bugs in Ivanti products were likely under attack by cyberspies as early as December, according to Mandiant's threat intel team.
The software biz disclosed the vulnerabilities in Ivanti Connect Secure - the VPN server appliance previously known as Pulse Connect Secure - and its Policy Secure gateways on Wednesday.
A spokesperson for Ivanti told The Register the victim count was "Less than 10." It has since increased.
Mandiant is working with Ivanti to help clean up the mess, and on Friday weighed in with its own initial analysis, promising to add more details as its investigation into the matter continues.
In looking into the attacks, Mandiant saw that UNC5221 primarily used hijacked end-of-life Cyberoam VPN appliances as command-and-control servers in its attacks on Ivanti customers.
The threat hunters have identified five custom malware families used by UNC5221 after it infiltrates a target via the Ivanti flaws.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/01/13/ivanti_zeroday_mandiant_analysis/
Related news
- Zero-Day Vulnerability in Ivanti VPN (source)
- Ivanti Connect Secure zero-day exploited by attackers (CVE-2025-0282) (source)
- Ivanti warns of new Connect Secure flaw used in zero-day attacks (source)
- Ivanti Connect Secure zero-day exploited since mid-December (CVE-2025-0282) (source)
- Zero-day exploits plague Ivanti Connect Secure appliances for second year running (source)
- Ivanti zero-day attacks infected devices with custom malware (source)
- Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast (source)
- Nominet probes network intrusion linked to Ivanti zero-day exploit (source)
- UK domain registry Nominet confirms breach via Ivanti zero-day (source)
- UK domain registry Nominet breached via Ivanti zero-day (source)