Connect with us

Hi, what are you looking for?


Malware & Threats

Government, Military Targeted as Widespread Exploitation of Ivanti Zero-Days Begins

The recently disclosed Ivanti VPN zero-days have been exploited to hack at least 1,700 devices, including government, telecoms, defense, and tech.

Ivanti zero-day

Threat intelligence and incident response firm Volexity has started seeing widespread exploitation of the recently disclosed Ivanti Connect Secure VPN appliance vulnerabilities.

Volexity warned on January 10 that it had seen threat actors — a group tracked as UTA0178 and likely linked to China — exploiting two Ivanti VPN zero-day vulnerabilities in an attempt to gain access to internal networks and steal information.

The vulnerabilities are an authentication bypass flaw tracked as CVE-2023-46805 and a command injection issue tracked as CVE-2024-21887. Chaining the two enables a remote, unauthenticated attacker to execute arbitrary commands on the targeted appliance. 

While initially the attacks were highly targeted, widespread exploitation appears to have now begun. Volexity scanned roughly 50,000 IPs associated with Ivanti VPN appliances and found that more than 1,700 were compromised.

The hacked devices belong to organizations in the government, military, telecoms, defense, tech, banking, finance, accounting, consulting, aerospace, aviation and engineering sectors. They include small businesses and Fortune 500 companies. 

Victims were seen all around the world, but the highest percentage appears to be in the United States, followed by Europe. 

Volexity noted that the actual number of compromised systems is likely higher than what its scans discovered. 

“Volexity assesses with medium confidence that this widespread exploitation was undertaken by UTA0178. This assessment is based on the use of an identical webshell to that used in the previous exploitation, and the speed at which it was undertaken following publication of details relating to the exploit,” the cybersecurity firm said.

While UTA0178 seems to be behind many attacks, other threat actors are also trying to exploit the Ivanti product vulnerabilities, including one tracked by Volexity as UTA0188. 

Advertisement. Scroll to continue reading.

Some exploitation attempts are likely the work of the cybersecurity community. Researcher Kevin Beaumont, who has dubbed the Ivanti vulnerabilities ConnectAround, has also been conducting scans

Ivanti made available mitigations on January 10, but patches are only expected to become available starting the week of January 22. 

Mandiant has also analyzed the attacks involving exploitation of CVE-2023-46805 and CVE-2024-21887, linking them to a cyberspy group it tracks as UNC5221.

The company has identified five malware families deployed by the hackers, including webshells, droppers, backdoors and information stealers named ThinSpool, LightWire, WireFire, WarpWire and ZipLine. Mandiant saw indications that the hackers had taken steps to maintain access to high-value systems even after the release of patches by Ivanti. 

Related: Second Ivanti EPMM Zero-Day Vulnerability Exploited in Targeted Attacks

Related: Exploitation of Ivanti Sentry Zero-Day Confirmed

Related: Ivanti Ships Urgent Patch for API Authentication Bypass Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.