Ivanti's Infinite Loop: When Your VPN Becomes an Open Door
Back to Blog
Incident Analysis
Apr 13, 20265 min read

Ivanti's Infinite Loop: When Your VPN Becomes an Open Door

S
Shubham Singla

If you’re running Ivanti Connect Secure or Policy Secure VPNs, you’ve probably spent the last few weeks in a cold sweat. What started as a couple of nasty zero-days escalated into a full-blown crisis, with attackers practically waltzing into corporate networks. It’s a masterclass in how *not* to secure your network edge, and frankly, it’s infuriating.

Ivanti Connect Secure Exploitation

The Initial Gut Punch: Auth Bypass and RCE

Remember January? Simpler times, right? Then Ivanti dropped a bombshell: CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection. Chained together, these were a golden ticket. An unauthenticated attacker could execute arbitrary commands on the appliance. Think about that for a second. Your VPN, the digital bouncer guarding your corporate party, suddenly had a side door that anyone could open and then, once inside, command the DJ to play whatever terrible music they wanted.

This wasn't just theoretical. APT groups, notably the China-linked UNC5221 (aka Volt Typhoon), were already having a field day. They didn't wait for patches. They were probably debugging the exploits while Ivanti was still writing the advisories. It's like releasing a patch for a critical bug only to find out the bad guys already built a whole CI/CD pipeline around exploiting it.

GET /api/v1/auth/authenticate?admin_user=foo%26command_injection_payload HTTP/1.1 Host: your-ivanti-vpn.com

That's a simplified view, of course, but it illustrates the core issue: the web component had insufficient input validation and an exposed API endpoint. The authentication bypass (CVE-2023-46805) allowed access to restricted resources, which then exposed the command injection (CVE-2024-21887) in a different component. Game over, man. Game over.

The Whack-A-Mole Continues: More Patches, More Problems

You'd think after the initial wave, things would calm down. Nope. Ivanti released patches. And then, surprise, more vulnerabilities surfaced. We saw CVE-2024-21888 (privilege escalation) and CVE-2024-21893 (server-side request forgery). The SSRF, in particular, was spicy, allowing attackers to access internal network resources. Basically, once you're on the appliance, you can start poking around at other internal systems the VPN has access to. It’s like breaking into a house and finding a map of all the neighbors' houses, complete with spare key locations.

Then came the mid-February update with CVE-2024-22024 (an XML external entity — XXE — vulnerability), and two more RCEs, CVE-2024-21894 and CVE-2024-22052, which could again be exploited by unauthenticated users. This wasn't just a misstep; it was a systemic failure. Each patch seemed to reveal another gaping hole, making administrators question if they were patching vulnerabilities or just applying security theater.

Attack pipeline for Ivanti vulnerabilities

The pattern here is critical: a security device, designed to be the bastion of your network, became a series of stepping stones for attackers. The sheer number and severity of these vulnerabilities highlight a deeper problem with the development and security testing lifecycle of such critical appliances.

“A security device, designed to be the bastion of your network, became a series of stepping stones for attackers.”

The APT Playbook: What Attackers Did Next

Once inside, threat actors didn't just sit there admiring their work. UNC5221 and others swiftly moved to establish persistence and exfiltrate data. Their methods include:

  • Webshells: Dropping custom webshells (like 'GLASSTOKEN' and 'LIGHTWIRE') for remote access (MITRE ATT&CK T1505.003 - Server Software Component: Web Shell).
  • Backdoors: Deploying sophisticated custom backdoors, often disguised as legitimate services or binaries.
  • Credential Dumping: Extracting credentials from the compromised appliance itself or leveraging its access to other internal systems (MITRE ATT&CK T1003.003 - OS Credential Dumping: SAM file).
  • Lateral Movement: Using the VPN appliance as a pivot point to move deeper into the network.
  • Defense Evasion: Modifying firewall rules or disabling security features (MITRE ATT&CK T1562.001 - Impair Defenses: Disable or Modify System Firewall).

They weren't just looking for quick wins; they were setting up long-term residency. This isn't a smash-and-grab; it's digital squatting, complete with re-routing your mail and changing the locks.

Beyond Ivanti: Lessons for Everyone

This saga isn't just about one vendor. It's a stark reminder that:

  1. Your Edge is Critical: VPNs, firewalls, and other perimeter devices are high-value targets. They need extreme scrutiny. Treat them like the crown jewels, because attackers certainly do.
  2. Trust, But Verify (and Then Verify Again): Don't blindly trust security vendors. Implement robust threat hunting and monitoring around these devices. Assume breach.
  3. Segmentation is Salvation: If your VPN is compromised, how much can an attacker see? Good network segmentation limits lateral movement. Your flat network is an attacker's playground.
  4. Out-of-Band Management: For critical devices, separate management networks are non-negotiable. Don't manage your firewall *through* the firewall it's supposed to protect.
  5. Rapid Patching isn't Enough: You need a robust incident response plan for when (not if) a critical device gets popped, even *after* patching.

Actionable Takeaways: What You Need To Do NOW

Enough lamenting. Here's what you should be doing if you haven't already:

  • Patch Immediately (and Verify): Ensure all Ivanti Connect Secure/Policy Secure appliances are running the absolute latest security updates. Then verify with Ivanti's Integrity Checker Tool. Don't just `apt update` and call it a day; check the logs.
  • Hunt for Compromise: Even if you patched quickly, assume compromise. Look for webshells, unusual processes, new user accounts, and suspicious outbound connections. Search for indicators of compromise (IOCs) provided by Ivanti and CISA.
  • Strengthen Authentication: Enforce strong multi-factor authentication (MFA) everywhere possible, especially for VPN access and administrative interfaces.
  • Segment Your Network: Review your network architecture. Can an attacker on a compromised VPN appliance reach your critical internal resources directly? Implement micro-segmentation.
  • Monitor Out-of-Band: Ensure you have separate, secured monitoring for your VPN appliances. Log everything, send it to a SIEM, and actually *look* at it. Pay attention to authentication logs, process creation, and network connections from the appliance itself.
  • Have a Plan B: What happens if your primary VPN solution goes down or is compromised again? Have an alternative ready, or at least a clear process for cutting off access without crippling your business.

The Ivanti saga is a harsh lesson in relying on a single point of failure. Don't let your organization be the next case study.