Last updated: April 26, 2026
Ivanti Connect Secure (formerly Pulse Secure VPN) had a sequence of critical CVEs starting January 2024 — CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) — chainable for unauthenticated remote code execution. Mass-exploited within hours of disclosure, with nation-state and ransomware actors competing for foothold. This article covers the vulnerability chain, the IoCs, and the broader pattern of edge-VPN exploitation in 2024-2026.
The vulnerability chain
Two CVEs combined for pre-auth RCE:
- CVE-2023-46805 — authentication bypass in the web component, allowing access to authenticated-only endpoints without credentials
- CVE-2024-21887 — command injection in an authenticated endpoint
Combined: unauth → command injection → root shell on the VPN appliance.
Why VPN concentrators are the prize
VPN appliances live at the perimeter and have:
- Network access to internal corporate ranges
- Knowledge of authenticated user identities
- Often domain-joined identities themselves with AD privileges
- Customer / partner credential cache from VPN sessions
Compromise = pivot directly into corporate network plus credential harvest. The attacker doesn’t need to phish anyone.
The mass-exploitation timeline
- Day 0 (10 January 2024): Ivanti published advisory + workaround (no patch yet). Exploitation already in progress.
- Day 0-3: Volexity, Mandiant, others publish IoCs and threat-actor analysis. Mass scanning by attackers.
- Day 5: Mandiant publishes evidence of UNC5221 (China-aligned) using the chain since December 2023.
- Day 10: Patches released by Ivanti.
- Day 14-30: Cl0p, ALPHV, and other ransomware operations rolling exploitation against unpatched instances.
- Day 30+: Long tail of unpatched, including some with webshells and persistence already established.
By the time many organisations applied workarounds, they were already compromised. Patching alone wasn’t enough — IoC hunting and rebuild was the actual remediation.
IoCs and detection
- Webshells in
/data/runtime/cockpit— file types including .cgi and obfuscated Perl scripts - HTTP requests to
/api/v1/totp/user-backup-codewith manipulated path traversal - Outbound DNS or HTTPS to known C2 domains
- Anomalous internal-network scanning originating from VPN concentrator IP
- VPN session logs with unusual user agents or impossible-travel patterns
Ivanti published an Integrity Checker Tool (ICT) that scanned for known compromise indicators. Early versions had false negatives; later versions improved. Defender’s job was to run the ICT, IoC-hunt, and assume breach if any indicator matched.
Mitigation steps (lessons-learned playbook)
- Apply Ivanti workarounds immediately upon advisory.
- Run ICT and document findings.
- If any IoC matched, treat as breach — disconnect appliance, rebuild from scratch, rotate all credentials in scope.
- Apply patches once available.
- Force VPN re-authentication for all users; rotate any cached secrets.
- Hunt internal network for post-exploit activity.
- Notify regulators per CERT-In / RBI / DPDP timelines.
The 2026 perspective on edge-VPN
- Cisco Anyconnect, Fortinet FortiGate, F5 BIG-IP, Citrix NetScaler, Palo Alto GlobalProtect, Ivanti Connect Secure — every major brand has produced critical CVEs in the last 24 months
- The pattern is structural: edge devices have high privilege, internet exposure, and slower-than-necessary patching
- The strategic shift: ZTNA replacing legacy VPN. Cloudflare Access, Zscaler ZPA, Tailscale, AWS Verified Access — these reduce the per-device attack surface
Compliance angle
- RBI Cyber Framework — edge device patching SLA explicit
- CERT-In April 2022 — VPN attacks reportable within 6 hours
- SEBI CSCRF — Q-RE / MII edge-device hygiene expected
The takeaway
Ivanti’s 2024 chain was not the last edge-VPN compromise; it was an entry in a continuing series. If you operate edge VPN, your defensive posture must assume zero-day-equivalent threats every quarter. ZTNA migration removes the bug class for new deployments. For existing VPN, 7-day patch SLA, IoC hunting playbook, and rebuild-on-suspicion are the operational discipline.
Get a VAPT scoping call
Senior practitioner-led VAPT — not a checklist run by juniors. CVSS-scored findings, free retest, attestation letter. India's SMBs and SaaS teams.