A significant increase in suspicious scanning activity targeting Ivanti Connect Secure (ICS) and Ivanti Pulse Secure (IPS) VPN systems, signaling a potential coordinated reconnaissance effort by threat actors.\u00a0<\/p>\n
The spike, registering more than 230 unique IP addresses probing ICS\/IPS endpoints in a single day, represents a ninefold increase over the typical daily baseline of fewer than 30 unique IPs.<\/p>\n
Scanning Activity and Infrastructure<\/strong><\/h2>\nGreyNoise\u2019s monitoring systems flagged<\/a> this anomaly with their dedicated ICS scanner tag, which tracks IPs attempting to identify internet-accessible ICS\/IPS systems<\/a>.\u00a0<\/p>\nOver the past 90 days, a total of 1,004 unique IPs have been observed conducting similar scans, with classifications as follows:<\/p>\n
\n- 634 Suspicious<\/li>\n
- 244 Malicious<\/li>\n
- 126 Benign<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXc8yfT2K9G9t-mb0rJWbnAZ3KDphfQgtdjbqRJZVqJbu5A6G4BKPSkDyf0j0WXUAaM1PU2G9YkwighP-pjGR4kpHE7zEQ_172DFmjT8EWWKcMa8bGkhchdV3tMlg1k59lu_wGBgDg?key=0f1WU4p-KEJg6DBwUQmgnT4N\")
<\/figure>\nImportantly, none of these IPs were spoofable, indicating attackers leveraged actual, traceable infrastructure.<\/p>\n
The top three source countries for scanning activity are the United States, Germany, and the Netherlands, while the primary targets are organizations in these countries.\u00a0<\/p>\n
Malicious IPs previously observed in other nefarious activities primarily originate from Tor exit nodes and well-known cloud or VPS providers.\u00a0<\/p>\n
In contrast, suspicious IPs are often linked to lesser-known hosting services and niche cloud infrastructure, suggesting a blend of sophisticated and opportunistic actors.<\/p>\n
Vulnerability Landscape: CVE-2025-22457<\/strong><\/h2>\nThis surge in scanning coincides with increased attention to CVE-2025-22457<\/a>, a critical stack-based buffer overflow vulnerability in Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure 9.x (now end-of-support), Ivanti Policy Secure, and Neurons for ZTA gateways.\u00a0<\/p>\nInitially underestimated, this flaw was later found to enable unauthenticated remote code execution (RCE), allowing attackers to run arbitrary code on vulnerable appliances.<\/p>\n
A patch for CVE-2025-22457 was released on February 11, 2025 (ICS version 22.7R2.6), but many legacy devices remain unpatched and exposed.\u00a0<\/p>\n
Exploitation in the wild has already been confirmed, with advanced persistent threat (APT) groups such as UNC5221<\/a> reverse-engineering the patch to develop working exploits.<\/p>\nIvanti Connect Secure VPNs are widely deployed for enterprise remote access, making them high-value targets for cybercriminals and nation-state actors.<\/p>\n
Historical patterns show that spikes in scanning activity often precede the public disclosure or mass exploitation of new vulnerabilities.\u00a0<\/p>\n
The current wave of reconnaissance may indicate that attackers are mapping vulnerable systems in preparation for large-scale attacks<\/a>, ransomware campaigns, or data breaches.<\/p>\nDefensive Recommendations<\/strong><\/h2>\nTo mitigate risk, organizations should:<\/p>\n
\n- Immediately patch all ICS\/IPS systems to the latest versions (ICS 22.7R2.6 or later).<\/li>\n
- Review logs for suspicious probes and login attempts from new or untrusted IPs.<\/li>\n
- Block known malicious or suspicious IPs identified by GreyNoise and other threat intelligence feeds.<\/li>\n
- Monitor for unusual authentication activity, especially from Tor or cloud-hosted IPs.<\/li>\n
- Use Ivanti\u2019s Integrity Checker Tool (ICT) to identify signs of compromise.<\/li>\n<\/ul>\n
GreyNoise continues to track this evolving threat and advises that security teams remain vigilant.\u00a0<\/p>\n
The observed spike in scanning is a clear warning: attackers actively seek to exploit unpatched Ivanti Connect Secure systems. Proactive defense and rapid patching are essential to prevent compromise.<\/p>\n
Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!->\u00a0Get Your Free Copy<\/a><\/code><\/strong><\/p>\nThe post 1000+ Unique IPs Attacking Ivanti Connect Secure Systems to Exploit Vulnerabilities<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
Over the past 90 days, a total of 1,004 unique IPs have been observed conducting similar scans, with classifications as follows:<\/p>\n
- \n
- 634 Suspicious<\/li>\n
- 244 Malicious<\/li>\n
- 126 Benign<\/li>\n<\/ul>\n
Importantly, none of these IPs were spoofable, indicating attackers leveraged actual, traceable infrastructure.<\/p>\n
The top three source countries for scanning activity are the United States, Germany, and the Netherlands, while the primary targets are organizations in these countries.\u00a0<\/p>\n
Malicious IPs previously observed in other nefarious activities primarily originate from Tor exit nodes and well-known cloud or VPS providers.\u00a0<\/p>\n
In contrast, suspicious IPs are often linked to lesser-known hosting services and niche cloud infrastructure, suggesting a blend of sophisticated and opportunistic actors.<\/p>\n
Vulnerability Landscape: CVE-2025-22457<\/strong><\/h2>\n
This surge in scanning coincides with increased attention to CVE-2025-22457<\/a>, a critical stack-based buffer overflow vulnerability in Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure 9.x (now end-of-support), Ivanti Policy Secure, and Neurons for ZTA gateways.\u00a0<\/p>\n
Initially underestimated, this flaw was later found to enable unauthenticated remote code execution (RCE), allowing attackers to run arbitrary code on vulnerable appliances.<\/p>\n
A patch for CVE-2025-22457 was released on February 11, 2025 (ICS version 22.7R2.6), but many legacy devices remain unpatched and exposed.\u00a0<\/p>\n
Exploitation in the wild has already been confirmed, with advanced persistent threat (APT) groups such as UNC5221<\/a> reverse-engineering the patch to develop working exploits.<\/p>\n
Ivanti Connect Secure VPNs are widely deployed for enterprise remote access, making them high-value targets for cybercriminals and nation-state actors.<\/p>\n
Historical patterns show that spikes in scanning activity often precede the public disclosure or mass exploitation of new vulnerabilities.\u00a0<\/p>\n
The current wave of reconnaissance may indicate that attackers are mapping vulnerable systems in preparation for large-scale attacks<\/a>, ransomware campaigns, or data breaches.<\/p>\n
Defensive Recommendations<\/strong><\/h2>\n
To mitigate risk, organizations should:<\/p>\n
- \n
- Immediately patch all ICS\/IPS systems to the latest versions (ICS 22.7R2.6 or later).<\/li>\n
- Review logs for suspicious probes and login attempts from new or untrusted IPs.<\/li>\n
- Block known malicious or suspicious IPs identified by GreyNoise and other threat intelligence feeds.<\/li>\n
- Monitor for unusual authentication activity, especially from Tor or cloud-hosted IPs.<\/li>\n
- Use Ivanti\u2019s Integrity Checker Tool (ICT) to identify signs of compromise.<\/li>\n<\/ul>\n
GreyNoise continues to track this evolving threat and advises that security teams remain vigilant.\u00a0<\/p>\n
The observed spike in scanning is a clear warning: attackers actively seek to exploit unpatched Ivanti Connect Secure systems. Proactive defense and rapid patching are essential to prevent compromise.<\/p>\n
Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!->\u00a0Get Your Free Copy<\/a><\/code><\/strong><\/p>\nThe post 1000+ Unique IPs Attacking Ivanti Connect Secure Systems to Exploit Vulnerabilities<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n