A sweeping cyberespionage campaign linked to Chinese state-sponsored hackers has compromised dozens of organizations worldwide by exploiting critical vulnerabilities in Ivanti VPN appliances, according to a detailed report that underscores the persistent threat posed by flaws in enterprise network gateway devices. The findings reveal a sophisticated operation that leveraged known and zero-day vulnerabilities in Ivanti Connect Secure, the widely deployed remote-access VPN product used by thousands of corporations and government agencies globally.
The report, first covered by TechCrunch, details how threat actors affiliated with China’s intelligence apparatus methodically targeted Ivanti’s VPN infrastructure to gain initial access to victim networks, then moved laterally to steal sensitive data and maintain long-term persistence. The campaign represents one of the most significant exploitation efforts against a single enterprise VPN vendor in recent memory, and it raises urgent questions about the security of the network perimeter devices that organizations depend on to protect remote access.
Ivanti has been at the center of a recurring cycle of vulnerability disclosures and active exploitation that stretches back several years. In January 2024, the company disclosed two zero-day vulnerabilities — CVE-2023-46805 and CVE-2024-21887 — in its Connect Secure and Policy Secure gateways that were already being exploited in the wild. Those flaws allowed attackers to bypass authentication and inject arbitrary commands, giving them full control over compromised appliances. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal agencies to disconnect affected Ivanti products, a rare and dramatic step that signaled the severity of the threat.
Since then, additional vulnerabilities have continued to surface. In early 2025, Ivanti disclosed CVE-2025-0282, another critical flaw in Connect Secure that was being actively exploited before a patch was available. According to researchers, Chinese-linked groups were among the first to weaponize these vulnerabilities, often deploying custom malware families designed specifically for Ivanti appliances. The latest findings suggest that the cumulative impact of these serial vulnerabilities has been far greater than previously understood, with dozens of confirmed victim organizations spanning government, defense, telecommunications, and technology sectors.
Security researchers have attributed the exploitation campaign to threat groups tracked under various names by different cybersecurity firms, but broadly associated with China’s Ministry of State Security (MSS) and related entities. One group frequently cited in connection with Ivanti exploitation is UNC5221, a designation used by Mandiant, the Google-owned threat intelligence firm. UNC5221 has been observed deploying a range of custom tools on compromised Ivanti appliances, including web shells, tunneling utilities, and credential harvesters designed to survive device reboots and even factory resets.
The sophistication of the post-exploitation tradecraft is notable. According to the research, the attackers deployed malware that could intercept and decrypt VPN traffic in real time, effectively turning the security appliance itself into a surveillance tool. They also manipulated the appliance’s built-in integrity checking mechanisms to hide their presence, making it extraordinarily difficult for defenders to detect the compromise using standard tools. This level of operational sophistication is consistent with state-sponsored actors who have significant resources and deep familiarity with the target technology.
The scale of the breach is significant. The report indicates that dozens of Ivanti customers were confirmed compromised, though researchers believe the actual number could be substantially higher given the difficulty of detecting the intrusions. Victims reportedly include government agencies in multiple countries, defense contractors, academic institutions, and major technology companies. The geographic spread of targets is global, with confirmed victims in North America, Europe, and the Asia-Pacific region.
What makes the Ivanti campaign particularly damaging is the nature of the compromised devices. VPN gateways sit at the boundary between an organization’s internal network and the public internet. Compromising such a device gives an attacker a privileged vantage point from which to intercept credentials, monitor traffic, and pivot deeper into the network. Unlike compromising a single workstation or server, owning a VPN appliance can provide access to an organization’s entire internal infrastructure, making it an extraordinarily high-value target for espionage operations.
Ivanti has issued patches for the disclosed vulnerabilities and has worked with CISA and other government agencies to provide mitigation guidance. The company has also released an enhanced integrity checking tool designed to detect signs of compromise on its appliances. However, security researchers have expressed concern that some of the attacker’s persistence mechanisms may survive even full factory resets, meaning that simply patching and rebooting affected devices may not be sufficient to ensure they are clean.
The company has faced growing criticism from the cybersecurity community over what some researchers describe as a pattern of delayed disclosure and insufficient transparency. Ivanti’s products are deployed across thousands of organizations worldwide, including numerous U.S. federal agencies, making the security of its appliances a matter of national security. The repeated exploitation of Ivanti devices has prompted some organizations to evaluate alternative VPN solutions, though migrating away from an entrenched network infrastructure product is a complex and costly undertaking.
The Ivanti saga is part of a broader pattern that has alarmed cybersecurity professionals and policymakers alike. Over the past several years, vulnerabilities in network edge devices — VPN appliances, firewalls, load balancers, and email gateways — have become a primary vector for state-sponsored intrusions. Products from Fortinet, Palo Alto Networks, Citrix, Barracuda, and SonicWall have all been targeted in similar campaigns. These devices are attractive targets because they are internet-facing by design, they often run proprietary or stripped-down operating systems that lack modern endpoint detection capabilities, and they process sensitive authentication credentials.
CISA and the National Security Agency (NSA) have repeatedly warned about the risks posed by these devices. In 2024, CISA Director Jen Easterly called on technology manufacturers to take greater responsibility for the security of their products, arguing that the burden of defense should not fall solely on customers. The agency has promoted its “Secure by Design” initiative, which encourages vendors to build security into products from the ground up rather than relying on post-deployment patches. The Ivanti breaches have become a case study in why that approach is needed.
For Chinese intelligence services, the exploitation of enterprise VPN infrastructure aligns with a well-documented strategic priority: the large-scale collection of sensitive government and corporate data from foreign targets. The compromise of VPN appliances provides access not just to stored data but to real-time communications and authentication credentials, enabling follow-on operations that can persist long after the initial vulnerability is patched.
Former U.S. intelligence officials have noted that China’s cyber operations have grown increasingly aggressive and technically proficient over the past decade. The Ivanti campaign fits within a broader pattern that includes the exploitation of Microsoft Exchange servers by the Hafnium group in 2021, the compromise of Barracuda email security appliances in 2023, and ongoing operations targeting telecommunications infrastructure that were disclosed in late 2024. Each of these campaigns targeted widely deployed enterprise infrastructure to achieve broad access at scale.
Security experts recommend that organizations running Ivanti Connect Secure appliances take several immediate steps. First, they should apply all available patches and run the latest version of Ivanti’s integrity checking tool. Second, they should conduct thorough forensic analysis of their appliances and surrounding network infrastructure to look for indicators of compromise. Third, organizations should consider performing a full factory reset and rebuilding their appliances from known-clean images, rather than simply applying patches to potentially compromised devices.
Beyond immediate remediation, the Ivanti breaches highlight the need for organizations to rethink their approach to network perimeter security. Security professionals increasingly advocate for zero-trust architectures that do not rely on a single VPN appliance as the gateway to the entire corporate network. Network segmentation, continuous authentication, and enhanced monitoring of edge devices are all measures that can reduce the blast radius of a compromised gateway. The lesson from the Ivanti campaign is clear: the devices that organizations trust most to protect their networks can become their greatest liability when those devices themselves are compromised.
As the investigation continues and more victim organizations are identified, the full scope of the Chinese hacking campaign against Ivanti customers may take months or even years to fully assess. What is already apparent, however, is that the exploitation of enterprise VPN infrastructure has become one of the most consequential cybersecurity challenges facing governments and corporations worldwide.
Inside the Ivanti VPN Breach: How Chinese Hackers Exploited Enterprise Gateway Flaws to Compromise Dozens of Organizations first appeared on Web and IT News.