
1000+ Unique IPs Attacking Ivanti Connect Secure Systems to Exploit Vulnerabilities

A significant increase in suspicious scanning activity targeting Ivanti Connect Secure (ICS) and Ivanti Pulse Secure (IPS) VPN systems has been observed, signaling a potential coordinated reconnaissance effort by threat actors.

The spike, registering more than 230 unique IP addresses probing ICS/IPS endpoints in a single day, represents a ninefold increase over the typical daily baseline of fewer than 30 unique IPs.

Scanning Activity and Infrastructure

GreyNoise’s monitoring systems flagged this anomaly with their dedicated ICS scanner tag, which tracks IPs attempting to identify internet-accessible ICS/IPS systems.

Over the past 90 days, a total of 1,004 unique IPs have been observed conducting similar scans, with classifications as follows:

  • 634 Suspicious
  • 244 Malicious
  • 126 Benign

Importantly, none of these IPs were spoofable, indicating attackers leveraged actual, traceable infrastructure.

The top three source countries for scanning activity are the United States, Germany, and the Netherlands, while the primary targets are organizations in these countries. 

Malicious IPs previously observed in other nefarious activities primarily originate from Tor exit nodes and well-known cloud or VPS providers. 

In contrast, suspicious IPs are often linked to lesser-known hosting services and niche cloud infrastructure, suggesting a blend of sophisticated and opportunistic actors.

Vulnerability Landscape: CVE-2025-22457

This surge in scanning coincides with increased attention to CVE-2025-22457, a critical stack-based buffer overflow vulnerability in Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure 9.x (now end-of-support), Ivanti Policy Secure, and Neurons for ZTA gateways. 

Initially underestimated, this flaw was later found to enable unauthenticated remote code execution (RCE), allowing attackers to run arbitrary code on vulnerable appliances.

A patch for CVE-2025-22457 was released on February 11, 2025 (ICS version 22.7R2.6), but many legacy devices remain unpatched and exposed. 

Exploitation in the wild has already been confirmed, with advanced persistent threat (APT) groups such as UNC5221 reverse-engineering the patch to develop working exploits.

Ivanti Connect Secure VPNs are widely deployed for enterprise remote access, making them high-value targets for cybercriminals and nation-state actors.

Historical patterns show that spikes in scanning activity often precede the public disclosure or mass exploitation of new vulnerabilities. 

The current wave of reconnaissance may indicate that attackers are mapping vulnerable systems in preparation for large-scale attacks, ransomware campaigns, or data breaches.

Defensive Recommendations

To mitigate risk, organizations should:

  • Immediately patch all ICS/IPS systems to the latest versions (ICS 22.7R2.6 or later).
  • Review logs for suspicious probes and login attempts from new or untrusted IPs.
  • Block known malicious or suspicious IPs identified by GreyNoise and other threat intelligence feeds.
  • Monitor for unusual authentication activity, especially from Tor or cloud-hosted IPs.
  • Use Ivanti’s Integrity Checker Tool (ICT) to identify signs of compromise.
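For the log-review recommendation, the following added example (not from GreyNoise or Ivanti) applies the same measure the report uses, unique source IPs per day against a baseline, and also lists first-seen untrusted sources. The `<ISO timestamp> <source IP>` line format, the sample data, the median baseline and the 3x threshold are all assumptions; adapt the parser to the log format your gateway or upstream proxy exports.

```python
import ipaddress
from collections import defaultdict
from datetime import date
from statistics import median

def sample_log():
    """Constructed sample lines in an assumed '<ISO timestamp> <source IP>' format."""
    lines = []
    for day in ("2025-01-06", "2025-01-07", "2025-01-08"):   # quiet baseline days
        lines += [f"{day}T08:00:00Z 192.0.2.10",
                  f"{day}T09:30:00Z 198.51.100.7",
                  f"{day}T09:31:00Z 198.51.100.7"]
    lines += [f"2025-01-09T02:00:0{i}Z 203.0.113.{i}" for i in range(1, 10)]  # burst
    lines += ["truncated line", "2025-01-09T03:00:00Z not-an-ip"]            # malformed
    return lines

def daily_unique_sources(lines):
    """Map each day to the set of distinct, syntactically valid source IPs."""
    days = defaultdict(set)
    for line in lines:
        parts = line.split()
        try:
            day = date.fromisoformat(parts[0][:10])
            ip = str(ipaddress.ip_address(parts[1]))
        except (IndexError, ValueError):
            continue  # skip lines that do not parse instead of aborting the review
        days[day].add(ip)
    return dict(sorted(days.items()))

def review(lines, trusted=frozenset(), factor=3.0, min_history=3):
    """Per day: unique-source count, median baseline, spike flag, first-seen untrusted IPs."""
    seen, history, findings = set(trusted), [], []
    for day, ips in daily_unique_sources(lines).items():
        baseline = median(history) if len(history) >= min_history else None
        spike = baseline is not None and len(ips) > factor * max(baseline, 1)
        findings.append({"day": day.isoformat(), "unique": len(ips),
                         "baseline": baseline, "spike": spike,
                         "new_sources": sorted(ips - seen)})
        seen |= ips
        if not spike:
            history.append(len(ips))  # keep spike days out of the baseline
    return findings

if __name__ == "__main__":
    for finding in review(sample_log(), trusted={"192.0.2.10"}):
        print(finding)
```

Spike days are excluded from the baseline so a sustained scanning wave does not normalise itself; the `new_sources` list is the set to check against threat intelligence feeds before blocking.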

GreyNoise continues to track this evolving threat and advises that security teams remain vigilant. 

The observed spike in scanning is a clear warning: attackers actively seek to exploit unpatched Ivanti Connect Secure systems. Proactive defense and rapid patching are essential to prevent compromise.


The post 1000+ Unique IPs Attacking Ivanti Connect Secure Systems to Exploit Vulnerabilities appeared first on Cyber Security News.
