Is Ivanti the problem or a symptom of a systemic issue with network devices? – CyberScoop

Network edge devices — hardware that powers firewalls, VPNs and network routers — have quickly moved up the list of attackers’ preferred intrusion points into enterprise networks. While dozens of companies make and sell these devices, customers of one company in particular — Ivanti — have confronted exploited vulnerabilities in their products more than any other vendor in this space since the start of last year.
Ivanti appears in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog more than any other firewall, VPN or router vendor over the past 16 months. Cyber authorities confirm that attackers exploited five vulnerabilities in Ivanti products so far this year, and 16 total since the beginning of 2024.
Ivanti is far from the only network device vendor targeted by cybercriminals. Competitors with much larger market shares have also seen their customers put at risk through exploited vulnerabilities in their products, but not as consistently as Ivanti. Palo Alto Networks has 10 vulnerabilities on CISA’s catalog of software defects exploited in the wild since 2024. Cisco has eight vulnerabilities listed during that period, and Fortinet has six.
CyberScoop recently spoke with experts to determine whether Ivanti’s problem is specific to the company itself, or a microcosm of a technology that is inherently a rich target for adversaries, no matter the brand.
Many industry analysts, incident response specialists and vulnerability researchers declined to criticize Ivanti for the number of vulnerabilities attackers have exploited in the vendor’s products. Yet, data show that Ivanti is a repeat offender in shipping products with a high number of vulnerabilities, with other experts ranking the vendor among the most problematic and risky for customers.
Ivanti told CyberScoop that it emphasizes releasing as much information as possible as vulnerabilities are discovered, and it is committed to secure-by-design principles. It also pointed out that many attacks targeting its products are conducted after a flaw has been disclosed and patches have been issued.
“Ivanti views transparency and proactive vulnerability management as fundamental to trust and security. CISA has clearly indicated that the expectation for companies such as Ivanti that have applied secure-by-design principles is that the number of CVEs will logically increase,” a spokesperson for Ivanti said in a statement.
“It is also important to acknowledge that many CVEs included in the KEV, including the majority of those attributed to Ivanti, are not zero-day vulnerabilities, but rather n-days that were disclosed and patched prior to exploitation,” the spokesperson continued. “They were added to the KEV only after threat actors reverse-engineered the patch to target customers who had not yet applied the patch or were using end-of-life systems.”
Excess vulnerabilities engender criticism
CISA’s KEV list isn’t the only indication that Ivanti has vulnerability issues. Recent comprehensive industry analyses have positioned Ivanti among the most vulnerable technology vendors in the marketplace, which raises significant concerns for any organization relying on its products.
Cybersecurity insurance firm Coalition recently evaluated more than 7,000 technology vendors of all types and weighted their exploitability and risk by cross-referencing all vulnerabilities in the National Institute of Standards and Technology’s National Vulnerability Database against every vendor in NIST’s Common Platform Enumeration dictionary.
“In our research, we found 201 vulnerabilities within Ivanti’s products, leading our team to list them as No. 10 on our Risky Tech Ranking list,” said Tiago Henriques, chief underwriting officer at Coalition. “This makes them one of the most vulnerable vendors when weighted by their exploitability.”
Coalition assigned risk scores to vendors by weighting each vulnerability in their products or services based on the probability of exploitation. Vendors with more products typically received a higher risk score. Tech giants Microsoft, Google and Apple are at the top of Coalition’s list of the riskiest tech vendors.
“With Ivanti recently landing in the top 10 of our Risky Tech Ranking, we are soundly raising the alarm,” Henriques said. “We strongly encourage companies to review our ranking as they make decisions about the technology they adopt and — if they are a current user of any of these technologies — ensure they have stringent patching processes in place.”
Ivanti disputes the methodology and conclusions drawn from Coalition’s report. “This list punishes vendors for being transparent, and that is bad for the industry,” a spokesperson for Ivanti said. “The call to action for the industry should be more transparency, not less.”
VulnCheck, a threat intelligence firm that maintains a known exploited vulnerabilities catalog much larger than CISA’s, determined Ivanti had the third-highest number of vulnerabilities among all vendors in 2024.
“A very reasonable conclusion is that Ivanti products simply have more vulnerabilities in them,” said VulnCheck CTO Jacob Baines. “That could be due to internal software practices, or it could be the result of building on top of legacy software acquired through other companies where perhaps the security hygiene across all versions wasn’t prioritized.”
Researchers commend Ivanti’s disclosure practices
The transparency Ivanti referenced with regard to Coalition’s report has been well received by other industry experts.
Mandiant Consulting CTO Charles Carmakal told CyberScoop there is a skewed perception regarding how often Ivanti is targeted compared to other companies. He underscored Ivanti’s proactive approach, noting that from his perspective, “they do a really good job of sharing threat intelligence about active exploitation, which many other companies don’t do a lot of times.” Ivanti has collaborated with Carmakal and Mandiant on incident response and research since 2021.
Experts also emphasized that the exploitation of network edge devices is not exclusive to Ivanti. As endpoint security has matured, advanced threat actors have increasingly targeted edge devices, which typically do not support endpoint detection and response (EDR) solutions. These devices often occupy elevated positions within enterprise networks.
“Detecting and remediating this type of compromise requires a significant level of expertise, and even when security solutions are in place, the threat actors are attempting to disable or remove these security solutions to create blind spots,” Carmakal explained.
Caitlin Condon, director of vulnerability intelligence at Rapid7, argued that the number of exploited vulnerabilities assigned to a vendor is not a nuanced measure of their risk or commitment to security.
“We want to be judging vendors primarily by their response to major incidents and not necessarily by the vulnerabilities that exist in their technology,” she stated.
Rapid7 focuses on vulnerabilities that lead to widespread compromises, which often originate from defects in popular products by Palo Alto Networks, Fortinet, and Citrix.
Condon cautioned against assuming that a vulnerability on the KEV list automatically leads to large-scale incidents, as other threats are exploited more frequently and extensively.
“Just because a vulnerability is on KEV doesn’t mean it’s automatically driving broad-scale incidents,” she said. “We see other things that are being exploited much more frequently and at scale.”
Why Ivanti outpaces larger competitors on exploited defects
Despite the focus of attackers on network edge devices generally, Ivanti continues to face consistent and recurring problems with actively exploited software defects. Explanations for the root cause of those flaws, and for why vulnerabilities are discovered in Ivanti products more often than in competitors’ products, vary widely.
Security experts said one explanation is that researchers — both within and outside Ivanti — are putting more attention on the company’s products and finding more actively exploited vulnerabilities as a result.
“Having vulnerabilities is normal, and popular technology is a common target for vulnerability researchers,” Condon said. “There’s also an amplification effect at play — when a high-profile vulnerability winds up on KEV, you can be sure that additional researchers are going to start looking for more hot vulnerabilities in that code base.”
Researchers also note that Ivanti products are used by organizations that attackers like to target, a factor that equally affects other vendors with larger market shares in the network edge device sector.
The most high-profile and potentially damaging attack linked to an exploited Ivanti vulnerability involved CISA itself. The federal agency responsible for overseeing the cybersecurity posture of the federal government was impacted in January 2024 by a pair of widely exploited zero-day vulnerabilities in Ivanti products it used at the time.
Attackers breached CISA’s Chemical Security Assessment Tool and the CISA Gateway, tools the agency maintained to help secure critical infrastructure. After the attack occurred, but before CISA disclosed the breach, the agency revised a previously released emergency directive, requiring all federal agencies to disconnect all instances of the impacted Ivanti products from their networks.
CISA officials later said they couldn’t rule out the possibility that chemical facilities’ data was stolen during the attack, and notified organizations representing more than 100,000 people of potential exposure.
The talent and motivations of the groups behind these attacks on Ivanti products — often China state-backed espionage groups — are another factor at play.
“We just see such a high velocity of vulnerability research and exploit development coming out of China that’s used for espionage purposes, and it’s used by multiple groups,” Carmakal said. “We’re going to continue to see this, and it’s not going to be limited to Ivanti.”
Patterns in Ivanti-linked attacks
The most recently disclosed vulnerability affecting Ivanti’s VPN products, CVE-2025-22457, has been exploited by a China-nexus espionage group since mid-March. The threat group, which Google Threat Intelligence Group tracks as UNC5221, has repeatedly attacked Ivanti customers since 2023. UNC5221 previously exploited zero-day vulnerabilities disclosed in Ivanti products in 2023, 2024 and earlier this year.
“Pretty much every VPN solution continues to publish CVEs that are exploited in the wild, and that are generally exploited initially, first as a zero-day, and then they’re all exploited, to some extent, as an n-day vulnerability,” Carmakal said. “This most recent vulnerability was very complex to exploit. This was not an easy, trivial vulnerability.”
Ivanti released a patch for CVE-2025-22457 in Ivanti Connect Secure on Feb. 11, but didn’t publicly disclose the vulnerability until April 3. Shadowserver scans found more than 5,000 unpatched instances of Ivanti Connect Secure three days later.
Mandiant researchers said they don’t know how many organizations are impacted by CVE-2025-22457 exploits, but discovered victims across multiple industries, including government, defense and technology.
Katell Thielemann, VP analyst at Gartner, said the burden customers confront when dealing with vulnerabilities at large continues to grow in scope and costs.
“The best angle would be to make sure vulnerabilities are not included in the first place, either by using secure-by-design or cyber-informed engineering principles — but market forces need to put the pressure on producers to adopt them, and for the moment they do not,” she said.
Ivanti has improved the security of its products through multiple measures since it signed CISA’s secure-by-design pledge last year, Daniel Spicer, the company’s chief security officer, said in a blog post released in February.
Ivanti’s product development process includes more robust threat modeling and vulnerability assessments, a security team that has grown eight-fold since 2021 and multifactor authentication enabled by default, Spicer said.
“Aggressive state-sponsored attacks on edge devices are a widespread and well-documented industry challenge, and not unique to Ivanti,” a company spokesperson said.
“In response to this threat, Ivanti has established a comprehensive security program including meaningful investments in specialized talent, processes, and partnerships, as well as collaboration on relevant threat intelligence and customer-centric tools like the Integrity Checker Tool and remote forensic capabilities that provide increased and timely visibility into customer environments.”
While some experts place fault for the regularity of exploited Ivanti vulnerabilities with the vendor, others laud the company for its efforts to improve and view the challenges Ivanti and its customers are confronting as an industrywide phenomenon.
“To me, it’s less of a vendor issue. It’s more of an adversary issue,” Carmakal said.
“The frequency and aggressive tempo of these attacks highlights the severity and sophistication of the threat actors,” he added, “and we should be careful to not quickly attribute this as shortcomings in the impacted vendors.”