Organizations using Ivanti Connect Secure and Pulse Secure VPN systems have been urged to update their instances following a ninefold increase in suspicious IP scanning activity recorded on April 18, The Register reports.
Of the 1,004 unique IPs that scanned Ivanti VPN appliances, 878 were either "suspicious" or "malicious," according to a report from GreyNoise.
"While no specific CVEs have been tied to this scanning activity yet, spikes like this often precede active exploitation. GreyNoise has previously observed similar patterns in the lead-up to the public discovery of new vulnerabilities," said the cybersecurity firm, which recommended increased vigilance for suspicious login activity and enhanced remediation efforts.
Such findings come as Japan's Computer Emergency Response Team reported that attacks exploiting the critical Ivanti Connect Secure zero-day, tracked as CVE-2025-0282, have been used to compromise systems with the DslogdRAT malware. Additional investigation is needed to establish an association between the attacks and China-linked UNC5221's intrusions against Connect Secure instances earlier this year, said JPCERT.
Escalating attacks against Ivanti VPN appliances expected
