vulnerability | high | Reconnaissance | Scanning

Apr 23, 2025 • GreyNoise Blog

9X Surge in Ivanti Connect Secure Scanning Activity


Source: GreyNoise Blog
Category: vulnerability
Severity: high

Executive Summary

GreyNoise has detected a significant nine-fold increase in scanning activity directed at Ivanti Connect Secure and Pulse Secure VPN endpoints. Over 230 unique IP addresses were identified probing these systems, suggesting coordinated reconnaissance efforts by potentially malicious actors. While no specific threat group or malware family has been attributed to this campaign, the surge indicates preparation for future exploitation attempts targeting known vulnerabilities within these VPN solutions. Organizations utilizing Ivanti products face elevated risk of compromise if patches are not applied promptly. This activity aligns with typical pre-exploitation behaviors observed in advanced persistent threat operations. Immediate mitigation steps include verifying patch levels, monitoring network traffic for anomalous connections, and implementing strict access controls. Security teams should treat this intelligence as a high-priority warning to harden perimeter defenses against potential initial access vectors leveraging Ivanti vulnerabilities before active exploitation waves commence globally.

Summary

GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure (ICS) or Ivanti Pulse Secure (IPS) VPN systems. More than 230 unique IPs probed ICS/IPS endpoints. This surge may indicate coordinated reconnaissance and possible preparation for future exploitation.
