A significant increase in suspicious scanning activity targeting Ivanti Connect Secure (ICS) and Ivanti Pulse Secure (IPS) VPN systems has been observed, signaling a potential coordinated reconnaissance effort by threat actors.
The spike, registering more than 230 unique IP addresses probing ICS/IPS endpoints in a single day, represents a ninefold increase over the typical daily baseline of fewer than 30 unique IPs.
GreyNoise’s monitoring systems flagged this anomaly with their dedicated ICS scanner tag, which tracks IPs attempting to identify internet-accessible ICS/IPS systems.
Over the past 90 days, a total of 1,004 unique IPs have been observed conducting similar scans, with classifications as follows:
Importantly, none of these IPs were spoofable, indicating attackers leveraged actual, traceable infrastructure.
The top three source countries for scanning activity are the United States, Germany, and the Netherlands, while the primary targets are organizations in these countries.
Malicious IPs previously observed in other nefarious activities primarily originate from Tor exit nodes and well-known cloud or VPS providers.
In contrast, suspicious IPs are often linked to lesser-known hosting services and niche cloud infrastructure, suggesting a blend of sophisticated and opportunistic actors.
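The anomaly described above is a count of distinct source IPs per day compared against a quiet baseline. The following is an added example, not GreyNoise's tooling, of how a defender can apply the same check to their own VPN access logs. The log format (`<date> <source_ip> <path>`), the sample data, the seven-day median baseline and the 3x alert threshold are all assumptions made for illustration; the constructed data reproduces a jump from roughly 25 unique IPs per day to 230.

```python
"""Flag days on which the number of distinct scanning source IPs jumps
well above a rolling baseline (added example, not GreyNoise code)."""
from collections import defaultdict
from statistics import median


def parse_line(line):
    """Split a constructed access-log line "<date> <src_ip> <path>" into
    (day, source_ip). The path is ignored for this check."""
    day, src_ip, _path = line.split(maxsplit=2)
    return day, src_ip


def unique_ips_per_day(lines):
    """Count distinct source IPs for each calendar day, sorted by day."""
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        day, ip = parse_line(line)
        seen[day].add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}


def flag_spikes(counts, window=7, factor=3.0, min_baseline=5):
    """Return (day, count, baseline, ratio) for every day whose unique-IP
    count is at least `factor` times the median of the preceding `window`
    days. `min_baseline` stops a near-zero baseline from turning a handful
    of probes into an alert; at least three history days are required."""
    days = list(counts)
    alerts = []
    for i, day in enumerate(days):
        history = [counts[d] for d in days[max(0, i - window):i]]
        if len(history) < 3:
            continue
        baseline = max(median(history), min_baseline)
        ratio = counts[day] / baseline
        if ratio >= factor:
            alerts.append((day, counts[day], baseline, round(ratio, 1)))
    return alerts


def build_sample_log():
    """Constructed data: seven quiet days with 21..27 probing IPs each,
    then one day with 230 distinct IPs (documentation address ranges)."""
    lines = []
    for d in range(1, 8):
        for n in range(20 + d):
            lines.append(f"2025-04-{d:02d} 198.51.100.{n} /login")
    for n in range(230):
        lines.append(f"2025-04-08 203.0.113.{n} /login")
    return lines


if __name__ == "__main__":
    per_day = unique_ips_per_day(build_sample_log())
    for day, count, baseline, ratio in flag_spikes(per_day):
        print(f"{day}: {count} unique IPs vs baseline {baseline} ({ratio}x)")
```

The median baseline is deliberately insensitive to a single earlier noisy day; a mean would be dragged upward by one prior spike and mask the next one.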
This surge in scanning coincides with increased attention to CVE-2025-22457, a critical stack-based buffer overflow vulnerability in Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure 9.x (now end-of-support), Ivanti Policy Secure, and Neurons for ZTA gateways.
Initially underestimated, this flaw was later found to enable unauthenticated remote code execution (RCE), allowing attackers to run arbitrary code on vulnerable appliances.
A patch for CVE-2025-22457 was released on February 11, 2025 (ICS version 22.7R2.6), but many legacy devices remain unpatched and exposed.
Exploitation in the wild has already been confirmed, with advanced persistent threat (APT) groups such as UNC5221 reverse-engineering the patch to develop working exploits.
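The affected range given above (ICS 22.7R2.5 and earlier, fixed in 22.7R2.6; Pulse Connect Secure 9.x end-of-support) can be turned into an inventory triage. The following is an added example, not Ivanti or GreyNoise code: it parses Ivanti's `major.minorRrelease.patch` version format and classifies each appliance. The inventory entries are constructed, and the assumption that every 22.x build below 22.7R2.6 should be treated as unpatched follows directly from the range stated in the text.

```python
"""Classify Ivanti Connect Secure / Pulse Connect Secure appliances by
version against the fix level for CVE-2025-22457 (added example)."""
import re

# Matches e.g. "22.7R2.5" or "9.1R18" (patch component optional).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# First ICS build carrying the fix, per the advisory summarised above.
FIXED_ICS = (22, 7, 2, 6)


def parse_version(text):
    """Turn "22.7R2.5" into a comparable tuple (22, 7, 2, 5).
    A missing patch component is treated as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def triage(hostname, version_text):
    """Return (hostname, version, status) for one appliance."""
    v = parse_version(version_text)
    if v[0] == 9:
        status = "end-of-support: Pulse Connect Secure 9.x has no fix, migrate"
    elif v < FIXED_ICS:
        status = "unpatched: upgrade to 22.7R2.6 or later"
    else:
        status = "patched"
    return (hostname, version_text, status)


def triage_inventory(inventory):
    """Triage a list of (hostname, version) pairs, unpatched first."""
    rows = [triage(host, ver) for host, ver in inventory]
    return sorted(rows, key=lambda r: r[2] == "patched")


# Constructed inventory for demonstration; hostnames are placeholders.
INVENTORY = [
    ("vpn-ams-1.example", "22.7R2.5"),
    ("vpn-fra-1.example", "22.7R2.6"),
    ("vpn-legacy.example", "9.1R18.9"),
    ("vpn-nyc-2.example", "22.6R2.3"),
]

if __name__ == "__main__":
    for host, ver, status in triage_inventory(INVENTORY):
        print(f"{host:22} {ver:10} {status}")
```

Tuple comparison does the right thing here because Ivanti's version components are numeric and ordered; a plain string comparison would rank "22.7R2.10" below "22.7R2.6".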
Ivanti Connect Secure VPNs are widely deployed for enterprise remote access, making them high-value targets for cybercriminals and nation-state actors.
Historical patterns show that spikes in scanning activity often precede the public disclosure or mass exploitation of new vulnerabilities.
The current wave of reconnaissance may indicate that attackers are mapping vulnerable systems in preparation for large-scale attacks, ransomware campaigns, or data breaches.
To mitigate risk, organizations should:
GreyNoise continues to track this evolving threat and advises that security teams remain vigilant.
The observed spike in scanning is a clear warning: attackers actively seek to exploit unpatched Ivanti Connect Secure systems. Proactive defense and rapid patching are essential to prevent compromise.