In the first half of 2025, Ivanti became a primary target of **UNC5221**, a suspected China-linked state-sponsored threat group exploiting multiple vulnerabilities in its products, including **Endpoint Manager Mobile, Connect Secure, and Policy Secure**. These attacks were part of a broader trend where **69% of exploited vulnerabilities required no authentication**, enabling remote execution without credentials. The exploitation of Ivanti’s edge infrastructure—critical for encrypted traffic and privileged access—posed severe risks, including **unauthorized system control, espionage, and potential lateral movement into high-value networks**. The attacks align with geopolitical motives, particularly **state-sponsored espionage and surveillance**, targeting enterprise solutions to compromise sensitive data or maintain persistent access. While the article does not specify direct data breaches or operational disruptions, the **strategic weaponization of Ivanti’s flaws** by advanced threat actors suggests high-stakes consequences, including **potential compromise of government, defense, or critical infrastructure entities** relying on these systems. The lack of authentication requirements further amplifies the threat, as attackers could **remotely execute code (RCE) with full system control**, posing existential risks to organizations dependent on Ivanti’s security appliances.
Source: https://www.infosecurity-magazine.com/news/state-hackers-majority/
TPRM report: https://www.rankiteo.com/company/ivanti
"id": "iva631082925",
"linkid": "ivanti",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Cybersecurity/IT',
                        'name': 'Ivanti',
                        'type': 'Technology Vendor'},
                       {'industry': 'Software/Cloud',
                        'name': 'Microsoft',
                        'type': 'Technology Vendor'},
                       {'industry': 'Multiple (targeted sectors not specified)',
                        'location': 'Global',
                        'name': 'Organizations using Ivanti/Microsoft products',
                        'type': 'Enterprise/Edge Infrastructure Users'}],
 'attack_vector': ['Unauthenticated Remote Exploitation (69% of CVEs)',
                   'Remote Code Execution (30% of CVEs)',
                   'Social Engineering (ClickFix/FileFix)',
                   'BYOI (Bring-Your-Own-Installer)',
                   'JIT Hooking',
                   'Memory Injection'],
 'date_publicly_disclosed': '2025-08-28',
 'description': 'In the first half of 2025, 53% of attributed vulnerability exploits were conducted by state-sponsored actors (primarily Chinese groups like UNC5221) for geopolitical purposes such as espionage and surveillance. The remaining 47% were financially motivated, split between theft/fraud (27%) and ransomware/extortion (20%). Key targets included edge infrastructure, enterprise solutions (e.g., Ivanti products), and Microsoft systems. Exploits often required no authentication (69%) and enabled remote code execution (30%). New initial access techniques like ClickFix (social engineering via fake error messages) and FileFix (malicious file path manipulation) were adopted by ransomware groups like Interlock. Post-compromise, EDR evasion via BYOI, JIT hooking, and memory injection increased.',
 'impact': {'systems_affected': ['Edge infrastructure',
                                 'Enterprise solutions (e.g., Ivanti, Microsoft)',
                                 'Remote access tools',
                                 'Gateway-layer software']},
 'initial_access_broker': {'entry_point': ['ClickFix (fake error/verification messages)',
                                           'FileFix (malicious file paths in Windows Explorer)'],
                           'high_value_targets': ['Edge infrastructure',
                                                  'Enterprise solutions (Ivanti, Microsoft)',
                                                  'Remote access tools']},
 'investigation_status': 'Completed (report published)',
 'lessons_learned': ['State-sponsored exploits are targeted and persistent, focusing on high-value systems (e.g., edge infrastructure).',
                     'Unauthenticated, remote exploits dominate (69% of CVEs), enabling direct internet-based attacks.',
                     'Social engineering techniques (ClickFix/FileFix) are increasingly effective for initial access.',
                     'Post-compromise EDR evasion (BYOI, JIT hooking) is rising among ransomware groups.',
                     'Vendors like Ivanti and Microsoft remain high-priority targets due to their widespread use.'],
 'motivation': ['Geopolitical (state-sponsored: 53%)',
                'Financial gain (theft/fraud: 27%; ransomware: 20%)'],
 'post_incident_analysis': {'corrective_actions': ['Accelerate vulnerability disclosure-to-patch timelines.',
                                                   'Deploy behavioral detection for social engineering-based initial access.',
                                                   'Hardening of edge infrastructure and remote access tools.',
                                                   'Adopt advanced EDR capabilities to counter BYOI/JIT hooking.'],
                            'root_causes': ['Rapid weaponization of disclosed vulnerabilities by well-resourced actors.',
                                            'Over-reliance on unpatched edge/gateway systems with unauthenticated access.',
                                            'Effectiveness of social engineering (ClickFix/FileFix) in bypassing security controls.',
                                            'Lack of mitigations for post-compromise EDR evasion techniques.']},
 'recommendations': ['Prioritize patching for unauthenticated, remote-exploitable CVEs, especially in edge/gateway systems.',
                     'Implement user training to recognize ClickFix/FileFix social engineering tactics.',
                     'Enhance EDR solutions to detect BYOI, JIT hooking, and memory injection techniques.',
                     'Monitor for indicators of state-sponsored activity targeting Ivanti/Microsoft products.',
                     'Segment networks to limit lateral movement post-compromise.'],
 'references': [{'date_accessed': '2025-08-28',
                 'source': 'Recorded Future’s Insikt Group'},
                {'date_accessed': '2025-08-28',
                 'source': 'H1 2025 Malware and Vulnerability Trends Report'},
                {'source': 'Chinese Tech Firms Linked to Salt Typhoon Espionage Campaigns'}],
 'threat_actor': [{'affiliation': 'Suspected China-linked state-sponsored group',
                   'focus': 'Ivanti products, edge infrastructure',
                   'name': 'UNC5221'},
                  {'affiliation': 'Ransomware group',
                   'name': 'Interlock Gang',
                   'techniques': ['ClickFix (Jan–Feb 2025)',
                                  'FileFix (later attacks)']},
                  {'motivation': 'Geopolitical (espionage, surveillance)',
                   'name': 'State-Sponsored Actors (53%)',
                   'primary_country': 'China (majority of campaigns)'},
                  {'name': 'Financially Motivated Actors (47%)',
                   'subgroups': [{'share': '27%',
                                  'type': 'Theft/Fraud (non-ransomware)'},
                                 {'share': '20%',
                                  'type': 'Ransomware/Extortion'}]}],
 'title': 'State-Sponsored and Financially-Motivated Vulnerability Exploits in H1 2025',
 'type': ['Vulnerability Exploitation',
          'Espionage',
          'Ransomware',
          'Theft/Fraud',
          'Social Engineering (ClickFix/FileFix)'],
 'vulnerability_exploited': ['161 distinct CVEs in H1 2025 (up from 136 in H1 2024)',
                             'Ivanti Endpoint Manager Mobile',
                             'Ivanti Connect Secure',
                             'Ivanti Policy Secure',
                             'Microsoft products (17% of exploitations)']}