A ninefold spike in suspicious scanning activity was detected recently.
Organisations using Ivanti Connect Secure and Pulse Secure VPN systems have been urged to update their instances following a ninefold increase in suspicious IP scanning activity.
According to research by GreyNoise, there was a ninefold spike in suspicious scanning activity targeting Ivanti Connect Secure (ICS) or Ivanti Pulse Secure (IPS) VPN systems on April 18th.
As reported by The Register, 878 of the 1,004 unique IPs that scanned Ivanti VPN appliances were either "suspicious" or "malicious."
"While no specific CVEs have been tied to this scanning activity yet, spikes like this often precede active exploitation," GreyNoise said. "GreyNoise has previously observed similar patterns in the lead-up to the public discovery of new vulnerabilities."
These findings come as Japan's Computer Emergency Response Team (JPCERT) reported that attacks exploiting the critical Ivanti Connect Secure zero-day, tracked as CVE-2025-0282, have been used to facilitate compromise with the DslogdRAT malware. Additional investigation is needed to establish an association between the attacks and China-linked UNC5221's intrusions against Connect Secure instances earlier this year, said JPCERT.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.