When patching isn’t enough: appliance-resident malware in Ivanti Connect Secure intrusions
Edge security appliances have become one of the most attractive entry points for attackers. Devices designed to protect organisations, including VPN gateways, remote access platforms and identity infrastructure, are now routinely targeted because they sit at the intersection of internet exposure and privileged network access.
If you are reading this because you have experienced a ransomware incident and are unsure how to deal with it, contact Zensec immediately.
Over the past several years, repeated vulnerabilities affecting Ivanti Connect Secure and similar remote access appliances have demonstrated how quickly a single exposed device can become a gateway into an organisation’s wider environment. Once compromised, these systems can provide attackers with privileged access to internal infrastructure and identity services.
Public advisories have highlighted vulnerabilities such as CVE-2025-0282 and CVE-2025-22457, both of which allow remote attackers to gain control of affected appliances. The concern is not simply the vulnerability itself, but how organisations respond to it. When internet-facing security appliances are compromised, attackers often use that initial foothold to move deeper into the environment.
In practice, compromise of a remote access gateway can provide attackers with a pathway into the wider network.
Threat analysis
The attack chain observed in these incidents typically begins with exploitation of an internet-facing vulnerability that allows remote code execution.
One such example is CVE-2025-0282, a critical vulnerability affecting Ivanti Connect Secure and related products that enables unauthenticated remote code execution on exposed appliances. This issue was disclosed alongside CVE-2025-0283, a privilege escalation vulnerability that can be used to expand attacker access once initial entry is achieved.
In attacks involving exposed VPN infrastructure, attackers commonly begin with reconnaissance to identify vulnerable systems. This can involve scanning for exposed login portals or requesting version-specific files within the /dana-cached/hc/ directory in order to identify the precise appliance build deployed by the organisation.
Once access is obtained, attackers often attempt to establish persistence and evade detection. Observed activity in investigations of compromised appliances has included actions such as:
- disabling security controls such as SELinux
- blocking outbound logging using firewall rules
- remounting the appliance filesystem with write permissions
- deploying web shells for persistent access
- modifying log files to remove evidence of compromise
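As an added illustration (not from the original post, and not vendor tooling), the following Python triage script runs two defensive checks over constructed appliance web-access log lines: it flags sources that fetched version-specific files under /dana-cached/hc/ without ever attempting a login, matching the reconnaissance described above, and it reports large gaps between consecutive entries that could reflect the log modification listed above. The log layout, file name, endpoints and thresholds are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in a generic combined-log layout (not real appliance output).
# The file name after /dana-cached/hc/ is a placeholder; real names are build-specific.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jan/2025:09:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.10 - - [08/Jan/2025:09:00:04 +0000] "GET /dana-cached/hc/hc_launcher.EXAMPLE-BUILD.jar HTTP/1.1" 200 4096
198.51.100.7 - - [08/Jan/2025:09:00:09 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0
198.51.100.7 - - [08/Jan/2025:09:00:12 +0000] "GET /dana-cached/hc/hc_launcher.EXAMPLE-BUILD.jar HTTP/1.1" 200 4096
198.51.100.7 - - [08/Jan/2025:15:30:12 +0000] "GET /dana-na/auth/logout.cgi HTTP/1.1" 200 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_log(text):
    """Return one dict per parsable line, in file order; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
            events.append(ev)
    return events

def version_probes(events):
    """Sources that fetched a /dana-cached/hc/ file but never posted a login.
    Heuristic: legitimate clients fetch these files as part of a login session."""
    fetched, logged_in = set(), set()
    for ev in events:
        if ev["path"].startswith("/dana-cached/hc/"):
            fetched.add(ev["ip"])
        if ev["method"] == "POST" and ev["path"].endswith("/login.cgi"):
            logged_in.add(ev["ip"])
    return sorted(fetched - logged_in)

def log_gaps(events, max_gap_seconds):
    """Consecutive entries further apart than the threshold (possible truncation)."""
    ordered = sorted(events, key=lambda e: e["ts"])
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        delta = (cur["ts"] - prev["ts"]).total_seconds()
        if delta > max_gap_seconds:
            gaps.append((prev["ts"].isoformat(), cur["ts"].isoformat(), int(delta)))
    return gaps
```

On the constructed sample, 203.0.113.10 is reported as an unauthenticated version-file fetch and a six-and-a-half-hour gap is reported between the last two entries; real appliance logs will need the regex and threshold adjusted to the site's format and traffic volume.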
In some cases, attackers have deployed malware capable of operating directly within the appliance environment. Such implants may enable covert access, tunnelling traffic into internal networks or acting as a proxy platform for further activity.
While these scenarios are not universal, they demonstrate the level of control attackers can achieve once a remote access appliance has been compromised.
Security weakness
The success of these campaigns highlights a persistent defensive blind spot.
Perimeter appliances are often treated as network infrastructure, yet attackers compromise them as if they were endpoints. Unlike endpoints, however, these devices rarely benefit from the same level of telemetry, monitoring or threat detection.
Many organisations approach vulnerabilities in these systems primarily through patch management. However, vendor advisories frequently require additional remediation steps beyond installing an update.
For example, Ivanti’s security advisory for CVE-2025-0282 and CVE-2025-0283 explicitly recommends performing a factory reset of affected appliances to ensure that any malicious modifications or malware are removed from the system.
This highlights the difference between patch management and vulnerability management. Installing a patch closes the vulnerability, but it does not necessarily address actions attackers may already have taken while the vulnerability was exploitable.
Industry impact
For UK organisations, the implications are significant.
Remote access infrastructure often provides privileged access to internal networks, identity systems and administrative services. As a result, compromise of a single VPN appliance can quickly escalate into a wider security incident affecting multiple systems.
Recent incidents involving other security platforms demonstrate how incomplete remediation can lead to serious consequences. The compromise of the MySonicWall platform illustrated how organisations that applied patches but failed to reset credentials or complete other remediation steps remained exposed to attackers. In some cases, this led to follow-on ransomware incidents.
Because remote access appliances sit at the boundary between external users and internal infrastructure, attackers frequently use them as an initial access vector before attempting lateral movement into servers, identity systems or backup environments.
In many ransomware investigations, attackers are found to have gained their initial foothold through vulnerabilities in externally exposed infrastructure.
Defensive lessons
Defending against these threats requires treating vulnerabilities in exposed appliances as security incidents, not simply patch management tasks.
Effective remediation requires a vulnerability management approach that considers the full lifecycle of the issue, including investigation, remediation and verification.
Several defensive priorities emerge from publicly reported incidents.
Contain and validate
If exploitation is suspected, organisations should isolate the appliance where possible and validate its integrity using available tools and published indicators of compromise.
Follow vendor remediation guidance
Where vulnerabilities affect remote access appliances, vendor guidance should be followed closely. For vulnerabilities such as CVE-2025-0282, Ivanti recommends rebuilding affected appliances and performing a factory reset to ensure any malicious modifications are removed.
Reset trust
Credentials, certificates and API keys associated with the appliance should be rotated as part of recovery. Attackers with access to the device may have harvested authentication material used by administrators or connected services.
Hunt beyond the appliance
Investigations should extend beyond the gateway itself. Attackers who gain access to remote access infrastructure often attempt lateral movement into internal systems, particularly those containing sensitive data or administrative credentials.
Reduce opportunities for re-entry
Organisations should review the exposure of remote access appliances, restrict unnecessary external access and ensure strong monitoring of authentication activity.
Conclusion
Vulnerabilities affecting internet-facing security appliances highlight a broader challenge for organisations: effective vulnerability management requires more than simply applying patches.
Security teams must evaluate vendor guidance, determine appropriate remediation steps and verify that attackers have not already gained access to the system.
As long as remote access infrastructure remains central to enterprise connectivity, attackers will continue to target these platforms as a route into corporate networks. In many cases, vulnerabilities in edge infrastructure provide the initial foothold for wider compromises, including ransomware attacks.
Staying ahead of these threats requires organisations to continuously monitor vulnerabilities affecting critical infrastructure, assess their potential impact and implement a coordinated response when new issues emerge.
This is where dedicated expertise becomes essential. Understanding which vulnerabilities matter, determining the correct remediation steps and ensuring systems are properly secured requires ongoing attention and technical insight.
Sources
- NCSC: “Active exploitation of vulnerability affecting Ivanti Connect Secure” (Jan 2025).
- NHS England Digital (CC-4641): CVE-2025-22457 cyber alert (Apr 2025).
- Mandiant: CVE-2025-0282/0283 exploitation and UNC5221 attribution (Jan 2025).
- Unit 42: IR-derived TTPs for CVE-2025-0282 intrusions (Jan 2025).
- JPCERT/CC: SPAWNCHIMERA technical analysis (Feb 2025).
- CISA MAR mirror: RESURGE analysis (Mar–Apr 2025).
- Mandiant & Rapid7: CVE-2025-22457 exploitation context (Apr 2025).
- Mandiant remediation/hardening guide for Ivanti exploitation (2024).