Chinese state-linked hackers leveraged vulnerabilities in Ivanti’s VPN technology to infiltrate dozens of customer networks, according to a new investigation that traces a silent, far-reaching campaign back to a hidden backdoor in Pulse Secure software. The operation, detailed by Bloomberg and corroborated by incident responders, reportedly touched at least 119 organizations and included sensitive targets such as military contractors.
Security firm Mandiant warned Ivanti during the response, the report notes, underscoring how widely the intrusion spread through shared infrastructure. Ivanti and Mandiant did not respond to requests for comment, but the findings align with years of mounting evidence that VPN appliances have become prime beachheads for well-resourced adversaries.
What the Bloomberg report reveals about Ivanti breaches
The investigation describes an operation in which Chinese operators seeded a covert backdoor inside Pulse Secure VPN software, a product line owned by Ivanti, and then used those compromised gateways to pivot into customer environments. From a single supplier touchpoint, attackers reportedly gained access to 119 other organizations using the same product, a hallmark of the “island hopping” strategy frequently seen in state-backed campaigns.
Sources cited in the report include Ivanti’s former chief security officer and incident responders who say the intrusions reached both European and U.S. defense contractors. The breadth of compromise reinforces a lesson the security community has emphasized for years: edge devices that terminate encrypted traffic and authenticate users are among the most valuable assets to protect—and the most damaging to lose.
A pattern of exploited VPN appliances across vendors
Ivanti’s edge products have drawn urgent government attention before. The U.S. Cybersecurity and Infrastructure Security Agency ordered federal agencies to disconnect affected Ivanti Connect Secure appliances within two days during a wave of mass exploitation, saying adversaries were chaining previously unknown flaws to gain initial access. Ivanti later warned that attackers were actively abusing a critical vulnerability in Connect Secure to hit corporate networks.
Rival providers have faced similar crises. Citrix, after significant restructuring by private investors, wrestled with a series of critical bugs that fueled widespread attacks—including the high-profile CitrixBleed issue. The common thread is not a single vendor, but the strategic value of VPN and remote-access gear as an initial intrusion vector.
Private equity pressures and security debt
Bloomberg’s reporting also points to organizational headwinds. After Ivanti was acquired by Clearlake Capital Group, the company went through rounds of cuts, especially in engineering and product-security roles with deep institutional knowledge. Former employees said those reductions weakened code review, slowed secure development practices, and complicated incident response—classic “security debt” that accumulates when cost controls outpace risk management.
Similar dynamics have played out elsewhere in enterprise software, where private equity deals aim to streamline operations but can inadvertently erode the very controls needed to ship secure products and deliver patches quickly. When the product is a perimeter device that validates identities, the margin for error is razor-thin.
How the intrusions worked across Ivanti VPN appliances
While the Bloomberg account centers on a planted backdoor, the broader playbook for compromising VPN appliances is familiar. Attackers seek unauthenticated or privilege-escalation flaws to reach the device, deploy web shells or backdoors for persistence, harvest credentials and session tokens, and then move laterally via legitimate remote management tools. Because many appliances run custom operating systems with limited logging by default, defenders often lack the telemetry to reconstruct what happened without a full rebuild.
In previous Pulse Secure cases documented by incident responders, adversaries used tailored malware and tampered configuration files to survive reboots and blend in with normal admin activity. The tradecraft is intentionally quiet, emphasizing long-term access over noisy data theft in a single burst.
What customers should do now to mitigate Ivanti risks
Organizations running Ivanti Connect Secure or related Pulse Secure products should assume targeted interest and follow emergency guidance issued by national cyber authorities. That typically includes:
- Disconnecting and rebuilding devices from a known-good image or replacing them outright
- Revoking and reissuing SSO and SAML certificates
- Rotating all admin and service credentials
- Hunting for anomalous access across identity providers, VPN logs, and endpoint telemetry
Longer term, harden management interfaces behind dedicated jump hosts, enforce phishing-resistant multifactor authentication, and adopt zero trust network access to reduce reliance on traditional VPN concentrators. Apply patches quickly, but also plan for the reality that unknown flaws can be chained: continuous monitoring, strict egress controls from appliances, and rapid certificate and key rotation are essential when the perimeter itself is in play.
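As an added, defender-side illustration (not code from Bloomberg, Ivanti, or Mandiant), the hunting script below scans a constructed set of appliance log lines for three of the signals the guidance above calls for: admin logins that bypassed the dedicated jump hosts, sessions that survived a credential rotation, and the appliance itself reaching external hosts. The line format, the jump-host subnet and the internal ranges are assumptions for the demo, not an Ivanti log format.

```python
# Added hunting example over constructed appliance log lines (not an Ivanti log format).
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines, format 'ts|event|user|src|dst' (an assumption for this demo).
SAMPLE_LOG = """\
2024-03-01T08:02:10|admin_login|ops-admin|10.10.5.4|appliance
2024-03-01T08:05:33|admin_login|ops-admin|203.0.113.77|appliance
2024-03-01T08:06:01|session_start|svc-backup|10.10.7.9|appliance
2024-03-01T09:30:00|credential_rotation|-|-|appliance
2024-03-01T10:15:44|session_active|svc-backup|10.10.7.9|appliance
2024-03-01T10:16:02|egress|appliance|appliance|198.51.100.23:443
2024-03-01T10:17:00|egress|appliance|appliance|10.10.1.20:514
"""

JUMP_HOSTS = [ip_network("10.10.5.0/24")]  # assumed dedicated management subnet
INTERNAL = [ip_network("10.0.0.0/8")]      # assumed internal address space

def parse(log_text):
    """Turn each line into a dict; timestamps become datetime objects."""
    rows = []
    for line in log_text.splitlines():
        ts, event, user, src, dst = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "event": event,
                     "user": user, "src": src, "dst": dst})
    return rows

def in_any(ip, nets):
    return any(ip_address(ip) in n for n in nets)

def hunt(rows):
    """Return (finding, user, address) tuples for the three signals."""
    findings = []
    rotation_ts = next((r["ts"] for r in rows if r["event"] == "credential_rotation"), None)
    started_before = set()  # users whose sessions began before the rotation
    for r in rows:
        # 1. Admin login that did not come through the dedicated jump hosts.
        if r["event"] == "admin_login" and not in_any(r["src"], JUMP_HOSTS):
            findings.append(("admin_login_off_jumphost", r["user"], r["src"]))
        # 2. Session begun before rotation and still active afterwards: rotating
        #    the secret helps only if the old sessions were terminated too.
        if r["event"] == "session_start" and rotation_ts and r["ts"] < rotation_ts:
            started_before.add(r["user"])
        if (r["event"] == "session_active" and rotation_ts and r["ts"] > rotation_ts
                and r["user"] in started_before):
            findings.append(("session_survived_rotation", r["user"], r["src"]))
        # 3. The appliance itself reaching outside internal space: egress it should not need.
        if r["event"] == "egress" and not in_any(r["dst"].split(":")[0], INTERNAL):
            findings.append(("appliance_external_egress", r["user"], r["dst"]))
    return findings
```

Feed `hunt(parse(...))` real export lines once the format is adapted; the rotation check only makes sense if the rotation event itself is logged.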
The reported campaign against Ivanti customers is another reminder that security at the edge is only as strong as the processes—and people—behind it. When attackers target the login box, resilience depends on more than a patch; it depends on the organization’s ability to change how that box is built, monitored, and trusted.