Covert TLS n-day backdoors: SparkCockpit & SparkTar
ID: 1c941505-5b9f-56eb-b14f-956f94250d54
STIX ID: report--1c941505-5b9f-56eb-b14f-956f94250d54
Feed Name: NVISO Labs
NVISO identified two previously undetected, TLS-intercepting backdoors—SparkCockpit and SparkTar—on Ivanti Pulse Secure appliances exploited via CVE-2023-46805 and CVE-2024-21887; the implants provide stealthy selective TLS interception, remote command execution, file upload and SOCKS tunneling (potentially enabling full internal network access), with SparkTar exhibiting extreme persistence (surviving factory resets and upgrades).
