Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
ID: 25418a3c-1c6a-5c65-a163-c70333884728
STIX ID: report--25418a3c-1c6a-5c65-a163-c70333884728
Feed Name: CISA Cybersecurity Advisories
CISA and partner agencies warn that threat actors are actively exploiting multiple vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure to achieve unauthenticated remote code execution (RCE), deploy web shells (e.g., GLASSTOKEN, GIFTEDVISITOR, BUSHWALK, LIGHTWIRE, CHAINLINE), harvest Active Directory (AD) credentials, and establish root-level persistence that can survive factory resets while evading Ivanti’s Integrity Checker. The advisory includes IOCs, YARA rules, and detection and incident response guidance. It also gives strong mitigations, including assuming compromise, rotating credentials, hunting for malicious activity, and applying patches or considering device decommissioning.
