Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
ID: b168d45e-d417-527d-bff4-00536e2c4484
STIX ID: report--b168d45e-d417-527d-bff4-00536e2c4484
Feed Name: Volexity Blog
Volexity describes active exploitation of two chained zero-day vulnerabilities in Ivanti Connect Secure appliances (an authentication bypass and a command injection) enabling unauthenticated remote code execution. A suspected Chinese nation-state actor (UTA0178) used them to install backdoors, deploy GLASSTOKEN webshells, harvest credentials via modified JavaScript, and move laterally across networks. The report provides forensic findings, IoCs (IPs/domains), detection guidance (network, log, and Integrity Checker methods), and remediation/response recommendations, including applying Ivanti's mitigations and collecting forensic artifacts before rebooting.
