Inside the Infrastructure: Who’s Scanning for Ivanti Connect Secure?

GreyNoise observed a large spike (Jan 21–28) in reconnaissance against Ivanti Connect Secure’s /dana-na/auth/url_default/welcome.cgi (CVE-2025-0282, EPSS 93.05%). Two concurrent campaigns were identified: a high-volume, bursty cluster centered in AS213790 (Romania/Moldova) with ~34,172 sessions, and a distributed approach using ~6,000 unique IPs consistent with botnets, proxies, or multi-cloud instances; defenders are advised to patch immediately, review logs for the target path, and reassess internet exposure.