THREAT ALERT: Ivanti Connect Secure VPN Zero-Day Exploitation
ID: 29780c58-5fff-53fd-af1f-5c90eb3cca64
STIX ID: report--29780c58-5fff-53fd-af1f-5c90eb3cca64
Feed Name: Cybereason Blog
Cybereason reports active exploitation of multiple Ivanti Connect Secure/Policy Secure zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887, and later CVEs) that enable unauthenticated authentication bypass, remote code execution, privilege escalation and SSRF on Internet-facing VPN appliances. Observed post-exploitation activity includes webshells (LIGHTWIRE, WIREFIRE, CHAINLINE, etc.), the WARPWIRE JavaScript credential harvester, coinminers, credential dumping and lateral movement, with attribution to suspected UNC5221 alongside widespread automated abuse. The report also provides IOCs and mitigation/hardening guidance.
