Protect.Computer

CISA orders agencies to patch Ivanti Connect Secure RCE under active exploitation


What happened

CISA added an Ivanti Connect Secure remote-code-execution issue to its Known Exploited Vulnerabilities (KEV) catalog and set a short federal remediation deadline under BOD 22-01. A KEV addition means CISA has enough evidence that the vulnerability is being exploited in real environments.

Why this matters

Ivanti Connect Secure is often exposed at the network edge and used for remote access. When edge devices are actively exploited, attackers can gain an initial foothold quickly and then move deeper into internal systems.

How to check if you’re affected

You may be affected if you run Ivanti Connect Secure on a build that the Ivanti advisory lists as vulnerable, rather than one of Ivanti's patched builds, and your instance is reachable from the internet.

  1. Identify all Ivanti Connect Secure appliances and confirm current versions.
  2. Compare installed versions against Ivanti’s fixed-version guidance.
  3. Apply the vendor patch/mitigation immediately on affected systems.
  4. Review authentication logs, admin changes, and unusual VPN/session activity since the disclosure window.
  5. Hunt for signs of post-compromise activity (new admin accounts, suspicious scripts, unusual outbound traffic).
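
Steps 1 to 3 can be scripted against an appliance inventory. The sketch below is an added example, not from Ivanti or CISA: it assumes version strings shaped like `22.7R2.5`, a hypothetical `FIXED_BUILDS` table whose values are placeholders to be replaced with the builds in the vendor advisory, and a constructed sample inventory.

```python
import re

# PLACEHOLDER table: first patched build per release train (major, minor).
# These are NOT real fixed versions; copy the real ones from Ivanti's advisory.
FIXED_BUILDS = {(22, 7): "22.7R2.99", (9, 1): "9.1R18.99"}

# Most urgent status first.
PRIORITY = ["VULNERABLE_EXPOSED", "NO_FIXED_BUILD_FOR_TRAIN", "UNKNOWN_VERSION",
            "VULNERABLE_INTERNAL", "PATCHED"]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch level counts as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(group or 0) for group in match.groups())

def classify(version, internet_facing):
    """Map one appliance to a triage status."""
    try:
        parsed = parse_version(version)
    except ValueError:
        return "UNKNOWN_VERSION"  # confirm the build by hand
    fixed = FIXED_BUILDS.get(parsed[:2])
    if fixed is None:
        return "NO_FIXED_BUILD_FOR_TRAIN"  # train not in table: check advisory
    if parsed >= parse_version(fixed):
        return "PATCHED"
    return "VULNERABLE_EXPOSED" if internet_facing else "VULNERABLE_INTERNAL"

def triage(inventory):
    """Return (host, status) pairs sorted so the most urgent come first."""
    rows = [(host, classify(ver, exposed)) for host, ver, exposed in inventory]
    return sorted(rows, key=lambda row: PRIORITY.index(row[1]))

# Constructed sample inventory: (host, reported version, reachable from internet).
SAMPLE_INVENTORY = [
    ("vpn-b.example.org", "22.7R2.99", True),
    ("vpn-c.example.org", "9.1R14", False),
    ("vpn-a.example.org", "22.7R2.5", True),
    ("vpn-e.example.org", "unknown", True),
    ("vpn-d.example.org", "21.9R1", True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{status:26} {host}")
```

Appliances on a release train missing from the table are ranked just below exposed vulnerable ones, since no fixed build for them can be assumed without checking the advisory.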

Immediate defensive actions

  • Restrict management access and admin interfaces to trusted IPs only.
  • Enforce MFA for remote access and administrative logins.
  • Rotate privileged credentials after patching if compromise is suspected.
  • Keep continuous monitoring on edge-device logs for at least several days after remediation.

Bottom line

A KEV listing is an operational warning, not just another CVE entry. If Ivanti Connect Secure is in your environment, validate version status and patch priority now.