VPN flaws allowed Chinese hackers to compromise dozens of Ivanti customers, says report
A new report says VPN vulnerabilities in Ivanti software enabled Chinese hackers to breach dozens of organisations, raising fresh concerns over enterprise network security.
In February 2021, enterprise software firm Ivanti learned that Chinese hackers had infiltrated the network of Pulse Secure — a subsidiary that sold VPN appliances to dozens of businesses and government bodies worldwide — according to new reporting from Bloomberg.
Bloomberg says the intruders exploited existing weaknesses in Pulse Secure’s VPN software to deploy a backdoor, citing Ivanti’s former chief security officer and other sources. That foothold allegedly enabled the hackers to reach 119 additional organisations that used the same VPN product, though those entities were not named in the report.
Mandiant was said to be aware of the activity as well, with the security firm reportedly warning Ivanti that attackers had used the vulnerability to breach military contractors in both Europe and the United States.
The newly detailed incident is presented as another example of how mergers, layoffs, and private-equity-driven cost reductions can undermine the reliability and security of a company’s most important technologies. After private investment firm Clearlake Capital Group bought Ivanti in 2017, Bloomberg reported that the company underwent rounds of cuts — especially in 2022 — that affected staff with deep institutional knowledge of Ivanti’s products and their security posture.
Ivanti spokesperson Carrie Laudie challenged Bloomberg’s account and said there was “never a backdoor planted by hackers in Connect Secure.”
Mandiant did not respond to a request for comment.
Bloomberg’s reporting aligns with earlier coverage of another remote-access provider, Citrix, which carried out large-scale layoffs following a 2022 acquisition by Elliott Investment Management and Vista Equity Partners. Like Ivanti, Citrix has faced a series of cybersecurity incidents and serious vulnerabilities in recent years.
Ivanti’s VPN products have also been tied to at least two other significant attacks since then.
In early 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) directed all federal agencies to disconnect Ivanti VPN appliances within 2 days, citing active exploitation of vulnerabilities that Ivanti was unaware of at the time. Ivanti also warned customers last year that attackers were exploiting another critical flaw in its Connect Secure product to break into corporate environments.