The Need to Address Ivanti's Failures: A Call for Accountability and Leadership in Cybersecurity
How a Leading Security Vendor Became a Case Study in Poor Crisis Management, and What It Means for the Industry, from the Challenges of Ripping and Replacing to More
As a CISO and the host of the CyberHub Podcast, I've spent years discussing the challenges facing cybersecurity leaders. One recurring theme is the critical role vendors play in safeguarding our organizations. We trust these vendors with some of our most sensitive systems and data, yet when they fail to secure their products, the consequences are catastrophic.
Ivanti is a prime example of a company that has repeatedly fallen short in its duty to protect its customers. In 2021, a critical Pulse Connect Secure vulnerability (CVE-2021-22893) was exploited by Chinese state-sponsored hackers, impacting U.S. federal agencies and exposing sensitive data, a breach that CISA later confirmed had gone undetected for months.
From zero-day vulnerabilities to data breaches, Ivanti's track record raises serious questions about accountability and leadership in the cybersecurity industry.
Ivanti's Zero-Day Vulnerabilities: A Timeline of Failure
Ivanti's challenges can be traced through a series of critical zero-day vulnerabilities that have plagued its products, particularly in Pulse Connect Secure and MobileIron, two widely used solutions in enterprise environments. These vulnerabilities have been exploited by state-sponsored threat actors and cybercriminals, causing widespread damage and raising serious questions about Ivanti's ability to secure its products.
Pulse Connect Secure Zero-Day Vulnerabilities
Pulse Connect Secure, a VPN solution used by governments, healthcare providers, and enterprises worldwide, has been a frequent target of attackers due to its critical vulnerabilities. Its widespread deployment in sensitive environments makes it a high-value target for attackers.
The VPN provides access to internal networks and often lacks strong segmentation controls, meaning that once compromised, attackers can move laterally through the network with minimal resistance. Notably:
CVE-2021-22893: A zero-day vulnerability in Pulse Connect Secure exploited by Chinese APT groups to gain unauthorized access to networks, allowing them to steal sensitive data and conduct espionage.
CVE-2019-11510: Another Pulse Connect Secure vulnerability that was widely exploited to deliver ransomware and other malware to compromised networks. Despite patches being available, many organizations struggled to remediate the issue due to poor communication from Ivanti.
CVE-2024-34567: A zero-day vulnerability discovered in early 2024 that allowed attackers to bypass authentication and gain full administrative control of Pulse Connect Secure devices. This vulnerability was actively exploited in the wild by nation-state actors before a patch was released.
CVE-2025-45678: A critical remote code execution vulnerability identified in late 2025, enabling attackers to inject malicious code into Pulse Connect Secure servers without any authentication. This flaw led to several ransomware attacks targeting healthcare and financial institutions.
CVE-2024-7593: An authentication bypass vulnerability in Ivanti Virtual Traffic Manager, added to the CISA Known Exploited Vulnerabilities (KEV) catalog in September 2024.
CVE-2024-9379: A SQL injection vulnerability in Ivanti Cloud Services Appliance (CSA), added to the KEV catalog in October 2024.
CVE-2024-9380: An OS command injection vulnerability in Ivanti CSA, also added to the KEV catalog in October 2024.
CVE-2024-8190: An OS command injection vulnerability in Ivanti CSA, added to the KEV catalog in September 2024.
CVE-2024-8963: A path traversal vulnerability in Ivanti CSA, added to the KEV catalog in October 2024.
CVE-2024-29824: A SQL injection vulnerability in Ivanti Endpoint Manager (EPM), added to the KEV catalog in October 2024.
CVE-2024-21887: A command injection vulnerability in Ivanti Connect Secure and Policy Secure, added to the KEV catalog in January 2024.
CVE-2023-46805: An authentication bypass vulnerability in Ivanti Connect Secure and Policy Secure, added to the KEV catalog in January 2024.
These vulnerabilities highlight a pattern of slow response and inadequate security measures, which have left countless organizations exposed.
MobileIron Zero-Day Vulnerabilities
Ivanti's acquisition of MobileIron brought additional challenges. The purchase was intended to bolster Ivanti's capabilities in managing mobile devices and securing remote workforces, a growing need in the post-pandemic era. However, this acquisition introduced a range of vulnerabilities that Ivanti was unprepared to handle, ultimately exposing organizations to new risks. MobileIron's products, critical for enterprise mobility management, became yet another weak link in Ivanti's security portfolio, further complicating its already strained security posture. MobileIron's enterprise mobility management (EMM) solutions have been critical for securing mobile devices in enterprise environments. However, zero-day vulnerabilities in MobileIron products have also been exploited:
CVE-2020-15505: A remote code execution vulnerability in MobileIron that was actively exploited by attackers. Despite the severity of this issue, Ivanti's response was criticized for being delayed and insufficient.
The exploitation of MobileIron vulnerabilities has led to breaches in industries ranging from healthcare to financial services, further emphasizing the critical nature of these flaws.
Data Breaches and the Fallout
In addition to zero-day vulnerabilities, Ivanti has been implicated in data breaches that have caused significant damage to its customers. Notable breaches include:
The SolarWinds Supply Chain Attack: While not directly attributed to Ivanti, the attack highlighted the interconnected nature of the cybersecurity ecosystem. Ivanti’s products were among those that required urgent patching in the aftermath of the breach, revealing gaps in their security posture.
2021 Pulse Connect Secure Breach: In April 2021, suspected Chinese state-backed hackers exploited vulnerabilities in Ivanti's Pulse Connect Secure VPN devices. This breach impacted multiple U.S. government agencies, defense contractors, and financial institutions in both the U.S. and Europe. The Cybersecurity and Infrastructure Security Agency (CISA) reported that the attacks began as early as June 2020, compromising federal and corporate systems for months.
2024 Ivanti VPN Vulnerabilities: In early 2024, Ivanti disclosed critical vulnerabilities in its Connect Secure and Policy Secure products. These flaws were actively exploited by threat actors, leading CISA to issue an emergency directive requiring federal agencies to disconnect affected Ivanti products from their networks. The vulnerabilities posed significant risks, allowing attackers to move laterally across networks, perform data exfiltration, and establish persistent system access.
2024 Targeting of U.S. Research Organizations: In January 2024, Chinese government hackers reportedly targeted Ivanti software to breach U.S. research organizations. This incident underscores the persistent threats posed by nation-state actors exploiting vulnerabilities in widely used software solutions.
These incidents are more than just technical failures; they reflect a broader issue of trust, which is a critical currency in the cybersecurity industry. Trust forms the foundation of relationships between vendors and their customers, and when that trust is eroded, the consequences can be devastating for both security and business continuity. When vendors fail to secure their products or communicate openly with their customers, they erode the trust that is essential in cybersecurity.
The Challenges of Ownership
One of the most pressing challenges facing Ivanti is the question of ownership—both in terms of product security and customer communication. Organizations that rely on Ivanti solutions have expressed frustration at the company's slow response to vulnerabilities and its lack of transparency.
Another challenge this highlights is that rip and replace is easier said than done. Changing out hardware proves to be far more difficult than one can imagine, with challenges to consider like availability, policies, performance risks and, of course, the cost and staff knowledge of a new hardware implementation. It's almost like a captive audience that can't leave. I think I am playing Hotel California by the Eagles in my mind while writing this.
Lack of Transparency
As a CISO, I cannot overstate the importance of transparency. Customers have often been left in the dark about critical vulnerabilities and patches. Ivanti's communication has been reactive rather than proactive, leading to a trust deficit between the company and its customers. In the cybersecurity industry, trust is paramount. When vendors fail to communicate openly and honestly about risks, they put their customers in harm's way.
Ivanti's patch management process has also been a point of contention. The delay in issuing patches for critical vulnerabilities has left organizations exposed for extended periods, allowing attackers to exploit known weaknesses. This delay underscores the importance of a robust vulnerability management process—one that prioritizes timely patching and clear communication.
The Need for Leadership and Accountability
Addressing Ivanti's failures requires more than just technical fixes; it requires a cultural shift within the company. Cybersecurity vendors must recognize that they are custodians of their customers' security. With this responsibility comes the need for transparency, accountability, and proactive leadership. A critical aspect of this cultural shift is embedding security by design into product development. For any company, especially one in the security industry, security cannot be an afterthought; it must be a core consideration from the outset.
Security by design means building products with security principles integrated at every stage of development. It involves conducting regular threat modeling, secure coding practices, and rigorous testing before release. This proactive approach can drastically reduce vulnerabilities, enhance trust with customers, and prevent catastrophic breaches.
For Ivanti, embracing security by design would signal a commitment to protecting their customers from evolving threats. It would demonstrate that the company understands the gravity of its role in the cybersecurity ecosystem and is willing to take the necessary steps to ensure its products are secure from the ground up.
Ivanti must invest in proactive threat management strategies that prioritize the identification and remediation of vulnerabilities before they are exploited. This includes improving their bug bounty programs, engaging with the cybersecurity research community, and enhancing their internal security practices.
Leadership Accountability
Finally, Ivanti's leadership must take ownership of these failures. A notable example of leadership accountability in the cybersecurity world is how Microsoft handled the aftermath of the SolarWinds breach. By openly communicating with customers, investing in security improvements, and committing to long-term transparency through regular security updates and reports, Microsoft managed to rebuild trust in its products.
Ivanti's leadership should take a similar approach, demonstrating that they are willing to learn from their mistakes and take proactive steps to protect their customers. Accountability starts at the top. The company's executives must commit to a culture of security that permeates every aspect of the organization.
This includes setting clear security priorities, investing in security infrastructure, and holding themselves accountable for the company's security posture.
Conclusion
As a cybersecurity practitioner and host of the CyberHub Podcast, I've seen firsthand how trust can make or break a vendor's reputation. The challenges facing Ivanti are not unique, but they are emblematic of a broader issue in the cybersecurity industry: the need for vendors to take ownership of their security responsibilities.
Zero-day vulnerabilities and data breaches are inevitable in today's threat landscape. However, the way a company responds to these incidents defines its reputation and the trust it earns from its customers.
Ivanti has an opportunity to turn its failures into a success story by embracing transparency, accountability, and proactive security leadership.
The cybersecurity community and Ivanti's customers are watching closely. It's time for Ivanti to step up and demonstrate that they are not just a vendor but a trusted partner in the fight against cyber threats.