Ivanti VPNs See Major Surge in Scanning Activity

A sharp increase in scanning activity targeting Ivanti’s Connect Secure and Pulse Secure VPNs is raising concerns among security researchers, reports The Register. According to GreyNoise, the volume of unique IP addresses scanning Ivanti systems jumped by 800 percent on April 18, a pattern often associated with early reconnaissance ahead of new vulnerability disclosures or exploitation attempts. This spike concentrated nearly a quarter of the total scanning activity recorded over the past three months into a single day.

The broader context around Ivanti highlights why these scans are being closely watched. Connect Secure has faced repeated attacks over the past two years, with zero-day vulnerabilities exploited by threat actors, including state-linked groups. In January 2025, two new vulnerabilities were discovered, with active exploitation confirmed even before public disclosure. This history of exposure makes Ivanti VPNs a consistent target for attackers seeking to compromise enterprise remote access infrastructure.

While there are no confirmed new vulnerabilities tied to the current surge, GreyNoise categorized a large portion of the scanning IPs as suspicious or malicious. The firm advises organizations to monitor their VPN endpoints closely, apply the latest patches, and investigate any unusual login attempts. Ivanti has reiterated that customers should move away from older, unsupported versions like Pulse Secure and Connect Secure 9.1 Rx to reduce risk.

Given the timing and scale of the activity, organizations relying on Ivanti remote access solutions should remain cautious. Past incidents have shown that early reconnaissance can quickly escalate into widespread exploitation. Until more information becomes available, maintaining strong patching hygiene and monitoring for signs of compromise remain critical defensive steps.