Security experts are warning companies to update their Ivanti Connect Secure and Pulse Secure VPN systems following a major rise in suspicious scanning activity. According to cybersecurity firm GreyNoise, there was a ninefold increase in scanning of Ivanti VPN appliances on April 18.
Out of 1,004 unique IP addresses recorded during the scan, 878 were labeled as either “suspicious” or “malicious.” Although no specific vulnerabilities have been officially linked to the scans, GreyNoise said such spikes often occur just before hackers begin to exploit new security flaws.
“These patterns are similar to what we’ve seen ahead of previous vulnerability disclosures,” GreyNoise said in its report. The company recommends that organizations monitor login activity more closely and improve their response plans.
The warning follows a report from Japan’s Computer Emergency Response Team (JPCERT), which confirmed that attackers are actively exploiting a serious zero-day vulnerability in Ivanti Connect Secure. The flaw, tracked as CVE-2025-0282, is being used to spread remote access malware known as DslogdRAT.
JPCERT added that further investigation is needed to determine if these new attacks are connected to earlier intrusions linked to the China-based hacking group UNC5221, which also targeted Ivanti systems.