9 New Ivanti CVEs Across 4 Products On May 6. Storm-2561 Has the Pattern. The Clock Started Yesterday.
Patrick Duggan
May 7, 2026 · DugganUSA LLC
Ivanti released a security advisory yesterday, May 6, 2026, covering nine vulnerabilities across four product lines: Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti Secure Access Client (ISAC), and Ivanti Cloud Services Application (CSA). The combined impact, as the advisory describes it: privilege escalation, arbitrary file reads and writes, and remote code execution. The cumulative ceiling is full system control by an unauthenticated remote attacker.
Per Ivanti's own disclosure, none of these CVEs are known to be actively exploited in the wild as of yesterday's advisory. That qualifier is the most important word in the sentence and it has a shelf life. The Ivanti track record for the past 24 months is unambiguous: advisory-to-active-exploitation has been measured in weeks, not months, on every comparable disclosure.
This post is the patch-now-while-the-window-is-still-open call. The receipts are below.
The Track Record
Three recent Ivanti CVE arcs, each measured from advisory to confirmed in-the-wild exploitation:
CVE-2025-0282 / CVE-2025-0283 (Ivanti Connect Secure, January 8, 2025 advisory). Mandiant identified zero-day exploitation as having begun mid-December 2024 — the exploitation actually preceded the disclosure by approximately three weeks. UNC5221, a China-nexus espionage actor, was the named operator. The advisory window was retroactive; the patch landed into an already-active campaign.
CVE-2025-22457 (Ivanti Connect Secure, April 2025 advisory). Confirmed exploitation by a China-linked espionage actor since mid-March 2025 — patch lagged active exploitation by approximately three weeks, again. Stack-based buffer overflow with a similar exploitation profile.
CVE-2026-1281 / CVE-2026-1340 (Ivanti EPMM, January 30, 2026 advisory). Pre-auth RCE on Endpoint Manager Mobile. Active exploitation observed within hours of the advisory landing; CISA mandatory remediation deadline February 1, 2026, two days after disclosure. The Shadowserver Foundation logged a spike in CVE-2026-1281 exploitation attempts in the 24 hours after public disclosure.
The consistent shape: Ivanti disclosure timing has run weeks behind active exploitation in the recent past, and where it has run ahead of it, the gap has closed within 24-72 hours of public availability of CVE details.
The May 6, 2026 advisory is the start of one of those clocks.
What Ivanti Disclosed Yesterday
The advisory covers nine CVEs across the four product lines. Ivanti's own published severity range runs from medium to critical. The exploitation paths described in the advisory include:
Privilege escalation — local-attacker pathways to gain root or administrative privilege on the appliance from a low-privilege starting context.
Arbitrary file reads — unauthenticated or low-privilege pathways to read configuration files, credential stores, session tokens, or other sensitive on-disk artifacts.
Arbitrary file writes — write-primitive pathways that, in combination with file-read primitives, enable web-shell deployment, configuration tampering, and persistence.
Code execution — both authenticated and (per the advisory) some unauthenticated paths that allow arbitrary code execution at varying privilege levels.
The cumulative-impact statement from Ivanti's own advisory: "Exploitation of one or more of these vulnerabilities could allow a remote attacker to gain full control of affected systems."
Ivanti recommends upgrading to the latest available versions of the affected products. The advisory's own published version-matrix should be your patch-target reference; cross-check your deployed versions against it for each of the four product lines.
Storm-2561
Microsoft tracks a threat actor cluster as Storm-2561 with a documented history of targeting Ivanti edge appliances. The cluster name appears in our adversaries index alongside CVE-2026-1603 and known infrastructure (193.24.123.42 is one of the IPs cross-correlated to Storm-2561 from our STIX-ingest pipeline).
Storm-2561's operational pattern has been:
Wait for Ivanti CVE disclosure
Reverse-engineer the advisory or harvest public PoC from disclosure-day forums
Scan internet-exposed Ivanti appliances within 24-72 hours of disclosure
Drop persistence on vulnerable instances
Pivot from the appliance into the network it fronts
We do not yet have public IOCs for the May 6 CVE set. The cluster's historical timing says we will have them within a week. The right posture between now and then is patch-and-hunt, in that order.
The Hunt-While-You-Patch Posture
Patching is the immediate priority. The hunt-back is the secondary priority, applicable to organizations that have run vulnerable Ivanti versions in the past quarter.
Three forensic patterns from prior Ivanti compromise campaigns that are worth running against the past 30-90 days of telemetry, regardless of whether you have specific IOCs for the May 6 CVEs yet:
Pattern one: web-shell artifacts in Ivanti Connect Secure runtime paths. Prior compromises have placed web shells in /home/runtime, /tmp, and various /var/lib paths on the appliance. The artifacts are typically PHP or compiled binaries with non-standard timestamps relative to the surrounding files. From the Ivanti CLI or via a compromise-assessment ticket with Ivanti support, audit those paths for files that do not match the expected install-time inventory.
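One way to run pattern one as a repeatable check, as an added example that is not code from the original post or from Ivanti: collect a file inventory (path, mtime, SHA-256) from the appliance, diff it against an install-time baseline, and flag files that are missing from the baseline, whose hash changed, or whose mtime is far from the other baseline-known files in the same directory. The pipe-separated listing format, the file names under /home/runtime, and the seven-day outlier threshold are assumptions; the sample inventories are constructed for the demo.

```python
"""Hunt for web-shell artifacts in Ivanti Connect Secure runtime paths.

Added example (not from the original post or from Ivanti). Compares a
current file inventory against an install-time baseline and flags files that
are absent from the baseline, whose hash changed, or whose mtime deviates
from the other baseline-known files in the same directory. The listing
format and file names are assumptions; the sample data is constructed.
"""
from dataclasses import dataclass
from statistics import median

# Directories prior compromises used for web shells (named in the post).
WATCH_PATHS = ("/home/runtime/", "/tmp/", "/var/lib/")


@dataclass(frozen=True)
class FileRecord:
    path: str
    mtime: int      # seconds since the epoch
    sha256: str


def parse_listing(text):
    """Parse 'path|mtime|sha256' lines (assumed collection format)."""
    records = []
    for line in text.strip().splitlines():
        path, mtime, digest = line.split("|")
        records.append(FileRecord(path, int(mtime), digest))
    return records


def directory_of(path):
    return path.rsplit("/", 1)[0] or "/"


def find_artifacts(baseline, current, outlier_seconds=7 * 86400):
    """Return (reason, path) findings for files outside the install-time inventory."""
    known = {r.path: r.sha256 for r in baseline}
    # Per-directory reference mtimes, taken only from files the baseline knows
    # about, so a dropped shell cannot skew its own directory's reference point.
    reference = {}
    for r in current:
        if r.path in known:
            reference.setdefault(directory_of(r.path), []).append(r.mtime)
    findings = []
    for r in current:
        if not r.path.startswith(WATCH_PATHS):
            continue
        if r.path not in known:
            findings.append(("not-in-baseline", r.path))
        elif known[r.path] != r.sha256:
            findings.append(("hash-changed", r.path))
        ref = reference.get(directory_of(r.path))
        if ref and abs(r.mtime - median(ref)) > outlier_seconds:
            findings.append(("mtime-outlier", r.path))
    return findings


# Constructed sample: install-time inventory versus what the appliance shows now.
BASELINE_LISTING = """
/home/runtime/htdocs/index.cgi|1700000000|a1
/home/runtime/htdocs/login.cgi|1700000100|b2
/home/runtime/htdocs/logout.cgi|1700000200|c3
/var/lib/cache.db|1700000000|d4
"""

CURRENT_LISTING = """
/home/runtime/htdocs/index.cgi|1700000000|a1
/home/runtime/htdocs/login.cgi|1700000100|ff
/home/runtime/htdocs/logout.cgi|1700000200|c3
/home/runtime/htdocs/cache.php|1777000000|e5
/var/lib/cache.db|1700000000|d4
"""


def run_demo():
    return find_artifacts(parse_listing(BASELINE_LISTING), parse_listing(CURRENT_LISTING))


if __name__ == "__main__":
    for reason, path in run_demo():
        print(f"{reason:16} {path}")
```

The demo flags the modified login.cgi (hash changed) and the dropped cache.php (not in the baseline and timestamped years away from its neighbours). The reference mtime is computed from baseline-known files only, so a single new file cannot hide by shifting the directory's median.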
Pattern two: anomalous outbound from the appliance. The Connect Secure VPN appliance has a well-defined egress pattern in normal operation: management updates, license server, telemetry. Anything outside that pattern — particularly long-lived TLS connections to non-vendor IP space, or HTTP requests to commodity hosting providers — is a high-confidence compromise tell. Pull 30-90 days of egress NetFlow / firewall logs filtered to the appliance's source IP and look for anything that doesn't match the steady-state baseline.
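Pattern two as a script, added here as an example and not code from the original post or from Ivanti: take firewall or NetFlow export lines already filtered to the appliance's source IP, drop everything destined for the known vendor and internal baseline, and label the rest, with long-lived TLS to non-vendor space and plain HTTP called out as the higher-confidence tells. The CSV column order, the appliance IP, the baseline prefixes (RFC 5737 documentation ranges standing in for real vendor space) and the 600-second long-lived threshold are assumptions; the sample flows are constructed.

```python
"""Flag Ivanti appliance egress that falls outside its steady-state baseline.

Added example, not from the original post or from Ivanti. Column order,
appliance IP, baseline prefixes and thresholds are assumptions; sample flows
are constructed.
"""
import ipaddress

APPLIANCE_IP = ipaddress.ip_address("192.0.2.10")   # assumed appliance address

# Assumed steady-state egress: vendor update/license/telemetry prefixes plus the
# protected internal network the appliance fronts. Replace with your own.
BASELINE_EGRESS = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",    # stand-in for vendor update/license space
    "198.51.100.0/25",   # stand-in for vendor telemetry space
    "10.0.0.0/8",        # protected network behind the appliance
)]
LONG_LIVED_SECONDS = 600  # TLS sessions at least this long are beacon/tunnel candidates


def parse_flow(line):
    """Assumed export format: ts,src,dst,dport,proto,duration_s,bytes"""
    ts, src, dst, dport, proto, duration, nbytes = line.split(",")
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto, "duration": int(duration), "bytes": int(nbytes)}


def in_baseline(addr):
    return any(addr in net for net in BASELINE_EGRESS)


def classify(flow):
    """Return None for expected traffic, otherwise a finding label."""
    if flow["src"] != APPLIANCE_IP or in_baseline(flow["dst"]):
        return None
    if flow["dport"] == 443 and flow["duration"] >= LONG_LIVED_SECONDS:
        return "long-lived-tls-to-non-vendor"
    if flow["dport"] == 80:
        return "plain-http-egress"
    return "egress-outside-baseline"


def hunt(lines):
    """Return (label, dst, dport, duration) for every flow that is not baseline."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings.append((label, str(flow["dst"]), flow["dport"], flow["duration"]))
    return findings


# Constructed sample flows for the demo.
SAMPLE_FLOWS = [
    "2026-05-01T02:14:05Z,192.0.2.10,203.0.113.25,443,tcp,12,4821",       # license check: baseline
    "2026-05-01T03:00:00Z,192.0.2.10,10.20.0.5,389,tcp,3,900",            # LDAP into the protected network
    "2026-05-01T03:07:41Z,192.0.2.10,198.51.100.200,443,tcp,7200,38111",  # two-hour TLS to non-vendor space
    "2026-05-01T04:15:09Z,192.0.2.10,192.0.2.77,80,tcp,1,512",            # plain HTTP out of the appliance
    "2026-05-01T05:00:00Z,192.0.2.44,198.51.100.200,443,tcp,7200,1",      # different source host: ignored
    "2026-05-01T06:00:00Z,192.0.2.10,198.51.100.201,22,tcp,5,300",        # SSH to an unknown host
]


def run_demo():
    return hunt(SAMPLE_FLOWS)


if __name__ == "__main__":
    for label, dst, dport, duration in run_demo():
        print(f"{label:30} {dst}:{dport} ({duration}s)")
```

Build the baseline from a clean period of the appliance's own history rather than from a vendor list alone; the point is that the appliance's legitimate egress set is small and stable, so anything new is worth a look even when it does not hit the two high-confidence labels.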
Pattern three: SAML token / session anomalies. Ivanti Connect Secure handles SAML tokens for federated authentication into the protected network. Compromised appliances have been used to mint SAML tokens for arbitrary identities, providing the operator with persistent post-exploit access even after the appliance itself is patched. Pull SAML authentication logs for the past 30-90 days and look for tokens issued for service principals or admin accounts that don't have a matching legitimate authentication event preceding them.
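Pattern three as a correlation pass, added here as an example and not code from the original post or from Ivanti: walk a normalised authentication log in time order, remember the most recent successful login per identity, and flag every SAML assertion issued for an identity with no successful authentication within the preceding window, marking service principals and admin accounts as privileged. The event names, the key=value log shape, the eight-hour window and the privileged-name rule are assumptions; the log lines are constructed.

```python
"""Find SAML assertions with no preceding authentication for the same identity.

Added example, not code from the original post or from Ivanti. Event names,
log shape, window and privileged-name rule are assumptions; the log lines
are constructed.
"""
from datetime import datetime, timedelta

AUTH_EVENT = "AUTH_SUCCESS"              # assumed name of the user-login event
ISSUE_EVENT = "SAML_ASSERTION_ISSUED"    # assumed name of the token-issuance event
MAX_AUTH_AGE = timedelta(hours=8)        # assumed: tokens minted later than this need a fresh login


def parse_event(line):
    """Assumed shape: '<ISO-8601 ts> <EVENT> key=value ...'"""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "event": event, **fields}


def is_privileged(user):
    # Assumed naming convention: 'admin*' accounts and 'svc-*' service principals.
    return user.startswith("admin") or user.startswith("svc-")


def find_orphan_assertions(lines, max_auth_age=MAX_AUTH_AGE):
    """Return assertions issued without a fresh authentication for that identity."""
    events = sorted((parse_event(line) for line in lines if line.strip()), key=lambda e: e["ts"])
    last_auth = {}
    findings = []
    for e in events:
        if e["event"] == AUTH_EVENT:
            last_auth[e["user"]] = e["ts"]
        elif e["event"] == ISSUE_EVENT:
            prior = last_auth.get(e["user"])
            if prior is None or e["ts"] - prior > max_auth_age:
                findings.append({
                    "ts": e["ts"].isoformat(),
                    "user": e["user"],
                    "sp": e.get("sp", "?"),
                    "privileged": is_privileged(e["user"]),
                    "reason": "no-prior-auth" if prior is None else "auth-too-old",
                })
    return findings


# Constructed log lines for the demo.
SAMPLE_LOG = [
    "2026-04-20T08:00:00Z AUTH_SUCCESS user=jsmith src=198.51.100.10",
    "2026-04-20T08:00:05Z SAML_ASSERTION_ISSUED user=jsmith sp=mail",        # normal: login 5s earlier
    "2026-04-20T23:30:00Z SAML_ASSERTION_ISSUED user=jsmith sp=mail",        # 15.5h after the last login
    "2026-04-21T02:11:09Z SAML_ASSERTION_ISSUED user=svc-backup sp=fileshare",  # service principal, no login at all
    "2026-04-21T02:12:40Z SAML_ASSERTION_ISSUED user=admin sp=console",      # admin token with no login
    "2026-04-21T09:00:00Z AUTH_SUCCESS user=admin src=10.20.0.9",
    "2026-04-21T09:00:03Z SAML_ASSERTION_ISSUED user=admin sp=console",      # normal: login 3s earlier
]


def run_demo():
    return find_orphan_assertions(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_demo():
        flag = "PRIV " if f["privileged"] else "     "
        print(f"{flag}{f['ts']} {f['user']:12} sp={f['sp']:10} {f['reason']}")
```

Sort the privileged findings to the top of your review: a service-principal or admin assertion with no login behind it is exactly the post-exploit persistence the post describes, and it survives patching the appliance.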
If any of those three patterns light up, you are in assume-breach mode for the Ivanti appliance and the network it fronts.
What's Different This Time
Two factors make this advisory cycle distinct from the recent Ivanti pattern:
Ivanti got ahead of exploitation publicly. Per the advisory's own language, no active exploitation is known as of disclosure. This is the inverse of CVE-2025-0282, where exploitation preceded disclosure by weeks. If Ivanti's intelligence is correct and the disclosure is genuinely ahead of operator awareness, defenders have a window — likely measured in days to a week — that the historical pattern did not provide.
Nine CVEs across four products is a lot of attack surface for an operator to triage. Storm-2561 (and similar clusters: APT41-adjacent, UNC5221) will need to choose which CVEs to weaponize first. The first weaponized CVE in the cluster is typically the one with the lowest exploitation complexity and the highest privilege payoff. Reading the Ivanti advisory with that profile in mind gives you a patch order: the CVEs you should patch first are the ones the operators will weaponize first.
Summary For The Patch-Window Person
Three actions, in order:
Inventory. Pull every running version of Ivanti Connect Secure, Policy Secure, Secure Access Client, and Cloud Services Application across your fleet. Cross-reference against the version matrix in the May 6 advisory.
Patch. Schedule maintenance windows for the affected appliances. The exploitation clock starts at disclosure; every day of unpatched exposure increases the likelihood of compromise.
Hunt back 30-90 days. Web-shell artifacts in runtime paths, anomalous appliance egress, SAML-token anomalies. If you find any, you are in assume-breach mode for the network behind that appliance, regardless of whether you patch tonight.
The Storm-2561 cluster has the operational pattern. The May 6 advisory just started the next cycle. Patch before the public PoCs land and before the exploitation telemetry begins to confirm the pattern again.
Receipts
Ivanti Security Advisory (May 6, 2026): hub.ivanti.com — covers nine CVEs across ICS, IPS, ISAC, CSA
Kudelski Security Research analysis: kudelskisecurity.com/research/ivanti-ics-ips-isac-csa-multiple-vulnerabilities-disclosed-and-patched
Storm-2561 cluster (Microsoft naming): documented in our adversaries index alongside cross-correlated IP 193.24.123.42 and CVE-2026-1603
Track-record references:
Our STIX feed: analytics.dugganusa.com/api/v1/stix-feed
— Patrick Duggan, DugganUSA LLC, Minneapolis
Aye.