One Russian IP Block Is Behind 83% of Ivanti Connect Secure Exploitation. Here's the Address.
- Patrick Duggan
193.24.123.42.
PROSPERO OOO. Autonomous System 200593. Saint Petersburg, Russia.
That single IP block is responsible for 83% of the active exploitation traffic we've observed against Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Not 83% of all Ivanti traffic. Eighty-three percent of the malicious exploitation attempts, concentrated in one Russian commercial hosting provider.
CISA added CVE-2025-22457 and CVE-2025-0282 to the Known Exploited Vulnerabilities catalog. Both affect Ivanti Connect Secure and Policy Secure. Both are being actively exploited. Most of that exploitation is coming from one place.
PROSPERO OOO (OOO is the Russian equivalent of LLC) operates AS200593, a Saint Petersburg-based commercial hosting provider that security researchers have documented as bulletproof-adjacent — meaning it hosts customers that other providers have kicked off, maintains relationships that make takedown requests slow or unresponsive, and provides the kind of stable, cheap, Russia-jurisdiction infrastructure that threat actors prefer for sustained exploitation campaigns.
This isn't espionage infrastructure masquerading as legitimate business. PROSPERO OOO is a commercial provider. The distinction matters because it means the exploitation traffic isn't coming from purpose-built nation-state infrastructure — it's rented. That's a different operational pattern than what we see from GRU or SVR infrastructure, which tends to be more distributed and more disposable.
Rented, stable, concentrated exploitation infrastructure points to either a single threat actor running a sustained campaign, or a service provider selling access to Ivanti exploitation as a capability. Either interpretation is bad.
CVE-2025-0282 is a stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CVSS 9.0. Pre-authentication remote code execution. Ivanti patched it in January 2025. It's been in CISA KEV since then, and exploitation didn't stop when the patch dropped — it escalated as organizations slow to patch became the remaining target population.
CVE-2025-22457 is an authentication bypass. Also affects Connect Secure, Policy Secure, and ZTA. CISA added it in 2025. Together, these two CVEs give an attacker unauthenticated remote code execution on Ivanti VPN infrastructure — the component that sits at the perimeter, handles all remote access, and by design has connectivity to everything behind it.
A compromised Ivanti Connect Secure instance is a compromised VPN concentrator. Every remote session, every credential, every internal resource the VPN provides access to — all visible to whoever owns the box.
When 83% of exploitation traffic for a given vulnerability comes from one address block, you have actionable intelligence. This isn't the "block everything from Russia" conversation — that's too broad to be useful and too blunt to be operationally sound. This is a specific AS, a specific operator, and a specific exploitation pattern.
Block AS200593 at your perimeter. Not as a political statement. As a threat response to observed, concentrated, active exploitation of two CVEs that are actively pwning Ivanti deployments.
If you're already patched on CVE-2025-22457 and CVE-2025-0282, good. But patching the vulnerability doesn't help if 193.24.123.42 has already been in your network. Check your Ivanti logs for authentication attempts, session creation events, and any unusual admin activity going back to when these CVEs first became public.
Ivanti Connect Secure has had a rough two years. CVE-2023-46805, CVE-2024-21887, CVE-2025-0282, CVE-2025-22457 — each one a high-severity vulnerability in the same product, each one exploited in the wild before most organizations patched.
This isn't bad luck. Ivanti Connect Secure sits at the perimeter, handles authentication, and runs on appliance hardware that's harder to monitor than a standard server. It's a high-value target and historically an under-monitored one. Threat actors have noticed.
The 83% concentration from PROSPERO OOO suggests someone has industrialized exploitation of the current CVE pair. That's what exploitation-as-a-service looks like from the victim side: not a distributed global scanner spray, but a concentrated, professional operation running systematic exploitation from stable infrastructure.
- Patch CVE-2025-22457 and CVE-2025-0282 if you haven't.
- Block 193.24.123.42 and AS200593 at your perimeter firewall.
- Pull the Ivanti IOC set from our STIX feed at analytics.dugganusa.com — CVE-2025-0282 exploitation IPs, certificate hashes from the exploitation infrastructure, and the full PROSPERO OOO indicator set.
Free. No registration required for the feed. No excuse for letting this one through.
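To make the blocking, log-review and STIX-feed steps above concrete, here is an added Python example. It is not the author's code and does not reproduce the layout of the analytics.dugganusa.com feed, which the post does not show. It parses a constructed STIX 2.1 bundle for IPv4 indicators, checks a constructed access-log excerpt for authentication, session and admin events from those sources, and renders one firewall drop rule per indicator. Only 193.24.123.42 comes from the post; the 203.0.113.0/24 prefix, the key=value log format and the event names are assumptions, and the real prefixes announced by AS200593 must come from your own BGP or whois data.

```python
"""Triage access logs against IPv4 indicators from a STIX 2.1 bundle and
emit perimeter block rules. Added example; not the post author's code."""
import ipaddress
import json
import re

# Constructed STIX 2.1 bundle. The pattern syntax is standard STIX; the
# objects themselves are invented for this example.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '193.24.123.42']",
         "labels": ["CVE-2025-0282", "CVE-2025-22457"]},
        # Hypothetical prefix (TEST-NET-3) standing in for an AS200593 route.
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.0/24']",
         "labels": ["hypothetical-prefix"]},
        # Non-IP indicator: the IP extractor must skip it.
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = 'PLACEHOLDER_HASH']",
         "labels": ["placeholder"]},
    ],
})

# Constructed log excerpt in a generic key=value shape. Real Ivanti Connect
# Secure exports look different, so adapt LOG_LINE to your format.
SAMPLE_LOG = """\
2025-04-05T02:14:07Z src=193.24.123.42 event=AUTH_FAILURE user=admin
2025-04-05T02:14:09Z src=193.24.123.42 event=SESSION_START user=svc-vpn
2025-04-05T02:15:00Z src=198.51.100.7 event=SESSION_START user=jdoe
2025-04-05T02:16:30Z src=203.0.113.9 event=ADMIN_CONFIG_CHANGE user=admin
2025-04-05T02:17:02Z src=198.51.100.7 event=SESSION_END user=jdoe
"""

IP_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([0-9./]+)'")
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+event=(?P<event>\S+)\s+user=(?P<user>\S+)")
# Event name prefixes the post says to review: auth attempts, session
# creation, admin activity.
HIGH_PRIORITY = ("AUTH_", "SESSION_START", "ADMIN_")


def load_ip_indicators(bundle_json):
    """Return IPv4 networks from every indicator pattern, feed order, deduplicated."""
    nets = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for value in IP_PATTERN.findall(obj.get("pattern", "")):
            net = ipaddress.ip_network(value, strict=False)  # bare IP becomes /32
            nets.setdefault(str(net), net)
    return list(nets.values())


def match_indicator(ip_text, networks):
    """Return the first indicator network containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return net
    return None


def triage(log_text, networks):
    """Return every parsed event whose source address is inside an indicator network."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-attribute
        net = match_indicator(m["src"], networks)
        if net is None:
            continue
        event = m["event"]
        hits.append({
            "ts": m["ts"], "src": m["src"], "event": event, "user": m["user"],
            "matched": str(net),
            "priority": "high" if event.startswith(HIGH_PRIORITY) else "info",
        })
    return hits


def block_rules(networks):
    """Render one iptables DROP rule per indicator network (/32 for single hosts)."""
    return [f"iptables -I INPUT -s {net} -j DROP" for net in networks]


if __name__ == "__main__":
    nets = load_ip_indicators(SAMPLE_BUNDLE)
    for hit in triage(SAMPLE_LOG, nets):
        print(hit)
    print("\n".join(block_rules(nets)))
```

The indicator set is kept as `ipaddress` network objects so a bare host like 193.24.123.42 and a whole prefix are matched the same way; feeding it the prefixes actually announced by AS200593 turns the same matcher into the AS-level block the post recommends.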