Critical Ivanti VPN Vulnerability Actively Exploited in the Wild
CISA has issued an emergency directive urging all federal agencies to patch or disconnect Ivanti Connect Secure VPN appliances after a critical zero-day vulnerability (CVE-2026-0178) was discovered under active exploitation.
What Happened
Security researchers at Mandiant identified the vulnerability during an incident response engagement. The flaw allows unauthenticated remote code execution through a specially crafted SAML assertion, giving attackers full control of the VPN gateway.
Impact
- CVSS Score: 10.0 (Critical)
- Affected Versions: Ivanti Connect Secure 22.x through 24.x
- Exploitation: Confirmed active exploitation by APT groups linked to nation-state actors
- Scale: Over 30,000 exposed instances identified via Shodan
Recommended Actions
- Apply the emergency patch released by Ivanti immediately
- Run Ivanti's Integrity Checker Tool (ICT) to detect compromise
- Review VPN logs for anomalous SAML authentication events
- Rotate all credentials that may have traversed the VPN
- Enable enhanced monitoring on VPN gateway endpoints
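As an added illustration of the log-review step above (example code, not part of the advisory or an Ivanti tool), this Python script triages constructed log lines in a hypothetical key=value format, not Ivanti's real log format, and flags SAML authentication events whose issuer is outside the trusted IdP allowlist or that were accepted despite a signature-validation failure.

```python
"""Triage constructed VPN log lines for anomalous SAML authentication events.

The log layout and the field names below are hypothetical (assumed for this
example); map them onto your appliance's actual log format before use.
"""
import re
from typing import Iterable

# Assumed allowlist of identity providers the gateway should trust (hypothetical).
TRUSTED_ISSUERS = {"https://idp.example.com/saml"}

# Constructed sample log lines (not real Ivanti output).
SAMPLE_LOGS = [
    "ts=2026-02-22T08:01:10Z event=saml_auth src=203.0.113.5 "
    "issuer=https://idp.example.com/saml sig=valid result=success user=alice",
    "ts=2026-02-22T08:02:44Z event=saml_auth src=198.51.100.7 "
    "issuer=https://rogue.example.net/saml sig=valid result=success user=admin",
    "ts=2026-02-22T08:03:02Z event=saml_auth src=198.51.100.7 "
    "issuer=https://idp.example.com/saml sig=invalid result=success user=admin",
    "ts=2026-02-22T08:04:00Z event=http_get src=203.0.113.9 path=/login",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Split a key=value log line into a dict (values contain no whitespace)."""
    return dict(KV_RE.findall(line))


def flag_event(fields: dict) -> list[str]:
    """Return the reasons a SAML auth event looks anomalous (empty if none)."""
    if fields.get("event") != "saml_auth":
        return []
    reasons = []
    if fields.get("issuer") not in TRUSTED_ISSUERS:
        reasons.append("untrusted issuer")
    if fields.get("sig") != "valid" and fields.get("result") == "success":
        reasons.append("accepted despite signature failure")
    return reasons


def triage(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Return (timestamp, reasons) for every flagged SAML event, in log order."""
    findings = []
    for line in lines:
        fields = parse(line)
        reasons = flag_event(fields)
        if reasons:
            findings.append((fields.get("ts", "?"), reasons))
    return findings


if __name__ == "__main__":
    for ts, reasons in triage(SAMPLE_LOGS):
        print(ts, "; ".join(reasons))
```

Any hit should be correlated with the ICT result and session records for the same source address before concluding anything; the script only narrows what to look at.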
Timeline
| Date | Event |
|------|-------|
| Feb 18, 2026 | Mandiant discovers vulnerability during IR |
| Feb 20, 2026 | Ivanti notified through coordinated disclosure |
| Feb 23, 2026 | Emergency patch released |
| Feb 24, 2026 | CISA issues Emergency Directive ED-26-02 |
Organizations should treat this as a high-priority patching event and validate that their Ivanti appliances are not already compromised before applying the patch.