Ivanti Connect Secure Incident Response Investigation: From exploitation to evidence collection

The exploitation of Ivanti vulnerabilities can be traced back to research presented by Orange Tsai and Meh Chang at Black Hat USA 2019. Their blog, “Infiltrating Corporate Intranet Like NSA”, demonstrated pre-auth Remote Code Execution (RCE) exploit chains targeting leading SSL VPNs including Pulse Secure (now Ivanti Connect Secure). This groundbreaking research exposed fundamental security flaws in enterprise SSL VPN solutions that corporations trust to protect their most critical assets.

In this blog post, we will explore the evolution of Ivanti Connect Secure vulnerabilities, from the initial research that sparked widespread exploitation to the latest CVE-2025-0282 and provide detailed step-by-step forensic investigation techniques for security teams dealing with potentially compromised appliances.

Why is Ivanti Connect Secure forensic investigation so challenging?

Performing forensic investigations on Ivanti Connect Secure devices is a very challenging incident response engagement, as it requires specialized techniques to overcome the appliances’ hardened architecture and encrypted storage design. Modern Ivanti Connect Secure versions implement Full-Disk Encryption (FDE) for data-at-rest using Linux Unified Key Setup (LUKS), which prevents traditional forensic imaging approaches.

The investigation process involves bypassing security controls implemented by Ivanti, extracting encrypted filesystems, and decrypting evidence using specialized tools and techniques. This can be achieved using various methods, including LILO bootloader exploitation, GRUB recovery access, and Integrity Checker Tool (ICT) snapshot analysis.

Forensic investigation of Ivanti devices can be particularly effective in detecting sophisticated attacks where threat actors have deployed custom web shells, modified system configurations, or established persistent access mechanisms. In these cases, the investigation will often reveal evidence of command-and-control (C2) communications, lateral movement activities, and data exfiltration attempts. By extracting and analyzing encrypted filesystems, it may be possible to identify the full scope of compromise and reconstruct attack timelines.

Why are Ivanti Connect Secure forensic investigations required?

With a surge in sophisticated attacks against SSL VPN appliances — underscored by recent high-severity vulnerabilities like CVE-2025-0282 and CVE-2024-22024 — Ivanti Connect Secure devices have become prime targets. As critical gateways to corporate networks, VPN appliances hold elevated trust and broad access, making them invaluable to attackers seeking initial footholds, lateral movement, and data exfiltration. Detailed investigation is essential not only to uncover possible hidden web shells and configuration tampering but also to map C2 communications, trace lateral jumps, and reconstruct breach timelines before threat actors leverage the VPN’s privileged position to compromise further within the enterprise.

Example: CVE-2025-0282 Stack-Based Buffer Overflow

One notable example of a vulnerability that requires comprehensive forensic investigation is the CVE-2025-0282 stack-based buffer overflow in Ivanti Connect Secure appliances. This vulnerability was discovered and publicly analyzed by watchTowr Labs in their detailed exploitation walkthrough, which highlighted the unsafe use of strncpy() when processing the clientCapabilities parameter, resulting in out-of-bounds writes and unauthenticated Remote Code Execution (RCE).

The flaw exists in the ‘/home/bin/web’ binary and can be triggered during Ivanti’s proprietary IF-T connection handling, a custom transport mechanism used by the appliance to manage VPN and web-based client communications prior to full session establishment. Because IF-T operates before user authentication and processes complex, client-supplied capability data, it represents a high-risk attack surface. WatchTowr Labs documented advanced exploitation techniques required for reliable code execution, including VTable hijacking, stack pivoting, ASLR bypass, and Return-Oriented Programming (ROP) chains.

Example: CVE-2024-22024 XML External Entity Injection

Another critical vulnerability discovered by watchTowr Labs is CVE-2024-22024, an XML External Entity (XXE) injection in SAML components. This issue was introduced during Ivanti’s previous remediation for SSRF vulnerabilities and affects multiple SAML endpoints, enabling remote file retrieval and potential server-side request forgery.

Recent exploitation trends

Further recent research by Northwave Security and Volexity has uncovered additional critical vulnerabilities and exploitation artifacts:

• CVE-2023-46805: Authentication bypass in web components, discovered by Volexity during threat hunting operations.
• CVE-2024-21887: Command injection for authenticated administrators, actively exploited by APT groups to deploy web shells such as GIFTEDVISITOR across global enterprise networks.

Possible working forensic investigations methods

Method 1: LILO-based appliance forensic methodology 

LILO (Linux loader) is one of the earliest boot loader used on Linux systems. Before GRUB became the standard in most Linux distributions, LILO was widely used as a conventional bootloader.

The following are the specific detailed steps that can be used to conduct forensic investigations of Ivanti Connect Secure appliances that utilize the legacy LILO bootloader as part of their startup and protection mechanisms:

Prerequisites and preparation

• Hardware requirements: Serial console access via rollover RJ45 connector, network connectivity for evidence exfiltration.
• Software requirements: QEMU (Quick Emulator, an open-source virtualization tool) for disk virtualization (if working with imaged disks), netcat for network data transfer. Netcat (often abbreviated as nc) is a powerful command-line networking utility used to read and write data across network connections using TCP or UDP protocols. It is widely known as the “Swiss Army knife” of networking because of how versatile and lightweight it is.
• Network setup: Separate forensic collection host on IP 192.168.0.1, target appliance configured on IP 192.168.0.2.

Step 1: System preparation and access

For live system analysis, connect the serial console using a rollover RJ45 connector.

If the hard disk of the Ivanti ICS has been imaged, the imaged disks can be virtualized by using QEMU using the following command:

qemu-system-x86_64 -serial stdio -device ich9-ahci,id=ahci -drive file=ivanti-backup.img,id=disk,if=none -device ide-hd,drive=disk,bus=ahci.0

Step 2: Bootloader exploitation

At the LILO prompt, bypass the hardcoded blocklist and boot with shell access:

current init=//bin/sh debug verbose=5

The double slash (//) is critical as it bypasses the hard coded security restrictions implemented in the bootloader. This results in root‑level shell access within the early userspace of the active system image, prior to normal security controls being enforced. At this stage, the encrypted partitions are not yet automatically mounted, but the shell has sufficient privileges to load kernel modules, initialize networking, and manually access or extract encrypted block devices for forensic analysis. 

Step 3: Network driver initialization

Load the appropriate network interface driver for your appliance hardware:

/sbin/insmod/$kernel-version/modules/igb.ko
Replace $kernel-version with the actual kernel version identified during boot process.

Step 4: Network interface configuration

Configure the internal network interface of the Ivanti Connect Secure appliance (typically eth1 corresponds to the interface labeled int):

/sbin/ifconfig eth1 192.168.0.2 netmask 255.255.255.0

Step 5: Collection host preparation

On your forensic collection host with IP 192.168.0.1, start a netcat listener to receive a raw byte-for-byte copy of the encrypted block device (partition image) streamed from the Ivanti Connect Secure appliance: 

nc -lvnp 4444 > encrypted_filesystem.img  

The switches lvnp stands for:
•    l = Listen mode
•    v = Verbose output
•    n = Numeric address only (Skip DNS resolution)
•    p = Port number

Step 6: Proc filesystem mounting

Mount the proc filesystem to access system information:
mount -t proc none /proc

Step 7: Loop device identification

Identify available loop devices that may contain the encrypted partitions:

grep loop /proc/partitions

This command will show available loop devices (e.g., loop6, loop7).  A loop device is a Linux mechanism that maps a file, or a disk-backed region, to a virtual block device (e.g., /dev/loop6). This allows the operating system to treat encrypted partitions, disk images, or filesystem containers as if they were physical disks, enabling low-level operations such as imaging, mounting (after decryption), and forensic analysis.

Step 8: Encrypted partition extraction

Extract the identified encrypted partition (e.g., loop6, loop7) over the network:

dd if=/dev/loop6 bs=1M > /dev/tcp/192.168.0.1/4444

Step 9: Additional partition mapping

For comprehensive forensic analysis, extract additional partitions using the command losetup. The losetup command is used to configure, attach, detach, and inspect Linux loop devices. In forensic workflows, it allows investigators to manually associate specific disk partitions or offsets with loop devices, enabling controlled access to encrypted or non-standard filesystem layouts for extraction and analysis. In our case the partitions were mapped as follows:

losetup /dev/loop20 /dev/sda6  # Current kernel root
losetup /dev/loop21 /dev/sda7  # Current kernel usr
losetup /dev/loop22 /dev/sda12 # Current kernel home
losetup /dev/loop23 /dev/sda8  # Rollback kernel root
losetup /dev/loop24 /dev/sda9  # Rollback kernel usr
losetup /dev/loop25 /dev/sda13 # Rollback kernel home

Ivanti decryption methodology

Northwave researchers described how Ivanti Connect Secure encrypts each disk sector using a single secret key. For each sector, it creates an initialization value by taking the corresponding sector number and adding eight zero bytes. To decrypt the data, it first mixes the encrypted data with the decrypted initialization value, then decrypts it using the AES algorithm, and finally mixes the result again with the initialization value. Each sector can be decrypted on its own, so investigators can read the data one sector at a time if they have the key. The logical implementation as described by Northwave researchers is provided below:

from Crypto.Cipher import AES

def xor(s1, s2):
    return bytes([c1 ^ c2 for c1, c2 in zip(s1, s2)])

def ivanti_decrypt(key, sector, data):
    cipher = AES.new(key=key, mode=AES.MODE_ECB)
    
    def decrypt_block(iv):
        pre_iv = cipher.decrypt(iv)
        for i in range(0, len(data), 16):
            ciphertext = xor(data[i:i+16], pre_iv)
            plaintext = cipher.decrypt(ciphertext)
            yield xor(plaintext, iv)
            iv = ciphertext
    
    iv = sector.to_bytes(length=16, byteorder='little')
    return b''.join(decrypt_block(iv))

Decrypting the extracted partitions

Once the filesystem images are extracted from the appliance, they can be decrypted using the decryption logic and kernel-specific AES keys implemented in Northwave’s lilo pulse secure decrypt tool using the following provided commands:
git clone https://github.com/NorthwaveSecurity/lilo-pulse-secure-decrypt

cd lilo-pulse-secure-decrypt

python3 dsdecrypt.py /path/to/encrypted_partition.img decrypted_output.img

In the next part of the Ivanti blog series, we will explore methods for extracting and decrypting images directly from the GRUB bootloader. This process involves obtaining a shell from the GRUB bootloader, extracting the LUKS keys, decrypting the image using those keys, and finally mounting the decrypted filesystem.

Resources

This forensic investigation guide and vulnerability analysis incorporates research and tools developed by:

Ivanti/Pulse secure vulnerability research

watchTowr Labs – Exploitation Walkthrough and Techniques: Ivanti Connect Secure RCE (CVE-2025-0282)

https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-20…

watchTowr Labs – CVE-2024-22024 (SAML XXE) Analysis

https://labs.watchtowr.com/are-we-now-part-of-ivanti/

Volexity – Active exploitation of Ivanti Connect Secure VPNs

https://www.volexity.com/blog/2024/01/10/active-exploitation-of-ivanti-connect-secure-vpn/

Volexity – CVE-2023-46805 Authentication Bypass: https://www.cve.org/CVERecord?id=CVE-2023-46805

Northwave Security – Ivanti/Pulse Secure forensic tooling and analysis: https://northwave-cybersecurity.com/whitepapers-articles/investigating-a-possible-ivanti-compromise
 
Black Hat and historical context

Orange Tsai & Meh Chang – Infiltrating Corporate Intranet Like NSA (Black Hat USA 2019)

https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa-16202

https://www.youtube.com/watch?v=mKGq8z17Kd4
 
Web Shell References

https://cloud.google.com/blog/topics/threat-intelligence/breaking-down-china-chopper-web-shell-part-i

https://cloud.google.com/blog/topics/threat-intelligence/breaking-down-the-china-chopper-web-shell-part-ii

Volexity – GIFTEDVISITOR Web Shell and Ivanti Exploitation: https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/

Independent researchers (Stephen Murcott): https://github.com/stephen-murcott/Ivanti-ICT-Snapshot-decryption