Breaking: Ivanti Connect Secure Zero-Day Under Active Nation-State Exploitation
QuantNest Radar's threat intelligence division is issuing an emergency advisory following the public disclosure late on March 14, 2026 of a critical zero-day vulnerability in Ivanti Connect Secure (formerly Pulse Secure) VPN appliances. Tracked as CVE-2026-31337 and assigned a CVSS v3.1 score of 9.8 (Critical), the flaw allows a completely unauthenticated remote attacker to achieve arbitrary code execution as root on affected devices — requiring zero user interaction and no prior credentials.
Mandiant and Volexity, who jointly disclosed the vulnerability under coordinated responsible disclosure, confirmed they have observed active in-the-wild exploitation targeting government ministries, defense contractors, financial institutions, and critical infrastructure operators across North America, Europe, and the Indo-Pacific region. The earliest forensic artifacts of exploitation trace back to March 10, 2026 — a full five days before public disclosure — indicating a pre-patch exploitation window consistent with a sophisticated zero-day campaign.
Technical Vulnerability Analysis
CVE-2026-31337 resides within the web-based SSL-VPN portal component of Ivanti Connect Secure, specifically in the XML-based SAML authentication request parser. The vulnerability is a stack-based buffer overflow triggered by a malformed SAML AuthnRequest message sent to the publicly exposed /dana-na/auth/saml-sso.cgi endpoint.
- Root Cause: An unbounded `memcpy()` operation copies attacker-controlled XML attribute data into a fixed-size stack buffer without length validation, enabling controlled stack smashing.
- Exploitation Primitive: Attackers bypass modern stack canaries by leaking a canary value via a separate information disclosure race condition in the same SAML parser (chained pre-condition).
- Payload Delivery: Successful exploitation delivers a custom implant dubbed "DUSTPAN.V3" — a lightweight ELF backdoor that establishes an encrypted C2 channel over port 443 using a custom binary protocol disguised as TLS 1.3 traffic.
- Persistence Mechanism: DUSTPAN.V3 achieves persistence by patching the appliance's `/etc/rc.local` equivalent startup scripts, surviving standard configuration resets but not full factory firmware reflash.
- Affected Versions: Ivanti Connect Secure versions 22.7R2.4 through 22.7R2.9 and all 9.1Rx series builds are confirmed vulnerable. Ivanti Policy Secure is under investigation.
Threat Actor Attribution
Mandiant has attributed this campaign with high confidence to UNC5325, a threat cluster assessed to operate on behalf of Chinese state intelligence interests and previously linked to the January 2024 Ivanti exploitation wave. Volexity independently corroborates this attribution, noting overlapping C2 infrastructure, code-level similarities in the DUSTPAN implant family, and victimology consistent with Chinese strategic intelligence collection priorities.
"The speed and precision of this campaign — targeting specific high-value organizations within hours of having access to the zero-day — is consistent with a well-resourced state actor with pre-positioned operational infrastructure. This was not opportunistic scanning; this was a deliberate, pre-planned collection operation." — Mandiant Threat Intelligence, March 14, 2026
Observed C2 infrastructure includes compromised Taiwanese hosting provider IP ranges and at least three dedicated VPS nodes in Eastern Europe — a classic false-flag layering technique previously used by UNC5325.
Scope and Impact Assessment
As of 0800 UTC on March 15, 2026, telemetry from GreyNoise and Shodan indicates that approximately 32,000 Ivanti Connect Secure appliances are publicly exposed on the internet. Mandiant has confirmed forensic evidence of successful compromise on at least 1,400 unique devices, though actual victim counts are expected to climb significantly as incident response investigations mature.
- Sectors Impacted: Defense industrial base (DIB), federal civilian agencies, semiconductor manufacturers, energy grid operators, and Tier-1 financial institutions.
- Geographic Distribution: United States (38%), Japan (17%), Germany (12%), United Kingdom (9%), Australia (7%), and others.
- Data at Risk: Post-exploitation activity includes harvesting of VPN session tokens, Active Directory credentials cached on the appliance, and lateral movement into internal enterprise networks via the established VPN tunnel.
CISA and Government Response
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-03 on the morning of March 15, 2026, mandating all Federal Civilian Executive Branch (FCEB) agencies to apply Ivanti's emergency patch or take appliances offline within 48 hours. CISA has also added CVE-2026-31337 to its Known Exploited Vulnerabilities (KEV) catalog with an unusually short remediation deadline of March 17, 2026 for federal entities.
The UK's National Cyber Security Centre (NCSC) and Australia's ASD/ACSC have issued parallel advisories urging immediate action. Japan's NISC has convened an emergency working group given the disproportionate impact on Japanese critical infrastructure.
Ivanti's Patch Status and Workarounds
Ivanti released an out-of-band emergency patch — version 22.7R2.10 — on March 14, 2026 at 23:15 UTC. However, given the active exploitation window and the persistence capability of DUSTPAN.V3, Ivanti and incident responders strongly caution that patching alone is insufficient for organizations that may have been exposed.
- Immediate Action 1: Apply emergency patch 22.7R2.10 immediately. Do not delay pending change management approval given CISA ED 26-03.
- Immediate Action 2: Run Ivanti's updated Integrity Checker Tool (ICT) version 3.2+ — previous ICT versions do not detect DUSTPAN.V3's persistence modifications.
- Immediate Action 3: Assume compromise if your appliance was internet-exposed running a vulnerable version between March 10–15, 2026. Initiate full incident response, including credential rotation for all accounts that authenticated via the VPN appliance.
- Immediate Action 4: Block outbound connections from Ivanti appliances to non-whitelisted external IPs pending forensic review.
- Temporary Mitigation: If patching cannot occur within 48 hours, disable the SAML SSO feature via `System > Configuration > SAML` and place the management interface behind an allowlist-restricted jump host.
Indicators of Compromise (IoCs)
The following IoCs have been confirmed by Mandiant, Volexity, and QuantNest Radar's own threat intelligence feeds as of March 15, 2026:
- Malicious C2 IPs: 45.138.27[.]194, 103.27.186[.]44, 194.165.16[.]83, 91.219.62[.]157
- DUSTPAN.V3 ELF Hash (SHA-256): a3f7c912b045e8d1f4290c3b77a6e4d2f8193cc14b5a77d3e6f9204ab8c31d77
- Suspicious URI Pattern: POST requests to `/dana-na/auth/saml-sso.cgi` with XML bodies exceeding 8KB containing malformed `AttributeStatement` nodes.
- Filesystem Artifact: Presence of `/tmp/.sysd_cache` or `/data/runtime/tmp/.sysd_cache` — DUSTPAN.V3 staging directory.
- Network Indicator: Outbound TLS sessions to port 443 from the appliance with JA4 fingerprint `t13d1516h2_8daaf6152771_b1ff8ab2d16f` — does not match legitimate Ivanti telemetry.
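As an added example (not part of the advisory and not an Ivanti or Mandiant tool), the following script runs the URI-pattern and network IoCs above over constructed log exports: the pipe-delimited web and TLS log formats, the field order and the sample records are assumptions made for the demonstration, while the endpoint, 8KB body threshold, C2 IPs and JA4 value are the advisory's.

```python
# IoCs quoted from the advisory; the C2 IPs are defanged on the page and refanged here.
IOC_JA4 = "t13d1516h2_8daaf6152771_b1ff8ab2d16f"
C2_IPS = {ip.replace("[.]", ".") for ip in (
    "45.138.27[.]194", "103.27.186[.]44", "194.165.16[.]83", "91.219.62[.]157")}
SAML_URI = "/dana-na/auth/saml-sso.cgi"
BODY_LIMIT = 8 * 1024  # advisory: XML bodies over 8KB are suspicious

# Constructed log formats (assumed, not Ivanti's own), pipe-delimited:
#   web: ts|src_ip|method|uri|status|request_body_bytes
#   tls: ts|src_ip|dst_ip|dst_port|ja4
WEB_LOG = """\
2026-03-14T21:02:11Z|203.0.113.5|POST|/dana-na/auth/saml-sso.cgi|200|9876
2026-03-14T21:03:40Z|198.51.100.7|POST|/dana-na/auth/saml-sso.cgi|200|2210
2026-03-14T21:05:02Z|203.0.113.9|GET|/dana-na/auth/url_default/welcome.cgi|200|0
"""
TLS_LOG = """\
2026-03-14T21:06:30Z|10.0.0.4|45.138.27.194|443|t13d1516h2_8daaf6152771_b1ff8ab2d16f
2026-03-14T21:07:02Z|10.0.0.4|198.51.100.20|443|t13d1517h2_5b57614c22b0_3d5424ce1f22
2026-03-14T21:08:15Z|10.0.0.4|91.219.62.157|8443|t13d1516h2_8daaf6152771_b1ff8ab2d16f
"""

def flag_saml_posts(web_log: str, limit: int = BODY_LIMIT) -> list[dict]:
    """Web records matching the advisory's URI pattern: a POST to the SAML SSO
    endpoint whose request body exceeds `limit` bytes."""
    hits = []
    for line in web_log.splitlines():
        ts, src, method, uri, _status, body_bytes = line.split("|")
        if method == "POST" and uri == SAML_URI and int(body_bytes) > limit:
            hits.append({"ts": ts, "src_ip": src, "body_bytes": int(body_bytes),
                         "reason": "oversized SAML SSO POST"})
    return hits

def flag_tls_sessions(tls_log: str) -> list[dict]:
    """Outbound sessions that reach a listed C2 IP, or carry the DUSTPAN.V3
    JA4 fingerprint on port 443 as the advisory describes."""
    hits = []
    for line in tls_log.splitlines():
        ts, _src, dst, port, ja4 = line.split("|")
        reasons = []
        if dst in C2_IPS:
            reasons.append("known C2 IP")
        if port == "443" and ja4 == IOC_JA4:
            reasons.append("DUSTPAN.V3 JA4")
        if reasons:
            hits.append({"ts": ts, "dst_ip": dst, "dst_port": int(port), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in flag_saml_posts(WEB_LOG) + flag_tls_sessions(TLS_LOG):
        print(hit)
```

Any hit on the web pattern should be followed by the filesystem-artifact and ICT checks listed above, since an oversized SAML POST alone does not prove that exploitation succeeded.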
QuantNest Radar's Recommendations
Given the severity, active exploitation, and nation-state sophistication involved, QuantNest Radar elevates this event to our highest internal threat tier — Tier 1 Critical. Organizations should treat this with the same urgency as a confirmed active breach until forensic investigation rules out compromise.
Security teams should immediately correlate SIEM logs for the listed IoCs, engage IR retainer providers if internal capacity is limited, and brief executive leadership on potential network access disclosure obligations under applicable breach notification regulations. The window for silent dwell time has likely passed for organizations exposed during the March 10–14 pre-patch period — proactive threat hunting is essential.
QuantNest Radar will publish updated IoC feeds and YARA/Sigma detection rules to our subscriber portal within the next two hours. Our team is actively monitoring this situation and will issue follow-up advisories as the campaign scope becomes clearer throughout March 15–16, 2026.