Ivanti VPN Flaw Exploited to Inject Novel Backdoor; Hundreds Pwned

Published: 23/11/2024   Category: security




A SAML vulnerability in Ivanti appliances has led to persistent remote access and full control for opportunistic cyberattackers.



Threat actors continue to hammer the five security vulnerabilities that have been recently disclosed in Ivanti VPN appliances.
This week, researchers said attackers are injecting a never-before-seen backdoor for persistent remote access within target networks — so far compromising 670+ IT infrastructures in a mass-exploitation campaign.
Ivanti disclosed the vulnerability (a server-side request forgery vulnerability in the SAML component tracked as CVE-2024-21893) on Jan. 31, along with an additional new bug and fixes for two previously disclosed flaws. On Feb. 3, researchers at Orange Cyberdefense spotted a compromised Ivanti appliance infected with a novel backdoor, called DSLog after a legitimate logging module within the device.
This appliance had the initial XML mitigation (API endpoints blocked) in place but not yet the second mitigation (or patch), Cyberdefense's new advisory explained. Upon closer examination, the backdoor turned out to be interesting because it's controlled with a basic API key mechanism, the report explained. Also, it's different from previous webshells used in campaigns targeting the Ivanti bugs: 1) because the webshell does not return a status message after contact, so there is no known way to detect it directly; and 2) DSLog uses a unique hash per appliance. This hash cannot be used to contact the same backdoor implemented in another device, the firm explained.
Cyberdefense cautioned in its report that the Ivanti Integrity Checker Tool isn't a completely accurate method of compromise detection, but it remains a useful tool.
If cyber teams can check these boxes, their systems are probably in the clear, according to the report:
- your appliance was mitigated early on (around January 11th onward);
- no historical ICT nor external ICT scans showed signs of compromise;
- and no other suspicious behavior, i.e. in IOCs, logs, or alerts from security solutions, was found in the rest of the infrastructure.
If these are true, then the device is probably free from compromise, the researchers added.
This is not the first instance of threat actors, including China-backed state cyberattackers, dropping pioneering malware on unprotected Ivanti systems. The Cyberdefense report advised that any compromised Ivanti device or potential target of Chinese threat actors should conduct a factory reset with full patching. There are some Ivanti appliance versions without an available patch, the Cyberdefense team added, in which case cyber teams are advised to apply the XML mitigation as a stopgap and continue to check back for a more permanent patch.
