
Ivanti VPN backdoor campaign reaches 119 organisations

Bloomberg details Pulse Secure breach and contractor exposure; CISA once told agencies to unplug within 48 hours


Lorenzo Franceschi-Bicchierai, techcrunch.com

In early 2024, the US cybersecurity agency CISA told federal agencies to disconnect Ivanti VPN appliances within two days, citing active exploitation of vulnerabilities that were still unknown to the vendor. Now Bloomberg reporting, summarized by TechCrunch, adds an earlier and broader episode: a backdoor planted in Pulse Secure VPN software—later owned by Ivanti—was used to reach 119 additional organisations, including European and US military contractors, according to people familiar with the incident.

The details matter because VPN “appliances” sit at the edge of corporate networks with privileged access by design. They are sold as a simplification—one box, one vendor, one support contract—but that same standardisation turns compromise into a scalable event. An attacker who finds a reliable path through a widely deployed gateway does not need to breach a thousand companies; they can breach one product line and let it multiply. The logic is the same as with email servers or identity providers, but VPN gateways are often less visible internally: they are treated as plumbing, maintained by a small team, and updated only when someone is brave enough to schedule downtime.

Bloomberg’s account, as relayed by TechCrunch, also ties the security failures to ownership and staffing. After Clearlake Capital acquired Ivanti in 2017, rounds of cost-cutting—particularly in 2022—reportedly removed employees with deep knowledge of the products and their security. That is a familiar pattern in enterprise software: revenue comes from renewals and add-ons, while the cost line most easily reduced is the unglamorous work of code maintenance, secure development processes, and long regression testing.

The downstream effects show up in patch chains and verification. When a VPN vendor ships a fix, customers still need to test it against their own authentication setups, split-tunnel policies, endpoint agents, and legacy applications. That delay is not just operational friction; it is time attackers can buy in bulk. Meanwhile, defenders are asked to trust that the appliance is doing what it says it does—yet the very point of the product is that it sits in a place where independent monitoring is hard.

Ivanti is not alone. TechCrunch notes similar scrutiny of Citrix after large layoffs following a 2022 buyout by Elliott Investment Management and Vista Equity Partners. The market for perimeter access tools has become a contest in selling “secure remote work” as a managed product, while the cost of a breach—incident response, downtime, reputational damage—lands primarily on the customer.

CISA’s 48-hour disconnect order was a blunt instrument, but it reflected an equally blunt reality: when the perimeter is outsourced, the failure mode is shared. In that 2024 episode, the fastest mitigation was not a patch—it was pulling the plug.