CVE-2026-28401 is a pre-authentication remote code execution vulnerability in Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure. The vulnerability resides in the SAML processing component and allows an unauthenticated attacker to execute arbitrary code with root privileges on the VPN gateway appliance.
The flaw was discovered during active exploitation — Ivanti had zero days to prepare a patch before public disclosure. Three separate nation-state threat groups (tentatively attributed to China, Russia, and Iran) were observed exploiting this vulnerability in supply chain attack operations targeting technology vendors, defense contractors, and critical infrastructure providers within 72 hours of initial exploitation.
With over 36,000 publicly exposed Ivanti Connect Secure instances identified by Shodan, this represents one of the highest-impact VPN vulnerabilities since CVE-2021-22986 (BIG-IP) and CVE-2023-46805/24017 (Ivanti's prior zero-day cluster).
The vulnerability is a two-stage exploit chain:
Stage 1 — SAML Signature Bypass: The SAML assertion processing logic in /dana-na/auth/saml-sso.cgi does not correctly validate XML Digital Signatures when the ds:SignatureValue element carries a specific malformed namespace prefix. Because the parser normalizes the namespace before the signature is verified, a forged SAML assertion can pass signature validation.
Stage 2 — Heap Overflow via Forged Assertion: The now-accepted forged assertion is handed to the session establishment handler, which processes attributes in a fixed-size 4096-byte heap buffer. An assertion carrying 127 or more attributes of 33 or more bytes each (more than 4096 bytes in total) overflows that buffer into adjacent heap metadata, giving the attacker control of execution.

```http
# Simplified PoC concept (NOT full exploit — for detection/research only)
# Stage 1: Forge SAML with namespace manipulation
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: [target-ivanti-instance]
Content-Type: application/x-www-form-urlencoded

SAMLResponse=[base64(
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <!-- Namespace prefix manipulation causes sig bypass -->
    <ds:SignatureValue>[ANY_VALUE]</ds:SignatureValue>
  </ds:Signature>
  <saml:AttributeStatement>
    <!-- 127+ attributes x 33+ bytes triggers Stage 2 heap OOB -->
    [REPEAT: <saml:Attribute Name="AAAAAA..."><saml:AttributeValue>...</saml:AttributeValue></saml:Attribute>]
  </saml:AttributeStatement>
</samlp:Response>
)]
```
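As an added, defender-side example (not part of the advisory and not Ivanti code), the following Python pre-filter inspects a posted SAMLResponse for the two structural traits described in Stages 1 and 2: a Signature or SignatureValue element whose prefix is bound to something other than the XML-DSig namespace, and an AttributeStatement whose attribute count or total size exceeds the 4096-byte buffer. It assumes a WAF or reverse-proxy hook that can hand it the form value; the thresholds come from the text above, while the function names, the fixture builder and the sample namespace `urn:example:not-dsig` are this example's own. It does not verify the signature itself (it has no IdP certificate), so a "suspicious" verdict is a triage signal rather than a block decision on its own.

```python
"""Heuristic pre-filter for SAMLResponse values posted to the SAML endpoint.

Looks for the two traits the advisory attributes to CVE-2026-28401: a
Signature/SignatureValue element not bound to the XML-DSig namespace
(Stage 1) and an AttributeStatement large enough to exceed the 4096-byte
attribute buffer (Stage 2). Added example, not Ivanti code; the figures
4096 and 127 are from the advisory, all names here are this example's own.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

ATTR_BUFFER_BYTES = 4096   # fixed-size heap buffer size stated in Stage 2
FLOOD_ATTR_COUNT = 127     # attribute count the advisory names as the trigger


def _split_tag(tag: str) -> Tuple[str, str]:
    """Return (namespace_uri, local_name) for an ElementTree tag."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def inspect_saml_response(b64_response: str) -> Dict[str, object]:
    """Decode a SAMLResponse form value and report structural anomalies."""
    findings: List[str] = []
    try:
        xml_bytes = base64.b64decode(b64_response, validate=True)
    except (binascii.Error, ValueError):
        return {"verdict": "malformed", "findings": ["not valid base64"]}
    try:
        # Use defusedxml in production; stdlib ElementTree is fine for a demo
        # but offers no protection against entity-expansion payloads.
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return {"verdict": "malformed", "findings": [f"xml parse error: {exc}"]}

    sig_elements = attr_count = attr_bytes = 0
    for el in root.iter():
        ns, local = _split_tag(el.tag)
        if local in ("Signature", "SignatureValue"):
            sig_elements += 1
            if ns != XMLDSIG_NS:
                # A signature-looking element bound to some other namespace is
                # the prefix manipulation described in Stage 1.
                findings.append(f"{local} bound to unexpected namespace {ns!r}")
        elif local == "Attribute" and ns == SAML_NS:
            attr_count += 1
            attr_bytes += len(el.get("Name", "").encode())
            for child in el:
                if _split_tag(child.tag)[1] == "AttributeValue":
                    attr_bytes += len((child.text or "").encode())
    if sig_elements == 0:
        findings.append("no Signature element present")
    if attr_count >= FLOOD_ATTR_COUNT or attr_bytes > ATTR_BUFFER_BYTES:
        findings.append(f"attribute flood: {attr_count} attributes, "
                        f"{attr_bytes} bytes (buffer {ATTR_BUFFER_BYTES})")
    return {"verdict": "suspicious" if findings else "ok",
            "findings": findings,
            "attr_count": attr_count, "attr_bytes": attr_bytes}


def build_test_response(attr_count: int, value_len: int,
                        ds_ns: str = XMLDSIG_NS) -> str:
    """Constructed fixture used only to exercise the inspector; the
    SignatureValue is a dummy and the response is not signed by anything."""
    attrs = "".join(
        f'<saml:Attribute Name="attr{i}"><saml:AttributeValue>'
        f'{"A" * value_len}</saml:AttributeValue></saml:Attribute>'
        for i in range(attr_count))
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}">'
           f'<ds:Signature xmlns:ds="{ds_ns}">'
           '<ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>'
           f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
           '</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(inspect_saml_response(build_test_response(3, 10)))
    print(inspect_saml_response(build_test_response(127, 33)))
```

Run it as a module behind your WAF hook and feed it the raw `SAMLResponse` form value; the returned dict is meant to be logged as-is so the attribute count and byte total are available to your SIEM even when the verdict is "ok".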

| # | Stage | Action | Tool/Technique |
|---|---|---|---|
| 1 | Initial Access | Pre-auth SAML exploit → root shell on VPN gateway | CVE-2026-28401 exploit |
| 2 | Persistence | Deploy SPAWNANT/SPAWNMOLE web implants in /dana-na/ | Modified Ivanti plugin packages (.tgz) |
| 3 | Credential Harvest | Intercept all VPN authentication tokens, NTLM hashes, SAML assertions | In-memory credential sniffer |
| 4 | Lateral Movement | Use harvested creds to authenticate to internal corporate resources | Pass-the-Hash, Pass-the-Ticket |
| 5 | Supply Chain Pivot | Identify software vendor customers; access CI/CD pipelines via VPN | Internal network scanning |
| 6 | Code Injection | Insert malicious code into software builds targeting vendor customers | Git commit poisoning, build artifact tampering |
| 7 | Downstream Impact | Malicious software updates pushed to 1,200+ downstream customer orgs | Signed malicious packages |
| 8 | C2 | HTTPS C2 via compromised vendor update servers (LOLBin) | Cloudflare Workers C2 proxy |

| Product | Affected Versions | Fixed Version | Status |
|---|---|---|---|
| Ivanti Connect Secure | 22.7R2.5 and below | 22.7R2.6 (EMERGENCY PATCH) | PATCH NOW |
| Ivanti Connect Secure | 9.1Rx (Legacy) | EOL — REPLACE IMMEDIATELY | NO PATCH |
| Ivanti Policy Secure | 22.7R1.3 and below | 22.7R1.4 | PATCH NOW |
| Ivanti Neurons for ZTA | 22.7R2.3 and below | 22.7R2.4 | PATCH URGENTLY |

| Type | Indicator | Description | Cluster |
|---|---|---|---|
| IP | 185.220.101.47 | Initial exploit source | APT-CLUSTER-1 |
| IP | 45.142.212.100 | C2 server (SPAWNMOLE) | APT-CLUSTER-1 |
| IP | 194.165.16.77 | Payload delivery | APT-CLUSTER-2 |
| IP | 91.108.4.160 | Lateral movement C2 | APT-CLUSTER-3 |
| Domain | update-ivanti[.]com | Phishing/C2 domain | APT-CLUSTER-1 |
| Domain | ivanti-patch[.]net | Fake patch delivery | APT-CLUSTER-2 |
| File Hash (SHA256) | a4f2b8d...3e91 | SPAWNANT implant | ALL |
| File Hash (SHA256) | c8d44f1...7b22 | Credential harvester | APT-CLUSTER-1 |
| Path | /dana-na/auth/.spawnant | Web shell location | ALL |
| Path | /home/runtime/logs/oal.log | Modified log (evidence wiping) | ALL |
| User-Agent | Mozilla/5.0 (compatible; IvantiBot/2.0) | Exploit UA string | APT-CLUSTER-1 |

```yara
rule CVE_2026_28401_IvantiCS_SAML_Exploit
{
    meta:
        description = "Detects CVE-2026-28401 Ivanti Connect Secure SAML exploit attempts and SPAWNANT implant"
        author = "CyberDudeBivash CYBERDUDEBIVASH SENTINEL APEX"
        date = "2026-04-22"
        severity = "CRITICAL"
        cve = "CVE-2026-28401"
        cvss = "10.0"
        reference = "https://blog.cyberdudebivash.in"

    strings:
        // The xmldsig namespace appears in every legitimate SAML response; it
        // only gates the attribute-flood regex and is never an indicator alone.
        $saml_exploit_ns = "xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"" nocase
        // Ten or more consecutive attributes with long names and 30+ byte values.
        // The advisory's Stage 2 trigger is 127+ attributes, so this fires early
        // by design; raise the repeat count if it is noisy for your IdP.
        $saml_attr_flood = /(<saml:Attribute Name="[A-Za-z]{6,}">.{30,}<\/saml:Attribute>\s*){10,}/s
        $spawnant_path = "/dana-na/auth/.spawnant" nocase
        // Legitimate endpoint: only meaningful together with the flood regex.
        $saml_endpoint = "/dana-na/auth/saml-sso.cgi" nocase
        $credential_harvest = "SAML_SESSION_INTERCEPT" nocase
        $c2_beacon = "IvantiBot/2.0" nocase
        $log_wipe = "rm -rf /home/runtime/logs/oal.log" nocase
        $exploit_ua = "Mozilla/5.0 (compatible; IvantiBot" nocase

    condition:
        // Every declared string is referenced here; YARA refuses to compile a
        // rule with unreferenced strings.
        ($saml_exploit_ns and $saml_attr_flood) or
        ($saml_endpoint and $saml_attr_flood) or
        $spawnant_path or
        $credential_harvest or
        $c2_beacon or
        $exploit_ua or
        $log_wipe
}
```

```kusto
// CVE-2026-28401 Ivanti Connect Secure Exploit Detection (Microsoft Sentinel)
// Assumes gateway request logs are ingested in the W3CIISLog schema (for
// example from a reverse proxy in front of the appliance) and firewall/proxy
// logs in CommonSecurityLog.
let IvantiIPs = pack_array("185.220.101.47", "45.142.212.100", "194.165.16.77", "91.108.4.160");
let IvantiDomains = pack_array("update-ivanti.com", "ivanti-patch.net");
// 1. Exploit attempts against the SAML endpoint: oversized POSTs or server
//    errors, gated on the known UA string or IOC source IPs. Note that this
//    gate will not surface the same traffic from new attacker infrastructure;
//    drop the second where clause to hunt more broadly.
let SamlAttempts = W3CIISLog
    | where csUriStem contains "/dana-na/auth/saml-sso.cgi"
        and csMethod == "POST"
        and (csBytes > 50000 or scStatus in ("500", "503"))
    | where csUserAgent contains "IvantiBot" or cIP in~ (IvantiIPs)
    | summarize Attempts = count(), UniqueIPs = dcount(cIP), Sources = make_set(cIP) by bin(TimeGenerated, 5m)
    | where Attempts > 3
    | extend Detection = "SAML exploit attempts";
// 2. SPAWNANT web shell access (hidden files under /dana-na/auth/)
let WebShell = W3CIISLog
    | where csUriStem contains ".spawnant" or csUriStem contains "dana-na/auth/."
    | project TimeGenerated, cIP, csUriStem, csUserAgent
    | extend Detection = "SPAWNANT web shell access";
// 3. C2 communications to known IOC IPs and domains
let C2 = CommonSecurityLog
    | where DestinationIP in (IvantiIPs) or DestinationHostName has_any (IvantiDomains)
    | project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, ApplicationProtocol
    | extend Detection = "C2 to known IOC";
// union is a tabular operator: the branches are named above and combined here
// rather than written as a bare "union" keyword between piped queries.
union SamlAttempts, WebShell, C2
| order by TimeGenerated desc
```

```spl
index=web OR index=network earliest=-24h
    (uri_path="/dana-na/auth/saml-sso.cgi" AND http_method="POST" AND bytes_in>50000)
    OR uri_path="*.spawnant*"
    OR useragent="*IvantiBot*"
    OR dest_ip IN ("185.220.101.47","45.142.212.100","194.165.16.77","91.108.4.160")
| eval risk_score=case(
    match(uri_path, "spawnant"), 100,
    match(useragent, "IvantiBot"), 90,
    bytes_in>100000, 80,
    true(), 50)
| where risk_score >= 80
| stats count AS hits, sum(bytes_in) AS total_bytes, max(risk_score) AS risk_score, values(src_ip) AS sources BY uri_path, dest_ip
| sort - risk_score
```
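To show the same scoring logic outside a SIEM, here is an added Python triage script (not from the advisory, and not an Ivanti or Splunk tool) that parses exported access-log lines, applies the selection clauses and case() scores of the Splunk search above, and aggregates by path and client IP like its stats clause. The log format is a constructed one (timestamp, client IP, method, path, status, request bytes, quoted User-Agent), the sample lines are constructed from the advisory's IOC addresses plus RFC 5737 documentation addresses for benign clients, and because an access log has no destination field the IOC addresses are matched against the client IP.

```python
"""Score web-access log lines the way the Splunk search above does.

Added example for offline triage of exported gateway or reverse-proxy logs;
not part of the advisory. LINE_RE matches a constructed format; adapt it to
your own log layout. IOC_IPS are the addresses listed in the advisory.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IOC_IPS = {"185.220.101.47", "45.142.212.100", "194.165.16.77", "91.108.4.160"}
SAML_ENDPOINT = "/dana-na/auth/saml-sso.cgi"

# Constructed line format: ts src_ip METHOD path status bytes_in "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src_ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) (?P<bytes_in>\d+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Event:
    ts: str
    src_ip: str
    method: str
    path: str
    status: int
    bytes_in: int
    ua: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["src_ip"], m["method"], m["path"],
                 int(m["status"]), int(m["bytes_in"]), m["ua"])


def risk_score(ev: Event) -> Optional[int]:
    """Mirror the Splunk search: None if no search clause selects the event,
    otherwise the score its case() assigns (first matching branch wins).
    The IOC list is checked against the client IP, not a destination."""
    selected = (
        (ev.path == SAML_ENDPOINT and ev.method == "POST" and ev.bytes_in > 50000)
        or ".spawnant" in ev.path
        or "IvantiBot" in ev.ua
        or ev.src_ip in IOC_IPS
    )
    if not selected:
        return None
    if "spawnant" in ev.path:
        return 100
    if "IvantiBot" in ev.ua:
        return 90
    if ev.bytes_in > 100000:
        return 80
    return 50


def triage(lines: List[str], min_score: int = 80) -> List[dict]:
    """Aggregate selected events by (path, client IP) like the stats clause,
    keeping hit count, total request bytes and the highest score per group;
    the result is sorted by score, highest first."""
    groups: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"hits": 0, "total_bytes": 0, "risk_score": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        score = risk_score(ev)
        if score is None or score < min_score:
            continue
        g = groups[(ev.path, ev.src_ip)]
        g["hits"] += 1
        g["total_bytes"] += ev.bytes_in
        g["risk_score"] = max(g["risk_score"], score)
    return sorted(
        ({"uri_path": k[0], "src_ip": k[1], **v} for k, v in groups.items()),
        key=lambda r: r["risk_score"], reverse=True)


# Constructed sample lines: advisory IOC addresses plus documentation
# addresses (203.0.113.0/24, 198.51.100.0/24) for benign clients.
SAMPLE_LOG = [
    '2026-04-22T10:15:01Z 185.220.101.47 POST /dana-na/auth/saml-sso.cgi 500 120000 "Mozilla/5.0 (compatible; IvantiBot/2.0)"',
    '2026-04-22T10:15:09Z 185.220.101.47 GET /dana-na/auth/.spawnant 200 310 "curl/8.4.0"',
    '2026-04-22T10:16:00Z 203.0.113.8 POST /dana-na/auth/saml-sso.cgi 200 4200 "Mozilla/5.0"',
    '2026-04-22T10:17:30Z 198.51.100.23 POST /dana-na/auth/saml-sso.cgi 503 160000 "Mozilla/5.0"',
    '2026-04-22T10:18:00Z 45.142.212.100 GET /dana-na/auth/welcome.cgi 200 900 "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Lowering `min_score` to 50 also surfaces plain contact from an IOC address (the welcome.cgi line above), which the Splunk search's `where risk_score >= 80` deliberately leaves out of the summary.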

| Priority | Action | Command / Detail |
|---|---|---|
| P0 IMMEDIATE | Patch to 22.7R2.6 or isolate | Download from my.ivanti.com/support — verify SHA256 hash before applying |
| P0 IMMEDIATE | Check for SPAWNANT implants | find /dana-na/auth/ -name ".*" -type f 2>/dev/null |
| P0 IMMEDIATE | Reset all VPN session tokens | Admin UI → Maintenance → Reset All Sessions; rotate all API keys |
| P1 24H | Rotate all credentials that traversed VPN | All AD passwords, service accounts, API tokens — assume compromised |
| P1 24H | Audit SAML configurations | Disable external IdP SAML until patched; use backup auth method |
| P1 24H | Factory reset if compromise confirmed | Ivanti recommends factory reset + redeploy from clean snapshot if implants found |
| P2 72H | Enable Ivanti Integrity Checker Tool | Run ICT against all appliances; compare against golden baseline |
| P2 72H | Network segmentation review | Ensure VPN gateways cannot initiate outbound connections to internet |
| P3 1W | Verify software build integrity | If vendor: audit all CI/CD pipelines touched via Ivanti VPN in last 30 days |