Yotam Gutman

12.3.2026

The VPN breach Post-Mortem

The Ivanti saga proves the "Trusted Perimeter" model is dead. Read our post-mortem on the systemic failures of traditional VPNs and discover how Zeroport's non-IP secured remote connection offers a safer alternative to VPNs.

New investigative reporting from Bloomberg has unveiled a systemic failure behind one of the most significant cyber-espionage campaigns of the decade. The reports detail how a "perfect storm" of high-interest debt, private equity restructuring, and aggressive cost-cutting at cybersecurity company Ivanti left a critical piece of national security infrastructure, the Pulse Connect Secure VPN, wide open to Chinese state-sponsored hackers.

What began as a series of technical zero-days is now being reframed as a story of corporate governance risk that turned into a national security risk.

Merger starts a chain of events

The chain of events began when private-equity firm Clearlake Capital acquired Pulse Secure and later merged it into Ivanti, creating a larger enterprise software company.

Following the acquisition, the company underwent cost-cutting and restructuring, including layoffs and reductions in engineering resources. According to reporting, internal teams responsible for security and product maintenance were affected, raising concerns among employees about the company’s ability to maintain the VPN product.

Pulse Secure's VPN technology, widely used by U.S. government agencies and large enterprises, became part of Ivanti's product line and was eventually rebranded as Ivanti Connect Secure.

While we can't read the minds of the MSS (China's intelligence agency), the reporting suggests a strong correlation. Investigative files imply that China’s intelligence services were aware of the organizational turbulence at Ivanti.

As Ivanti cut staff with deep product knowledge in 2022 to manage private equity debt, the "security posture" of the code aged rapidly. For an APT (Advanced Persistent Threat), a vendor in the middle of a messy merger or debt-driven restructuring is a "soft target"—it’s a window where security audits are often delayed and the people who know where the "skeletons" are hidden in the code have been laid off.

The Timeline: A Multi-Year Decay

  • 2017–2021: The Debt-Driven Restructuring
    Clearlake Capital acquires Ivanti. To manage debt, the company implements rounds of layoffs hitting engineering and security teams.
  • February 2021: The Silent Infiltration
    Chinese hackers breach Pulse Secure’s internal network, allegedly planting backdoors impacting 119 downstream organizations.
  • Late 2023: The Exploit Chain Goes "Hot"
    Mass exploitation of the Auth Bypass/Command Injection chain begins.
  • January–February 2024: The CISA Crisis
    CISA issues a 48-hour "disconnect" order after being breached themselves via their own Ivanti appliance.
  • 2025–2026: The "Ghost" Access Era
    Discovery of CVE-2025-22457 and EPMM flaws proves that hackers are still successfully targeting the platform two years later.

The Anatomy of the Exploit: A Chained Attack

The 2024–2026 crisis centers on a "chain" of vulnerabilities that turn a secure gateway into an open door. By themselves, these bugs are serious; together, they are a total system compromise.

  • The Chain (CVE-2023-46805 & CVE-2024-21887): Attackers first use a path traversal flaw to bypass authentication (the lock). Once "inside," they exploit a command injection flaw in the web components to execute arbitrary code (the keys to the house).
  • The 2025/2026 Pivot: Newer flaws like CVE-2025-22457 show that attackers are now "patch-diffing"—studying Ivanti’s fixes to find subtle ways to exploit unpatched or End-of-Life (EoL) Pulse 9.x systems.
  • Persistence is Key: Unlike a simple virus, these exploits target the underlying Linux OS of the appliance, allowing hackers to install "webshells" (like GIFTEDVISITOR or BUSHWALK) that survive reboots and even some factory resets.
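To give defenders something concrete for the chain described above, here is an added example (not code from the original post or from Ivanti) that correlates web access logs: it flags a source that sends a path-traversal request and then receives a successful response shortly afterwards, which is the log shape of a bypass being used rather than merely attempted. The log lines, the IP addresses and the URL paths are constructed placeholders, not the appliance's real endpoints.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style; the paths are hypothetical
# placeholders, not the real appliance's endpoints.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2024:10:01:02 +0000] "GET /api/v1/../internal/status HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [12/Jan/2024:10:01:09 +0000] "POST /api/v1/internal/tasks HTTP/1.1" 200 74 "-" "curl/8.4.0"
198.51.100.7 - - [12/Jan/2024:10:02:30 +0000] "GET /api/%2e%2e/internal/status HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.44 - - [12/Jan/2024:10:03:11 +0000] "GET /portal/home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"(\.\./|%2e%2e)", re.IGNORECASE)  # literal or percent-encoded parent hop

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def is_traversal(path):
    """True if the path carries a traversal sequence, raw or after one round of percent-decoding."""
    return bool(TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(unquote(path)))

def find_chains(lines, window=timedelta(minutes=5)):
    """Flag sources whose traversal request was followed within `window` by a 2xx response:
    an attempt that was blocked (no follow-up success) is not reported as a chain."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    chains = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            if not is_traversal(first["path"]):
                continue
            hits = [r for r in recs[i + 1:] if r["ts"] - first["ts"] <= window and 200 <= r["status"] < 300]
            if hits:
                chains.append({"ip": ip, "bypass": first["path"], "followup": hits[0]["path"]})
    return chains
```

On the sample above only 203.0.113.5 is reported: 198.51.100.7 sent an encoded traversal but was refused with 403 and never followed up. Run this over the appliance's exported access logs rather than on the appliance itself, since a compromised gateway may have had its own logs edited.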

The fallout: attackers are still lurking

The primary actor behind these breaches is UNC5221 (also tracked as UTA0178), a China-nexus espionage group. Their campaigns have been surgically precise. They specifically pursued U.S. defense contractors, government agencies, and telecommunications providers. To stay hidden, they use "passive backdoors" that don't "call home" but instead wait for a specific trigger hidden in normal-looking web traffic. In all likelihood, they are still exploiting VPN vulnerabilities and 0-days.
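Because a passive backdoor never calls home, beacon-based network detection has nothing to see; the remaining signal is on the appliance's disk, which is why the persistence described earlier matters. The following is an added example, not Ivanti's own integrity checker and not code from this post, that baselines a web root's file hashes and reports what was added or altered. The directory layout and file contents are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every regular file under root (relative POSIX-style path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def diff_manifest(baseline, current):
    """Files added, modified or removed relative to the known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

def _write(root, rel, data):
    """Helper for the constructed scenario: create rel under root with the given bytes."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a clean web root, then plant one file and tamper with another."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "cgi/login.cgi", b"#!/usr/bin/perl\nprint 'ok';\n")
        _write(root, "static/app.js", b"console.log(1);\n")
        baseline = build_manifest(root)
        # A passive implant leaves no beacon, so the only trace is on disk: a file that
        # was never shipped, or a shipped file whose hash no longer matches.
        _write(root, "cgi/helper.cgi", b"# planted file (constructed, inert)\n")
        _write(root, "cgi/login.cgi", b"#!/usr/bin/perl\n# extra line\nprint 'ok';\n")
        return diff_manifest(baseline, build_manifest(root))
```

The baseline must come from a trusted source (a vendor-published manifest or a clean image), and the comparison should run from an out-of-band copy of the filesystem, because a compromised appliance can misreport its own files.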

The Ivanti saga has proven that when a vendor prioritizes debt servicing over security headcount, the customers pay the price. It has effectively killed the "Trusted Perimeter" model.

The alternative to VPN: Zeroport non-IP secured remote connection

Zeroport has developed a secure connectivity solution that allows remote access to an organization in a safe way, enabling all necessary operations without exposing the organization to the internet or allowing malware infiltration or data exfiltration.
This solution allows organizations of all sizes to provide secure and convenient remote access for employees, contractors, and suppliers, saving time and money without compromising security. Contact us today to learn more about our technology.

Secure Access at Every Level

Empower global teams with secure, hardware-enforced remote access, no VPNs, no data exposure, no risk.