State-Sponsored Hackers Exploit Ivanti Zero-Days to Breach High-Value Networks
- Dark Hats
- Jul 3
PARIS, France – July 3, 2025 – France's national cybersecurity agency, ANSSI, has released a detailed report today confirming that a sophisticated, state-sponsored hacking group tracked as "Houken" has been actively exploiting multiple zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices. The campaign has successfully breached a wide array of sensitive targets, including government, telecommunications, and financial sector organizations.
The threat actor, believed to have links to China, is leveraging the network gateway vulnerabilities to gain initial access, establish persistence, and deploy a variety of malware, including web shells and advanced rootkits. Security analysts note that the attackers' primary method involves chaining several unpatched Ivanti vulnerabilities to achieve unauthenticated remote code execution on the targeted network appliances.
This campaign highlights a growing trend of nation-state actors targeting edge networking devices and VPNs as a primary vector for espionage and data exfiltration. Once inside a network, the group has been observed performing lateral movement and reconnaissance. ANSSI is urging all organizations using the affected Ivanti products to apply the latest security patches immediately, hunt for indicators of compromise (IOCs), and assume that credentials stored on these devices may be compromised.
