CISA Urges Urgent Action: Federal Agencies Face VPN Vulnerability Threatened by Ransomware

TL;DR
- CISA has ordered U.S. federal civilian agencies to urgently address a critical Ivanti VPN vulnerability that is being actively exploited in the wild.
- Security researchers say the campaign has already affected at least 2,100 devices worldwide, and CISA warned that the flaws could enable a full network compromise if chained together.
- Ivanti has issued temporary mitigations and agencies are also required to run a compromise-check tool while cybersecurity teams track the fallout.
The Cybersecurity and Infrastructure Security Agency has issued an emergency directive telling federal civilian agencies to rapidly secure Ivanti Connect Secure and Policy Secure VPN products after discovering active exploitation of newly disclosed vulnerabilities. CISA said the flaws were being exploited “widespread and active[ly]” and warned that, when combined, they could lead to a full compromise of affected networks.
The directive is CISA’s first emergency order of the year, underscoring how seriously the agency views the risk to government networks.
Why the VPN flaw matters
VPN appliances sit at a sensitive point in enterprise security because they often provide remote access into internal systems. In this case, the vulnerabilities affect Ivanti’s Connect Secure and Policy Secure products, which were publicly disclosed on Jan. 10 and later linked to active attacks. CISA’s concern is not just that the bugs can be exploited, but that they may be chained together to bypass protections and gain broad access to networks.
A separate report identified a critical Ivanti Connect Secure flaw tracked as CVE-2025-22457 that could enable remote code execution, with researchers from Google Cloud-owned Mandiant reporting evidence of exploitation in the wild.
Scale of the campaign
According to cybersecurity firm Volexity, the campaign has affected at least 2,100 devices worldwide. CISA’s acting assistant director for cybersecurity said the agency knew of “15 agencies or so” using vulnerable devices, though those agencies reportedly mitigated the bugs quickly.
That combination of broad exposure and confirmed exploitation is what makes the incident especially urgent for federal agencies and, by extension, private-sector organizations using the same appliances.
What federal agencies have been told to do
CISA directed federal agencies to follow Ivanti’s mitigation steps immediately, including applying the vendor’s temporary fix while a permanent patch is still pending, according to reporting on the emergency directive. Agencies were also told to run an external Ivanti tool designed to check for signs of compromise.
In related guidance around similar Ivanti incidents, CISA has repeatedly required agencies to disconnect affected devices, hunt for threats on connected systems, and return devices to service only after rebuilding and resetting credentials where needed. That response pattern reflects the agency’s preference for containment first, remediation second, and restoration only after compromise checks are complete.
Check Point and the wider security response
Cybersecurity firms have been quick to assess the potential impact, with Check Point and other vendors warning that exploitation of internet-facing VPNs can create an immediate pathway into enterprise environments. While reporting on this incident focuses more heavily on CISA, Mandiant, and Volexity, the broader security consensus is that these types of flaws are high-risk because they expose a trusted remote-access channel.
CISA’s own ransomware guidance repeatedly emphasizes patching known exploited vulnerabilities, enabling multifactor authentication, and segmenting networks to reduce lateral movement after an intrusion. Those recommendations are directly relevant here because VPN compromise can be used as an initial foothold for ransomware operators.
Ransomware angle and likely impact
Reporting on the incident points to a ransomware group exploiting the VPN weakness, which fits CISA’s long-standing warning that known exploited vulnerabilities are a common entry point for ransomware activity. Once attackers gain access through a VPN appliance, they can move laterally, steal credentials, and deploy encryption malware across connected systems if defenses are weak.
That is why the incident is so consequential: a seemingly narrow edge-device flaw can translate into enterprise-wide disruption, including data theft, service outages, and costly remediation.
What organizations should do now
Organizations using affected Ivanti VPN products should treat this as an urgent containment event, not a routine patch cycle. Based on CISA guidance and the incident response steps highlighted in previous Ivanti directives, the priorities are to apply vendor mitigations, verify whether systems were compromised, rotate credentials and certificates where necessary, and isolate any device that cannot be confidently cleared.
For broader ransomware resilience, CISA recommends patching known exploited vulnerabilities quickly, enabling MFA for VPN and other critical services, and segmenting networks to limit blast radius if an attacker gets in.
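The response order the article describes (contain first, remediate second, restore only after a compromise check is clean) is easy to state and easy to get wrong when a team is tracking dozens of appliances under time pressure. The following is an added example, not CISA’s or Ivanti’s tooling and not code from the original article: a small Python triage helper that applies that ordering to a constructed inventory of VPN appliances. The device names, field names and status values are assumptions for illustration; the compromise check is modelled only as a recorded result, since the vendor’s checking tool itself is not described on the page.

```python
"""Triage helper for the containment-first response pattern described above.

Added example (not CISA or Ivanti tooling).  Inventory records, device names
and field names are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    ISOLATE = "isolate: keep off the network until mitigated and checked"
    REBUILD = "rebuild: reimage, rotate credentials/certificates, re-check"
    RESTORE = "restore: cleared to return to service"


@dataclass
class Appliance:
    name: str
    mitigation_applied: bool                  # vendor mitigation / patch in place
    compromise_check: Optional[bool] = None   # None = not run, True = indicators found, False = clean
    rebuilt: bool = False                     # reimaged after a positive check
    credentials_rotated: bool = False         # creds and certs rotated after a positive check
    reasons: List[str] = field(default_factory=list)


def decide(a: Appliance) -> Action:
    """Return the next action for one appliance and record why in a.reasons.

    Ordering is deliberate: anything not yet mitigated or not yet checked is
    contained; a positive check forces rebuild + credential rotation before a
    clean re-check; only a mitigated device with a clean check is restored.
    """
    a.reasons.clear()
    if not a.mitigation_applied:
        a.reasons.append("vendor mitigation not applied")
    if a.compromise_check is None:
        a.reasons.append("compromise check not run")
    if a.reasons:
        return Action.ISOLATE

    if a.compromise_check:  # indicators of compromise were found
        pending = [step for step, done in (("rebuild", a.rebuilt),
                                           ("credential rotation", a.credentials_rotated))
                   if not done]
        a.reasons.append("indicators found; pending: " + (", ".join(pending) or "clean re-check"))
        return Action.REBUILD

    a.reasons.append("mitigated and compromise check clean")
    return Action.RESTORE


def triage(inventory: List[Appliance]) -> Dict[str, List[str]]:
    """Group device names by required action so the urgent work is visible first."""
    plan: Dict[str, List[str]] = {act.name: [] for act in Action}
    for a in inventory:
        plan[decide(a).name].append(a.name)
    return plan


# Constructed sample inventory (hypothetical device names and states).
SAMPLE_INVENTORY = [
    Appliance("vpn-hq-01", mitigation_applied=True, compromise_check=False),
    Appliance("vpn-branch-02", mitigation_applied=False),
    Appliance("vpn-dc-03", mitigation_applied=True, compromise_check=True, credentials_rotated=True),
    Appliance("vpn-lab-04", mitigation_applied=True),
]

if __name__ == "__main__":
    for action_name, names in triage(SAMPLE_INVENTORY).items():
        print(f"{action_name}: {names}")
    for a in SAMPLE_INVENTORY:
        print(f"  {a.name}: {'; '.join(a.reasons)}")
```

Running it on the constructed inventory isolates the unmitigated and unchecked devices, sends the device with indicators to the rebuild path (listing the rebuild step it still lacks), and clears only the mitigated, clean device for return to service. The point of the design is that there is no path to `RESTORE` that skips the compromise check, which matches the directive’s insistence on verifying compromise before trusting an edge device again.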
The bigger lesson for federal and enterprise defenders
This latest directive is another reminder that VPN appliances remain a high-value target for sophisticated threat actors because they sit directly between the internet and internal systems. When those devices are vulnerable, organizations do not just risk a single server—they risk the confidentiality and integrity of the wider network.
For federal agencies, the message from CISA is clear: act immediately, verify compromise, and do not assume an edge device is safe simply because it is outside the main network perimeter.