Latest Rockwell Automation vulnerability

Rockwell Automation has disclosed a vulnerability in their GuardLogix and Compact GuardLogix products.

CVE-2025-24478 is rated high, with a CVSS score of 7.1. Successful exploitation of this vulnerability would allow attackers to create an unrecoverable denial-of-service condition, requiring power cycling of the device to restore function. This vulnerability is exploitable over the network and without authentication.

The following devices are affected by this vulnerability:

• GuardLogix 5580 (SIL 3 with the safety partner 3): Versions prior to V33.017, V34.014, V35.013, V36.011
• Compact GuardLogix 5380 SIL 3: Versions prior to V33.017, V34.014, V35.013, V36.011

Are updates or workarounds available?

Rockwell Automation has released patches for the affected product. Users are advised to update their systems as quickly as possible.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially vulnerable systems:

hw:"Rockwell Automation%Logix%5_80"

October 2024: FactoryTalk ThinManager

Rockwell Automation has disclosed multiple vulnerabilities in their FactoryTalk ThinManager product.

CVE-2024-10386 is rated critical, with a CVSS v4 score of 9.3 and allows attackers with network access to send specially crafted packets that result in database manipulation.

CVE-2024-10387 is rated high, with CVSS v4 score of 8.7 and allows attackers with network access to send specially crafted packets to the device potentially triggering a denial-of-service.

The following versions are currently affected by these vulnerabilities:

• ThinManager: Versions 11.2.0 to 11.2.9
• ThinManager: Versions 12.0.0 to 12.0.7
• ThinManager: Versions 12.1.0 to 12.1.8
• ThinManager: Versions 13.0.0 to 13.0.5
• ThinManager: Versions 13.1.0 to 13.1.3
• ThinManager: Versions 13.2.0 to 13.2.2
• ThinManager: Version 14.0.0

Are updates or workarounds available?

Rockwell Automation has released patches for the affected product. Users are advised to update their systems as quickly as possible. In addition, users are advised to limit communications to TCP 2031 to only the devices that need connection to the ThinManager.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND tcp:2031

September 2024: ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix

Rockwell Automation has disclosed multiple vulnerabilities in their ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix products.

Successful exploitation of these vulnerabilities result in devices becoming inaccessible remotely and crashing and then require manual intervention to restart them.

CVE-2024-6077 is rated high, with a CVSS v4 score of 8.7.

Are updates or workarounds available?

Rockwell Automation has released patches and guidance for affected systems. Users are advised to upgrade as quickly as possible. Users may also disable CIP security on these devices to mitigate the issue.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND (hw:"1756-EN2" OR hw:"1756-EN2" OR hw:"1756-ENBT" OR hw:"1756-CN2/B" OR hw:"1756-CN2/A" OR hw:"1756-CNB/D," OR hw:"1756-CNB/E")

August 2024: ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix

Rockwell Automation has disclosed multiple vulnerabilities in their ControlLogix, GuardLogix, CompactLogix, and Compact GuardLogix products.

Successful exploitation of these vulnerabilities result in devices becoming inaccessible remotely and crashing and then require manual intervention to restart them.

CVE-2024-40619 is rated medium with CVSS score of 7.5 and indicates a denial-of-service scenario due to a malformed CIP packet which causes a device to crash and require a manual restart.

Are updates or workarounds available?

Rockwell Automation suggests updating devices to the corrected firmware revision.

• CVE-2024-7515 is rated high with CVSS score of 8.6 and indicates a denial-of-service scenario due to a malformed PTP management packet which causes a device to crash and require a manual restart.
• CVE-2024-7507 is rated medium with CVSS score of 7.5 and indicates a denial-of-service scenario due to a malformed PCCC packet which causes a device to crash and require a manual restart.

Rockwell Automation suggests updating devices to the corrected firmware revision. Additionally, they recommend restricting communication to CIP object 103 (0x67).

In all of the cases above users should ensure these devices are isolated in their own networks to prevent unwanted packets flooding the device.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:"Rockwell Automation" AND (hw:"1756-EN2" OR hw:"1756-EN2" OR hw:"1756-ENBT" OR hw:"1756-CN2/B" OR hw:"1756-CN2/A" OR hw:"1756-CNB/D," OR hw:"1756-CNB/E")

August 2024: ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules

On August 1st, 2024, Rockwell Automation disclosed a vulnerability in their ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules products.

CVE-2024-6242 is rated high with CVSS score of 7.3 and allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller.

Successful exploitation of these vulnerabilities on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.

Are updates or workarounds available?

Rockwell Automation recommends upgrade devices to apply fixes for the affected devices.

Additionally, limit the allowed CIP commands on controllers by setting the mode switch to the RUN position.

How runZero users found potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"1756-EN2" OR hw:"1756-EN3" OR hw:"1756-EN4"

April 2024: ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR

In April 2024, Rockwell Automation disclosed a vulnerability in their ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR products.

CVE-2024-3493 was rated high with CVSS score of 8.6 and involved a specific malformed fragmented packet type which could cause a major nonrecoverable fault (MNRF) in Rockwell Automation’s ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR. If exploited, the affected product would become unavailable and require a manual restart to recover it.

What was the impact?

Successful exploitation of these vulnerabilities resulted in devices becoming inaccessible remotely and crashing and then require manual intervention to restart them.

Rockwell Automation provided software updates for the impacted versions.

How runZero users found potentially vulnerable systems

From the Asset Inventory, runZero users could use the following query to locate systems running potentially vulnerable software:

hw:"1756-EN4TR"

March 2024: Rockwell Automation PowerFlex 527

In March 2024, Rockwell Automation disclosed multiple vulnerabilities in their PowerFlex 527 product.

CVE-2024-2425 and CVE-2024-2426 are both rated high with CVSS score of 7.5 and both involve improper input validation which could cause a web server to crash and CIP communication disruption, respectively, which leads to requiring manual restarts.

CVE-2024-2427 is rated high with CVSS score of 7.5 and indicates a denial-of-service scenario due to improper network packet throttling which causes a device to crash and require a manual restart.

What was the impact?

Successful exploitation of these vulnerabilities result in devices becoming inaccessible remotely and crashing and then require manual intervention to restart them.

Are updates or workarounds available?

Rockwell Automation does not currently have a fix for these vulnerabilities. Users of the affected software are encouraged to apply risk mitigations and security best practices, where possible.

Users should disable the web server if it is not needed, which should be disabled by default. Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted packets flooding the device.

How to find potentially vulnerable PowerFlex products

From the Asset Inventory, runZero users used the following query to locate systems running potentially vulnerable software:

hw.product:"powerflex"

Multiple vulnerabilities (February  2025)

Siemens disclosed multiple vulnerabilities in various product lines:

• SSA-111547 – cleartext storage of sensitive information in SIPROTEC 5 (CVSS score 5.1)
• SSA-195895 – user enumeration vulnerability in the web server of SIMATIC Products (CVSS score 6.9)
• SSA-224824 – denial of service vulnerabilities in SIMATIC S7-1200 CPU Family before V4.7 (CVSS score 8.7)
• SSA-246355 – multiple vulnerabilities in Tableau Server Component of Opcenter Intelligence before V2501 (CVSS score 10.0)
• SSA-342348 – insufficient session expiration vulnerability in Siemens SIMATIC PCS neo, TIA Administrator, and TIA Portal (CVSS score 8.7)
• SSA-687955 – accessible development shell via physical interface in SIPROTEC 5 (CVSS score 7.0)
• SSA-698820 – multiple vulnerabilities in FortiGate NGFW before V7.4.4 on RUGGEDCOM APE1808 devices (CVSS score 9.0)
• SSA-767615 – information disclosure via SNMP in SIPROTEC 5 devices (CVSS score 8.7)
• SSA-769027 – multiple vulnerabilities in SCALANCE W700 IEEE 802.11ax devices before V3.0.0 (CVSS score 8.6)
• SSA-770770 – multiple vulnerabilities in FortiGate NGFW before V7.4.5 on RUGGEDCOM APE1808 devices (CVSS score 7.5)

What is the impact?

Are updates or workarounds available?

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"SCALANCE M8" OR hw:"SIMATIC" OR hw:"RUGGEDCOM" OR hw:"SCALANCE"

Ten vulnerabilities disclosed in Siemens products (December 2024)

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:Siemens

Multiple vulnerabilities (November 2024)

Siemens disclosed multiple vulnerabilities in various product lines:

• SSA-354112 – multiple vulnerabilities in SCALANCE M-800 Family devices (CVSS score 8.6)
• SSA-654798 – unauthenticated remote access to the filesystem in SIMATIC CP devices (CVSS score 8.7)
• SSA-454789 – deserialization of untrusted data in TeleControl Server (CVSS score 10.0)

What is the impact?

Are updates or workarounds available?

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"SCALANCE M8" OR hw:"SCALANCE S615" OR hw:"SIMATIC CP" OR (os:"Windows" AND tcp_port:26865)

35 vulnerabilities (September 2024)

• SSA-955858 – multiple vulnerabilities in LOGO! 8 BM devices (CVSS score 9.8)
• SSA-832273 – multiple vulnerabilities in RUGGEDOM devices (CVSS score 9.8)
• SSA-721642 – multiple vulnerabilities in SCALANCE devices (CVSS score 9.1)
• SSA-673996 – multiple vulnerabilities in SICAM and SITIPE devices (CVSS score 8.2)
• SSA-629254 – remote code execution vulnerability in SIMATIC SCADA and PCS 7 systems (CVSS score 9.1)
• SSA-455250 – multiple vulnerabilities in RUGGEDCOM devices (CVSS score 9.8)
• SSA-039007 – heap-based buffer overflow in the Siemens User Management Console component (CVSS score 9.8)

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:Siemens

SCALANCE and RUGGEDCOM products (August 2024)

Siemens disclosed multiple vulnerabilities for a variety of products and devices, including the SCALANCE and RUGGEDCOM product lines.

• CVE-2024-41976 is rated high, with a CVSS score of 7.2, and allows an attacker to issue invalid VPN configuration data causing an authenticated attacker to execute arbitrary code.
• CVE-2024-41977 is rated high, with a CVSS score of 7.1, and allows an attacker to escalate their privileges due to devices not properly enforcing user session isolation.
• CVE-2024-41978 is rated high, with a CVSS score of 6.5, and allows an authenticated attacker to forge 2FA tokens of other users due to devices storing sensitive 2FA information in log files on disk.
• CVE-2024-44321 is rated medium, with a CVSS score of 2.7, and allows an attacker to issue large input data causing an unauthenticated denial-of-service.

The last vulnerability is on the lower score, but would still require the device be restarted if the denial-of-service condition was triggered.

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:"RUGGEDCOM" OR hw:"SCALANCE" OR hw:"LOGO"

CVE-2024-35292 – SIMATIC S7-200 SMART Devices (July 2024)

In July 2024, Siemens disclosed a vulnerability in their SIMATIC S7-200 SMART Devices.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:SIMATIC

SENTRON, SCALANCE, and RUGGEDCOM vulnerabilities (March 2024)

Several of the vulnerabilities had CVSS scores in the 7.0 to 8.9 range (high) and several more in the 9.0 to 10.0 range (critical).

For the full list of vulnerabilities, you can consult Siemens ProductCERT.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate Siemens assets that were potentially vulnerable:

hardware:Siemens OR hardware:RuggedCom

In this article, we walk through common scenarios that attribution-based attack surface management tools miss and demonstrate how you can use runZero’s new Inside-Out Attack Surface Management (IOASM) capabilities to close these gaps. IOASM helps you defend against opportunistic attacks by leveraging precise device fingerprinting to uncover exposures that are impossible to find through attribution alone.

The attribution challenge

Attackers are continuously scanning and prodding internet-facing systems, looking for easy wins. Although many campaigns start by knocking on your front door — testing assets clearly associated with your domain and IP space — attackers are just as likely to stumble upon an exposed system, compromise it, and only later realize it belongs to you. Opportunistic attacks drive an entire sub-category of the cyber-crime economy: initial access brokers. These criminal groups gain a foothold into your organization and then sell that access to other groups that steal data and attempt to extort money.

External attack surface management (EASM) tools (including runZero!) can reduce your risk by quickly flagging exposures before they can be exploited. You provide these tools with a list of domain names, IP addresses, autonomous system numbers (ASNs), and other identifiers, and the EASM attribution process will iterate on these “seeds” to identify internet-exposed assets. This process works great for well-known organizational resources, but often misses exposures where attribution is impossible using IP addresses and domain names alone.

Flipping the script with Inside-Out Attack Surface Management

This is where Inside-Out Attack Surface Management (IOASM) changes the game. While attribution-based EASM tools often struggle to identify exposures beyond their predefined “seeds,” IOASM flips the script by leveraging detailed knowledge of your internal assets to quickly and accurately identify external exposures, no matter where they are.

Instead of starting with known IPs or domains, the runZero Platform builds device fingerprints from attributes it gathers through external and internal active and passive discovery, as well as integrations with systems like cloud provider APIs and vulnerability scanners. This fingerprinting process captures details such as TLS certificates, SSH host keys, and SNMP metadata, in addition to other system-specific attributes, which tend to remain consistent even when a device changes IP addresses, network segments, or is redeployed from an image. By beginning with an internal baseline of these fingerprints, runZero can pinpoint each device’s unique identity deep within the environment, and then correlate those same devices against information collected externally.

If an asset that was once detected in an isolated subnet suddenly appears on the internet — or if a device spins up in a public cloud and shares the same cryptographic fingerprint as one on-prem — runZero recognizes that it’s the same underlying system. This is why inside-out discovery is so effective: rather than relying on traditional attribution methods like IP ranges or domain registries, runZero focuses on inherent device characteristics.

Once a device’s fingerprint is known, any reappearance gets flagged — be it behind corporate firewalls or exposed on a public IP. This allows security teams to see connections and gaps that external-only scans would miss. Through this inside-out lens, organizations can uncover at-risk assets faster and more accurately, significantly reducing blind spots that attackers often exploit.

To demonstrate, the scenarios outlined below highlight why attribution-based external attack surface management tools struggle with certain types of exposures and how IOASM can help you find the blind spots.

Common scenarios missed by attribution-based EASM

1. The Legacy VPN

A global manufacturer migrated from per-site VPN gateways to zero-trust network access (ZTNA) using endpoint agents. After the migration was complete, the per-site VPN gateways were decommissioned. Unfortunately, the VPN gateway at a small branch office was never turned off. Months later, this gateway was compromised through a zero-day vulnerability in the SSL VPN function, allowing attackers to gain access to the corporate network. Worse, cached credentials dumped from the compromised gateway enabled further ingress into the network.

Why was this missed?

After migrating to ZTNA, the DNS records for the VPN gateways were removed. For small offices, the VPN gateways were connected through business broadband connections, and those IPs were not recorded in the organization’s inventory or part of their EASM configuration.

How did runZero help?

A comprehensive internal discovery scan identified the legacy VPN gateway, leveraging runZero’s advanced device fingerprinting to ensure no assets were overlooked. The runZero Platform’s ability to perform regular, automated scans ensures that similar devices are identified promptly, even if they are misconfigured or hidden in unexpected network segments. Once the gateway was flagged, an alert was configured to notify the security team if any similar devices appeared on the network in the future.

2. The Mobile Broadband Leak

A large financial organization issued laptops to their senior staff, each equipped with built-in mobile broadband cards (cellular modems). The intent was to ensure their team could stay connected even during transit, without relying on public WiFi. These Windows laptops were continuously connected to the mobile network and roamed between cellular providers, even while simultaneously connected to the corporate network through WiFi and wired Ethernet. Depending on which cellular provider was in use, these laptops would sometimes receive public IPv4 and IPv6 addresses, yet the firewall was not configured to block inbound connections. As a result, some portion of the senior staff’s laptops were directly exposed to the internet on semi-random IP addresses. This, in turn, exposed the Remote Desktop and the SMB (CIFS) services to internet attacks. Fortunately, one of these systems was identified in the public Shodan search portal based on the organization’s unique Active Directory domain, and the issue was resolved by deploying a group policy for Windows Firewall that always treated the mobile broadband connection as a public network.

Why was this missed?

Mobile broadband connections can vary dramatically by provider and location. Some providers place customers into private IP space, while others assign public IPs. In some cases private IPv4 addresses are assigned in addition to public IPv6 addresses. Attribution-based exposure management tools struggle to find these connections.

How did runZero help?

An internal scan identified the public IP addresses of these Windows laptops using a combination of unauthenticated NetBIOS (UDP) and DCEPRC (Oxid2Resolver), leveraging runZero’s advanced asset fingerprinting capabilities to detect and categorize devices accurately. The runZero Platform’s ability to conduct both internal and external scans ensured that no public IP addresses associated with these devices were overlooked, even as they roamed between cellular providers. A direct scan of these public IPs confirmed that the mobile broadband connections were exposing these machines directly to the internet, including the Remote Desktop and SMB services.

Additionally, runZero’s automated inventory and exposure tracking ensured that any newly exposed IP addresses were promptly identified. An alert rule was configured to notify the security team whenever a Windows machine on the internal network was detected with a public IP address, enabling real-time monitoring of at-risk devices. This proactive visibility not only mitigated the immediate risk but also provided actionable insights for implementing policies to prevent future exposures, such as refining firewall rules and deploying group policies for Windows Firewall.

3. The “Smart” IP Camera

A national construction firm needed to install a camera in the lobby of their headquarters. They chose an IP camera made by Hikvision, one of the most prolific manufacturers and a type of device that is commonly sold under different brand names. This camera was “smart”; it could detect people and faces and send an alert when particular behavior was observed, such as someone loitering in the lobby after hours. Unfortunately, this camera was too smart; the default configuration caused it to open a hole in the firewall using the UPnP protocol and automatically port-forward several services from the internet to the camera. These services included the video service (RTSP), the web server used for device administration, and a few proprietary Hikvision services.

Shortly after installation, the camera was compromised using an off-the-shelf exploit that enabled remote, unauthenticated command execution through the web service. The attacker gained complete access to the camera and leveraged the Linux operating system shell to explore the company’s internal network. The UPnP-enabled network gateway was an issue on its own, but the automatic port forwarding behavior of the camera escalated the situation into a full-blown crisis.

Why was it missed?

This is an example where EASM can help, but only if the issue was identified and mitigated quickly. EASM tools can be noisy, and investigating the results of new exposures can often take days or weeks to track down the appropriate owner.

How did runZero help?

An internal network scan combined with IOASM capabilities immediately flagged this system as being externally exposed and accurately matched the internal asset to its corresponding external exposure. runZero’s advanced fingerprinting techniques ensured that the match was precise, even for devices with dynamic configurations or those hidden behind network complexities. By leveraging a combination of passive and active discovery, the platform provided comprehensive visibility into both internal and external networks.

Once the exposure was identified, an alert rule was created to notify the security team of similar vulnerabilities in the future. Additionally, runZero’s integration capabilities allowed the organization to correlate this exposure with existing threat intelligence feeds, enabling the team to assess whether the exposed device had been targeted or exploited. This integration also streamlined remediation efforts by generating actionable insights, such as misconfiguration details and recommended mitigation steps.

4. The Developer Tunnel

A global retailer was developing a new version of their online storefront. This work was being coordinated across multiple groups worldwide, including several external contractors. A standard test environment was configured in the cloud, but deployments were taking too long. As a result, the development team began using “tunnel” software, such as Cloudflare Tunnel and ngrok.io, to share their work-in-progress from their developer machines with the wider group.

An attacker stumbled over one of these tunnels and identified a development console in the application that exposed all environment variables. These environment variables contained a wide range of credentials, including access keys to the production cloud account. Fortunately, rather than backdooring the application or stealing data, the attacker instead launched mining bots for cryptocurrency. The organization noticed the resulting cost spike, traced the leaked credential to the developer workstation, and implemented a policy prohibiting the use of tunnels going forward.

Why was it missed?

The internet-side of the tunnel can pop out almost anywhere, including common providers like Cloudflare and ngrok, as well as on virtual machines hosted by cloud providers like Digital Ocean and Linode. These endpoints have no known relationship to the organization’s domain or registered IP ranges, making them difficult to detect with attribution-based tools.

How did runZero help?

This is another example of how IOASM was able to match the internal fingerprint of the web server to an externally exposed service on a tunnel provider. By leveraging advanced fingerprinting, runZero ensured the match was precise, even for services hosted in dynamic or ephemeral environments like those created by tunnel software. This capability provided visibility into hidden or misconfigured exposures that traditional attribution-based methods would likely miss.

After identifying the exposure, an alert rule was configured to notify the security team of any similar issues in the future. Additionally, runZero’s ability to integrate with SIEMs and other security tools allowed the team to automate follow-up actions, such as blocking traffic to unapproved tunnel providers or initiating incident response workflows. The runZero Platform’s continuous monitoring ensures that new tunnels or services appearing in the environment are flagged immediately, reducing detection and response times.

Minimal noise and no real false positives

An important point to note is that IOASM uses detailed fingerprints and a set of layered heuristics to determine if a match between an internal and external asset represents an exposure. This process isn’t perfect, but even in cases where a match doesn’t indicate a true exposure, it still highlights a risk. For example, if the same TLS certificate is found on an internal storage device and also observed on the internet, it could either mean this is the same device or that the device is using a hardcoded TLS key. runZero’s heuristics automatically report duplicated and widely shared keys.

In addition to reporting shared keys, runZero also assigns varying severity levels based on the confidence of the match. For instance, if an internal web server is using a TLS certificate observed on the internet, and that certificate is signed by a valid authority, this is likely either the internal side of an internet-facing web server cluster or a case where the public TLS certificate is also used on internal systems. runZero will report this as a low-risk exposure. Conversely, if the match involves a Remote Desktop service or a SSH host key that is not widely shared, this is almost certainly a critical issue requiring immediate action, and the exposure is reported as high risk.

From theoretical to operational

While it’s easy for us to describe how runZero can detect these threats, it’s even better to show you how to do it in your own instance. The good news is that Inside-Out exposure detection is enabled by default for all runZero customers.

To get started, navigate to the Inventory -> Vulnerabilities section and search for the word “Exposure”. Any internal assets that runZero was able to identify externally, regardless of IP address or location, will be flagged with a vulnerability record based on the type of exposure.

The three exposure detection methods available today are:

• TLS Certificate
• SSH Hostkey
• MAC Address

Here’s an example of an exposure that was identified by matching a TLS public key:

Clicking on the name of the vulnerability will open the details page. This page also provides a list of the public endpoints where this internal system was observed:

Latest Ivanti gateway vulnerabilities

On January 8th, 2025, Ivanti disclosed vulnerabilities in their Ivanti Connect Secure, Ivanti Policy Secure, and Neurons for ZTA products. 

• CVE-2025-0282 – is rated critical with a CVSS score of 9.0. Successful exploitation of this vulnerability would allow a remote unauthenticated attacker to execute arbitrary code on the vulnerable system.
• CVE-2025-0283 – is rated high with a CVSS score of 7.0. Successful exploitation of this vulnerability would allow a local authenticated attacker to execute arbitrary code on the vulnerable system.

Note that the vendor has indicated that there is evidence that these vulnerabilities are being exploited in the wild.

What is the impact?

Successful exploitation of these vulnerabilities would allow an attacker to execute arbitrary code, potentially leading to complete system compromise.

Are updates or workarounds available?

Ivanti has released updates to address these vulnerabilities. Users are urged to update all systems as quickly as possible.

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

product:"Policy Secure" OR product:"Connect Secure"

December 2024 (Multiple CVEs)

On December 10th, 2024, Ivanti disclosed vulnerabilities in their Ivanti Connect Secure and Ivanti Policy Secure products.

• CVE-2024-11633 and CVE-2024-11634 are rated critical with CVSS scores of 9.1. Successful exploitation of these vulnerabilities would allow an authenticated attacker to execute arbitrary code on the affected system.
• CVE-2024-37401 and CVE-2024-37377 are rated high with a CVSS score of 7.5 and could allow a remote, unauthenticated attacker to create a denial-of-service condition on vulnerable systems.
• CVE-2024-9844 is rated high with a CVSS score of 7.1 and could allow a remote, authenticated attacker to bypass application restrictions.

What is the impact?

Successful exploitation of these vulnerabilities would allow an attacker to execute arbitrary code, read potentially sensitive resources, or create a denial-of-service (DoS) condition on affected devices.

Are updates or workarounds available?

Ivanti has released patches to address these vulnerabilities, and all users are urged to update as quickly as possible.

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

product:"Policy Secure" OR product:"Connect Secure"

April 2024 (Multiple CVEs)

On April 2, 2024, Ivanti disclosed multiple vulnerabilities in their Ivanti Connect Secure and Ivanti Policy Secure products.

• CVE-2024-21894 is rated high with CVSS score of 8.2 and allows an unauthenticated attacker to potentially execute arbitrary code on the affected system.
• CVE-2024-22052 is rated high with CVSS score of 7.5 and allows an unauthenticated attacker to create a denial-of-service (DoS) condition on affected systems.
• CVE-2024-22053 is rated high with a CVSS score of 8.2 would allow an unauthenticated attacker to read potentially sensitive memory contents.
• CVE-2024-22023 is rated medium with a CVSS score of 5.3 and would allow an unauthenticated attacker to create a denial-of-service (DoS) condition on affected systems.

What is the impact?

Successful exploitation of these vulnerabilities would allow an attacker to execute arbitrary code, read potentially sensitive memory, or create a denial-of-service (DoS) condition on affected devices.

Are updates or workarounds available?

Ivanti has released patches to address these vulnerabilities, and all users are urged to update as quickly as possible.

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

product:"Policy Secure" OR product:"Connect Secure"

Additional fingerprinting research is ongoing, and additional queries will be published as soon as possible.

February 2024 (CVE-2024-22024)

On February 8th, 2024, Ivanti disclosed a serious vulnerability, CVE-2024-22024, which allowed attackers to bypass authentication on the affected device to reach restricted resources. This vulnerability earned a CVSS score of 8.3 out of 10, indicating a high degree of severity.

The vendor reported that there were no indications that this vulnerability had been exploited in the wild.

What was the impact?

Upon successful exploitation of these vulnerabilities, attackers could access restricted resources on the vulnerable system without authentication. The vendor did not specify which resources were reachable without authentication, but did indicate that such resources were restricted.

Ivanti released an update to mitigate the issue (note that the provided link also discusses previous vulnerabilities in the same products). Users were urged to update as quickly as possible.

January 2024 vulnerabilities

On January 10th, 2024, Ivanti disclosed two serious vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure products.

The first issue, CVE-2023-46805, allowed attackers to bypass authentication controls to access restricted resources without authentication. This vulnerability earned a CVSS score of 8.2 out of 10, indicating a high degree of impact.

The second issue, CVE-2024-21887, allowed attackers to inject arbitrary commands to be executed on the affected device. Attackers had to be authenticated to exploit this vulnerability, but attackers might have been able to use the authentication bypass vulnerability above to achieve this. This vulnerability had a CVSS score of 9.1 out of 10, indicating a critical vulnerability.

The vendor reported that there were indications that these vulnerabilities had been exploited in the wild.

What was the impact?

Upon successful exploitation of these vulnerabilities, attackers could execute arbitrary commands on the vulnerable system. This included the creation of new users, installation of additional modules or code, and, in general, system compromise.

Ivanti released an update to mitigate this issue. Users were urged to update as quickly as possible.

How to find potentially vulnerable products that expose a web interface

From the Services Inventory, use the following query to locate assets running the vulnerable products in your network that expose a web interface and which may need remediation or mitigation:

_asset.protocol:http AND protocol:http AND http.body:"welcome.cgi?p=logo"

China’s state-sponsored cyber operations—aptly nicknamed with “Typhoon” monikers—have been brewing trouble for over a decade. From Violet to Salt Typhoon, these advanced persistent threat (APT) groups have been wreaking havoc on government entities, critical infrastructure, and other high-value targets. Their evolution highlights one thing loud and clear: attackers are always one step ahead, looking for the weakest link. 

But fear not—there’s a way to outpace these storms. Let’s break down what these Typhoons have been up to and how runZero brings calm to the chaos with unparalleled visibility and proactive defense.

The Typhoon Timeline: An Evolution of Threats

The Typhoon story began with Violet Typhoon, which stuck to the basics: phishing, exploiting known vulnerabilities, and going after traditional IT systems. They were your typical “steal the sensitive data and run” kind of crew.

Then came Volt Typhoon, which shifted focus to U.S. critical infrastructure. They embraced “living off the land” techniques, cleverly blending into hybrid IT and OT environments while avoiding detection. Think of them as the first innovators of the Typhoons.

Not to be outdone, Flax Typhoon targeted IoT devices like cameras and DVRs, transforming these “unimportant” devices into powerful botnets. It was a wake-up call for organizations ignoring their IoT inventory.

And now, Salt Typhoon has arrived, skillfully exploiting IT, OT, and IoT systems with alarming precision. Their primary focus? Telecommunications providers and ISPs, where they leverage trusted devices and connections to steal customer call records, compromise private communications—particularly those of individuals involved in government or political activities—and access sensitive information tied to U.S. law enforcement requests under court orders.

Why Visibility is the Game-Changer

The Typhoon saga reveals one critical truth: attackers will find the blind spots in your network. Whether it’s a forgotten IoT device, an outdated VPN concentrator, or a misconfigured firewall, these gaps become open doors for adversaries.

That’s why visibility—complete visibility—is key to staying ahead. Enter runZero.

How runZero Helps You Outmaneuver Salt Typhoon

Salt Typhoon thrives on exploiting edge devices and blending into your network. But runZero makes their job infinitely harder. Here’s how we give you the upper hand:

• Proactive Edge Discovery: With real-time scanning and unmatched fingerprinting capabilities, runZero identifies every device—routers, firewalls, switches—before attackers can. Firmware versions? Check. Misconfigurations? Double-check.
• Mapping Internal Pathways: Once inside, attackers aim to move laterally. runZero lights up internal pathways, exposing high-risk devices and connections that could serve as stepping stones for adversaries.
• Correlating Internal and External Risks: Unlike siloed tools, runZero connects the dots between internal and external assets, revealing shared vulnerabilities and dependencies. That’s insight no other platform offers.
• Risk-Based Prioritization: runZero doesn’t just throw vulnerabilities at you. It ranks them by exploitability, exposure pathways, and criticality, so you can tackle the most pressing issues first.
• Continuous Monitoring: Networks change constantly, and so do risks. With runZero’s continuous discovery, you’ll always have an up-to-date picture of your attack surface.

Actionable Insights for Real-World Defense

Need proof of what runZero can do? Let’s take CISA’s latest guidance tailored to counter Salt Typhoon’s tactics and the queries you can use in the runZero platform to identify assets at risk.

Strengthening Visibility: Monitoring: Network Engineers

If feasible, limit exposure of management traffic to the Internet. Only allow management via a limited and enforced network path, ideally only directly from dedicated administrative workstations. Do not manage devices from the internet. Only allow device management from trusted devices on trusted networks.

# Service Query
(type:router OR type:switch OR type:firewall) AND (port:80 OR port:443) AND has_public:true

Monitor user and service account logins for anomalies that could indicate potential malicious activity. Validate all accounts and disable inactive accounts to reduce the attack surface. Monitor logins occurring internally and externally from the management environment.

# Users Query
alive:t AND (
  isDisabled:true
OR
  (source:googleworkspace suspended:t)
OR
  (source:googleworkspace isEnforcedIn2Sv:f)
OR
  (has:accountExpiresTS)
OR
  (isDisabled:true)
OR
  (passwordExpired:true OR msDS-UserPasswordExpiryTimeComputedTS:<now))

Ensure the inventory of devices and firmware in the environment are up to date to enable effective visibility and monitoring. runZero can track and incorporate end-of-life data from a variety of sources.

# Asset Query
os_eol_expired:t

Monitoring: Network Engineers

Closely monitor all devices that accept external connections from outside the corporate network

# Asset Query
has_public:t

IPsec tunnel usage

# Service Query
protocol:ike

Hardening Systems & Devices: Protocols and Management Processes: Network Engineers

Additionally, as a general strategy, put devices with similar purposes in the same VLAN. For example, place all user workstations from a certain team in one VLAN, while putting another team with different functions in a separate VLAN. runZero’s innovative outlier score can help locate devices that don’t look like others in the same site.

# Asset Query
outlier:>=2

if using Simple Network Management Protocol (SNMP), ensure only SNMP v3 with encryption and authentication is used

# Service Query
protocol:snmp1 or protocol:snmp2 or protocol:snmp2c

Disable all unnecessary discovery protocols, such as Cisco Discovery Protocol (CDP).

# Service Query
protocol:cdp

Ensure Transport Layer Security (TLS) v1.3 is used on any TLS-capable protocols to secure data in transit over a network.

# Service Query
tls.supportedVersionNames:"SSL" OR tls.supportedVersionNames:"TLSv1.0" OR tls.supportedVersionNames:"TLSv1.1" OR tls.supportedVersionNames:"TLSv1.2"

Disable Secure Shell (SSH) version 1.

# Service Query
banner:"SSH-1"

Hardening Systems & Devices: Protocols and Management Processes: Network Defenders

Disable any unnecessary, unused, exploitable, or plaintext services and protocols, such as Telnet, File Transfer Protocol (FTP), Trivial FTP (TFTP), SSH v1, Hypertext Transfer Protocol (HTTP) servers, and SNMP v1/v2c

# Service Query
protocol:telnet OR protocol:ftp OR protocol:tftp OR banner:"SSH-1" OR (protocol:http AND NOT protocol:tls) OR protocol:snmp1 OR protocol:snmp2 OR protocol:snmp2c

Conduct port-scanning and scanning of known internet-facing infrastructure

# Service Query
has_public:t

The Final Word

The Typhoon threat is real, but with runZero, you don’t have to weather the storm alone. Whether you’re facing state-sponsored attackers like Salt Typhoon or just trying to get a handle on your sprawling network, runZero does more than uncover what’s hiding in your network—we redefine what’s possible in exposure management. Our agentless, credential-free approach means you get instant insights without the hassle. And our advanced fingerprinting technology? It’s second to none, giving you detailed device profiles that competitors can only dream of.

But it’s not just about tech; it’s about speed and adaptability. As networks grow more complex and threats more advanced, runZero ensures you’re always one step ahead of these Typhoons no matter how their tactics evolve. From shadow IT to unmanaged IoT, we uncover everything—because the very things you didn’t know existed are exactly what these attackers are looking for.