What starting position does this attack require?

The first step is Identify vulnerable Pulse Connect Secure (W-RECON-FINGERPRINT) — a reconnaissance primitive. Assumed environment: target uses Ivanti Connect Secure unpatched for the 2024 chain (CVE-2023-46805 + CVE-2024-21887).

What is the final impact of this kill-chain?

The final step lands on Exfil VPN configs (RADIUS, LDAP binds) (VPN-CONFIG-EXFIL), which falls under Collection. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Ivanti Pulse Connect Secure → pre-auth RCE → corporate VPN takeover

Two-stage chain (auth bypass + command injection) lands root on the Pulse appliance. Exfil VPN configs, pivot through the tunnel into the corporate network.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Reconnaissance

Identify vulnerable Pulse Connect Secure

W-RECON-FINGERPRINT · Tech Stack Fingerprinting

Lateral Movement

Pivot through VPN into corporate network

N-CHISEL · chisel / ligolo / sshuttle Tunnel

Initial Access

Command injection → root shell

VPN-IVANTI-PULSE · Ivanti Pulse / Connect Secure RCE

Initial Access

Auth bypass on /api/v1/...

VPN-IVANTI-PULSE · Ivanti Pulse / Connect Secure RCE

Persistence

Plant appliance implant for persistence

VPN-APPLIANCE-IMPLANT · VPN Appliance Implant

Collection

Exfil VPN configs (RADIUS, LDAP binds)

VPN-CONFIG-EXFIL · VPN Configuration Exfil

§ Context

Assumed environment: target uses Ivanti Connect Secure unpatched for the 2024 chain (CVE-2023-46805 + CVE-2024-21887). Appliance reachable from internet.

§ Steps

01
Identify vulnerable Pulse Connect SecureReconnaissance
W-RECON-FINGERPRINT— Tech Stack Fingerprinting
02
Pivot through VPN into corporate networkLateral Movement
N-CHISEL— chisel / ligolo / sshuttle Tunnel
03
Command injection → root shellInitial Access
VPN-IVANTI-PULSE— Ivanti Pulse / Connect Secure RCE
04
Auth bypass on /api/v1/...Initial Access
VPN-IVANTI-PULSE— Ivanti Pulse / Connect Secure RCE
05
Plant appliance implant for persistencePersistence
VPN-APPLIANCE-IMPLANT— VPN Appliance Implant
06
Exfil VPN configs (RADIUS, LDAP binds)Collection
VPN-CONFIG-EXFIL— VPN Configuration Exfil

§ Frequently asked

What is the "Ivanti Pulse Connect Secure → pre-auth RCE → corporate VPN takeover" attack path?: Two-stage chain (auth bypass + command injection) lands root on the Pulse appliance. Exfil VPN configs, pivot through the tunnel into the corporate network. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Identify vulnerable Pulse Connect Secure (W-RECON-FINGERPRINT) — a reconnaissance primitive. Assumed environment: target uses Ivanti Connect Secure unpatched for the 2024 chain (CVE-2023-46805 + CVE-2024-21887).
What is the final impact of this kill-chain?: The final step lands on Exfil VPN configs (RADIUS, LDAP binds) (VPN-CONFIG-EXFIL), which falls under Collection. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

Shared techniques2
FortiGate SSL-VPN pre-auth RCE → config theft
Pre-auth heap overflow / format-string against FortiGate sslvpnd grants root on the appliance. Pull the running config, decrypt stored RADIUS / LDAP / VPN-user secrets.

§ Context

§ Steps

§ Frequently asked

§ Related dossiers

FortiGate SSL-VPN pre-auth RCE → config theft