The vendor said it’s not aware of any active exploitation of the vulnerabilities, which could allow remote attackers to achieve root access and execute code.
The global campaign marks the second series of multiple actively exploited zero-day vulnerabilities in Cisco edge technology since last spring. The similarities don’t end there.
Too many defenders and researchers are paying attention to defects and unsubstantiated exploit concepts that aren’t worth their time, VulnCheck’s Caitlin Condon said.
Google researchers said Chinese attackers have been exploiting a zero-day since mid-2024, and the attackers have moved on to a more advanced version of the Brickstorm malware called Grimbolt.
Microsoft said three of the exploited vulnerabilities were publicly known, suggesting attackers already had details about the defects prior to Tuesday’s release.
Limited attacks occurred prior to Ivanti’s disclosure, followed by mass exploitation by multiple threat groups. More than 1,400 potentially vulnerable instances remain exposed.
Researchers said the information disclosure zero-day exposes sensitive information that attackers can use to undermine defenses and make other exploits more reliable.
The company says it has no evidence the bug was exploited before October’s patch, but researchers say the AI agent configuration can still enable prompt-injection-style abuse.