Ivanti Connect Secure New Zero-Day Under Active Exploitation

Sunday, March 15, 2026 at 01:00 PM UTC·Source: Mandiant / Ivanti

Updated: Monday, March 16, 2026 at 10:00 AM UTC

Executive Summary

Another zero-day in Ivanti Connect Secure VPN appliances. Stack buffer overflow enables unauthenticated RCE. Third major Ivanti VPN zero-day in two years.

Analysis

CVE-2026-18321 is a stack buffer overflow in Ivanti Connect Secure allowing unauthenticated RCE via crafted IKEv2 packets. Mandiant has observed exploitation by suspected Chinese state-sponsored actors. This is the third major zero-day in Ivanti VPN products since January 2024. Ivanti released emergency patches and recommends factory reset before patching.

Timeline

Discovered

Mar 8, 2026

Exploitation Detected

Mar 8, 2026

Published

Mar 15, 2026

Patch Available

Mar 15, 2026

Indicators of Compromise (1)

CVE (1)

CVE-2026-18321

NVD MITRE CVE

Source Attribution

Originally published by Mandiant / Ivanti on Mar 15, 2026. Verified by: CISA, Mandiant, Ivanti.

Related Threats

CRITICALZero Day

Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched

Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems. The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (

Apr 17, 2026The Hacker News

CRITICALZero Day

White House moves to give federal agencies access to Anthropic’s Claude Mythos

The US government is preparing to authorize a version of Anthropic’s Claude Mythos model for use by major US federal agencies, amid concerns that the AI model could rapidly spot cybersecurity vulnerabilities and offer the ability to exploit them. Federal Chief Information Officer Gregory Barbaccia at the White House Office of Management and Budget (OMB) told officials at Cabinet departments on Tue

Apr 17, 2026CSO Online

CRITICALZero DayPOC

Caught, Quarantined, Re-installed: RedSun turns Microsoft Defender on itself

Days after Microsoft patched a high-severity issue affecting its Windows Defender antivirus tool through April’s Patch Tuesday, researchers warn of another vulnerability that could enable SYSTEM privileges through local escalation. In a newly disclosed proof-of-concept (PoC) exploit, dubbed “RedSun,” GitHub user going by the name “Nightmare Eclipse” demonstrated how Microsoft Defender’s handling o

CVE-2026-33825

Apr 17, 2026CSO Online