ZCyberNews
Threat Intel · High · 4 min read
Tags: CVE-2024-21893, CVE-2024-22024, CVE-2023-34048

SANS Stormcast: Exploits Target Ivanti, Fortinet, and VMware Flaws

The SANS Internet Storm Center reports active exploitation of vulnerabilities in Ivanti, Fortinet, and VMware products, alongside a new phishing campaign using malicious OneNote attachments.

Executive Summary

Active exploitation campaigns are targeting multiple high-severity vulnerabilities in widely deployed enterprise software from Ivanti, Fortinet, and VMware, according to the SANS Internet Storm Center's daily threat briefing for April 13, 2026. The most critical activity involves threat actors chaining two Ivanti Connect Secure vulnerabilities, CVE-2024-21893 and CVE-2024-22024, to achieve unauthenticated remote code execution. Concurrently, a separate phishing campaign is distributing malicious OneNote attachments to deploy remote access trojans (RATs). Organizations using affected products are urged to apply available patches and security updates immediately.

Technical Analysis

The SANS report details exploitation targeting several specific Common Vulnerabilities and Exposures (CVEs). For Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways, attackers are combining a heap overflow vulnerability (CVE-2024-21893) with a privilege escalation flaw (CVE-2024-22024). This chain allows an unauthenticated attacker to execute arbitrary commands on the underlying operating system of the appliance. Ivanti has released security updates to address these issues.

For VMware products, the report notes exploitation of CVE-2023-34048, an out-of-bounds write vulnerability in vCenter Server's implementation of the DCERPC protocol. Successful exploitation can lead to remote code execution. VMware has released patches for affected versions.

In the Atlassian Confluence space, exploitation of CVE-2023-22515 is ongoing. This critical broken access control vulnerability allows an unauthenticated attacker to reset Confluence and create a new administrator account, leading to full system compromise.

Finally, the report mentions continued scanning and potential exploitation attempts for two Fortinet vulnerabilities: CVE-2023-4966, a critical information disclosure flaw in Fortinet FortiGate SSL-VPN, and CVE-2023-46805, an authentication bypass in the same product. These can be chained for unauthorized access to the VPN.

Tactics, Techniques & Procedures

The threat actors are employing a mix of direct vulnerability exploitation and social engineering. The primary TTP for the software exploits involves scanning for and weaponizing known, patched vulnerabilities in perimeter devices and enterprise applications. This follows a common pattern of targeting security and management tools that provide a foothold into enterprise networks.

The phishing campaign utilizes a distinct TTP: distributing emails with malicious OneNote (.one) attachments. When opened, these files display a deceptive image prompting the user to "Double click to view," which executes embedded malicious scripts to download and execute a RAT payload. This technique bypasses macro security controls commonly associated with Microsoft Office documents.
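Triage logic for the OneNote lure described above, added here as an example that is not from the SANS report or ZCyberNews: it walks the FileDataStoreObject records of a .one file (GUID signatures taken from the MS-ONESTORE specification), pulls out each embedded file and flags the ones that are scripts or executables, which is what the "Double click to view" image hands to the user. The sample file it builds is constructed and inert, and the keyword heuristics are this example's own assumptions rather than any vendor's detection.

```python
import re
import struct

# GUIDs from the MS-ONESTORE spec, in on-disk (little-endian) byte order.
ONE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")    # .one file header
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # FileDataStoreObject start
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # FileDataStoreObject end
# Assumed keyword heuristics for script types seen in OneNote lures (null bytes dropped first so UTF-16 text matches).
TEXT_SIGNS = [("hta", r"<hta:application|<script"), ("vbs", r"\bcreateobject\s*\(|wscript\.shell"),
              ("powershell", r"powershell|invoke-expression|\biex\b"), ("batch", r"@echo off|\bcmd(\.exe)?\s+/c")]
SCRIPT_KINDS = {"pe"} | {kind for kind, _ in TEXT_SIGNS}

def classify(payload: bytes) -> str:
    """Cheap content sniffing: binary magics first, then script keywords."""
    if payload.startswith(b"MZ"):
        return "pe"
    if payload.startswith((b"\x89PNG", b"\xff\xd8\xff")):
        return "image"
    text = payload[:4096].replace(b"\0", b"").decode("latin-1").lower()
    return next((kind for kind, pat in TEXT_SIGNS if re.search(pat, text)), "unknown")

def extract_embedded_files(data: bytes) -> list:
    """Walk every FileDataStoreObject: 16-byte GUID, uint64 cbLength, 4 unused + 8 reserved bytes, then cbLength bytes of data."""
    found, pos = [], data.find(FDSO_HEADER)
    while pos != -1 and pos + 36 <= len(data):
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + 36
        payload = data[start:start + cb_length]
        # File data is zero-padded to 8 bytes before the footer GUID; no footer means a truncated or tampered object.
        footer_ok = data.find(FDSO_FOOTER, start + cb_length, start + cb_length + 24) != -1
        found.append({"offset": pos, "size": cb_length, "kind": classify(payload),
                      "truncated": len(payload) < cb_length, "footer_ok": footer_ok, "data": payload})
        pos = data.find(FDSO_HEADER, start + cb_length)
    return found

def triage(data: bytes) -> list:
    """Embedded objects that are executable content, i.e. what a 'Double click to view' lure would launch."""
    if not data.startswith(ONE_MAGIC):
        return []
    return [o for o in extract_embedded_files(data) if o["kind"] in SCRIPT_KINDS]

def build_sample() -> bytes:
    """Constructed stand-in for a phishing .one file: a lure image plus an inert HTA stub (not a real sample)."""
    def fdso(payload: bytes) -> bytes:
        return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER
    lure = b"\x89PNG\r\n\x1a\n" + b"\0" * 16
    hta = b"<html><head><hta:application id=x></head><script>/* constructed placeholder, does nothing */</script></html>"
    return ONE_MAGIC + b"\0" * 32 + fdso(lure) + b"\0" * 8 + fdso(hta)
```

Running `triage(open(path, "rb").read())` on a quarantined attachment lists the offset, size and guessed type of each embedded script, which is enough to decide whether the file deserves sandbox detonation.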

Threat Actor Context

The SANS report does not attribute these exploitation activities to specific threat actor groups or nations. The widespread availability of proof-of-concept exploit code and technical details for these vulnerabilities suggests they are being leveraged by a broad range of actors, including cybercriminal groups and state-sponsored entities. The goal is likely initial access for subsequent operations such as ransomware deployment, data theft, or espionage.

Mitigations & Recommendations

The paramount mitigation is immediate patching. Organizations must apply vendor-provided security updates for all affected products without delay. Specific actions include:

  1. Ivanti: Apply the latest security updates for Connect Secure and Policy Secure gateways. Ivanti has also provided a mitigation for CVE-2024-22024 involving the deletion of a specific XML file (reputation.xml).
  2. VMware: Apply the patches listed in VMware Security Advisory VMSA-2023-0023 for vCenter Server.
  3. Atlassian: Upgrade Confluence Data Center and Server to a fixed version as outlined in Atlassian's advisory.
  4. Fortinet: Patch all FortiGate appliances to versions that address CVE-2023-4966 and CVE-2023-46805.
  5. Phishing Defense: Implement application control policies to block execution of scripts (e.g., PowerShell, HTA) from user-writable directories, including temporary folders used by OneNote. User awareness training should highlight the risks of opening unsolicited OneNote attachments.
  6. General: Ensure robust network segmentation to limit the lateral movement potential of a compromised appliance. Closely monitor network traffic from these critical systems to external destinations.
