Inside the Infrastructure: Who’s Scanning for Ivanti Connect Secure?

GreyNoise detected a 100x surge in Ivanti Connect Secure reconnaissance targeting CVE-2025-0282 (EPSS 93%). Analysis reveals two distinct campaigns: an aggressive AS213790-based operation generating 34K+ sessions and a stealthier distributed botnet approach across 6K IPs. Infrastructure analysis and defender recommendations included.
Tags: Ivanti, CVE-2025-0282, threat infrastructure, AS213790, reconnaissance, cybersecurity
Author: Glenn Thorpe & 🔮Orbie✨

Published: January 29, 2026

Between January 21st and 28th, GreyNoise sensors observed reconnaissance activity against Ivanti Connect Secure jump roughly 100x above historical baselines (nope! not a typo!! 100x!!!).

What made this spike interesting wasn’t just the volume—it was the structure. We’re tracking two distinct campaigns running in parallel, each with different infrastructure, pacing, and apparent objectives.

Both campaigns targeted Ivanti Connect Secure’s /dana-na/auth/url_default/welcome.cgi endpoint. They share a target vulnerability—CVE-2025-0282 (EPSS: 93.05%)—but diverge in infrastructure, tactics, and likely operators.

Let’s look at what the infrastructure tells us.

Campaign 1: The AS213790 Cluster

The higher-volume campaign was concentrated in AS213790, operated by Limited Network LTD. This provider has appeared in previous reconnaissance campaigns—familiar territory for threat hunters.

The geographic footprint is clustered in Romania and Moldova. Over the observation window, this campaign generated:

  • 34,172 total sessions
  • Peak rate of 1,310 requests/hour
  • Aggressive burst patterns

The infrastructure choice suggests operators are comfortable with “noisy” providers that tolerate scanning traffic. The burst pattern indicates automated tooling running hot—someone’s racing to enumerate targets before patches deploy.

(Side note: AS213790 showing up again is the network equivalent of that one neighbor’s car alarm. At some point, you stop being surprised.)

Campaign 2: The Distributed Approach

The second campaign took the opposite approach. Roughly 6,000 unique IPs participated, spread across multiple ASNs and geographies. No single provider dominated the traffic.

This distribution pattern is consistent with:

  • Botnet infrastructure – compromised hosts providing scanning capacity
  • Residential proxy networks – purchased access to legitimate-appearing IPs
  • Multi-cloud deployment – spinning up instances across providers to avoid concentration

The pacing stayed lower and steadier than Campaign 1. This isn’t operators who want speed—it’s operators who want to avoid detection.

Comparing the Campaigns

Attribute        Campaign 1               Campaign 2
Infrastructure   Concentrated (AS213790)  Distributed
Geography        Romania/Moldova          Global
Volume           34,172 sessions          ~6,000 IPs
Peak Rate        1,310/hour               Lower, sustained
Strategy         Aggressive enumeration   Methodical reconnaissance
Detection Risk   Higher                   Lower

Are these the same actor with different tooling, or competing groups targeting the same vulnerability? Both scenarios are plausible. The timing overlap—both campaigns active across the same week—could indicate coordination or simply shared awareness of a high-value target.

The Target: CVE-2025-0282

The campaigns converge on /dana-na/auth/url_default/welcome.cgi, the pre-exploitation version-check endpoint associated with CVE-2025-0282. With an EPSS score of 93.05%, this vulnerability ranks near the top of exploitability rankings. CVE-2025-0283 (EPSS: 0.18%) affects the same product but hasn’t generated the same level of interest.

The EPSS differential makes sense. Attackers prioritize vulnerabilities with proven exploitation paths. A 93% score signals that weaponization is either available or imminent.

Defender Takeaways

The infrastructure analysis reinforces what the volume already suggested: this is serious reconnaissance activity, not background noise.

  1. Patch status matters now. CVE-2025-0282 exploitation is a matter of when, not if.
  2. Log review should include the target path. External requests to /dana-na/auth/url_default/welcome.cgi deserve scrutiny.
  3. Network exposure deserves reassessment. Every internet-facing Ivanti instance is potentially on a target list.
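As an added example for takeaway 2 (this is not GreyNoise’s code), a short Python triage script that parses combined-format access-log lines, keeps requests for the welcome.cgi path, and reports volume, source spread and per-source hourly bursts, so a concentrated burst like Campaign 1 can be told apart from low-and-slow distributed activity like Campaign 2. The log format, the sample lines and the burst threshold are assumptions, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

TARGET_PATH = "/dana-na/auth/url_default/welcome.cgi"  # endpoint named in the post

# Assumes Apache/nginx combined log format; adjust the regex for your proxy or WAF.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jan/2026:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512
203.0.113.10 - - [22/Jan/2026:10:01:03 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512
203.0.113.10 - - [22/Jan/2026:10:01:05 +0000] "GET /dana-na/auth/url_default/welcome.cgi?x=1 HTTP/1.1" 200 512
198.51.100.7 - - [22/Jan/2026:11:30:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512
198.51.100.9 - - [22/Jan/2026:11:45:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 512
192.0.2.1 - - [22/Jan/2026:11:50:00 +0000] "GET /index.html HTTP/1.1" 200 100
garbage line that does not parse
""".splitlines()

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]  # ignore the query string when matching the path
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "path": path}

def welcome_cgi_hits(lines):
    """Keep only requests for the target path, skipping unparseable lines."""
    parsed = (parse_line(l) for l in lines)
    return [r for r in parsed if r and r["path"] == TARGET_PATH]

def summarize(lines, burst_per_hour=100):
    """Volume, source spread, and per-source hourly bursts for the target path.
    Few sources each above burst_per_hour looks like the concentrated campaign; many
    sources at low, steady rates looks like the distributed one. Threshold is assumed."""
    hits = welcome_cgi_hits(lines)
    per_ip_hour = defaultdict(int)
    for h in hits:
        per_ip_hour[(h["ip"], h["ts"].strftime("%Y-%m-%dT%H"))] += 1
    return {
        "total_hits": len(hits),
        "unique_sources": len({h["ip"] for h in hits}),
        "peak_hourly_per_source": max(per_ip_hour.values(), default=0),
        "burst_sources": sorted({ip for (ip, _), n in per_ip_hour.items() if n >= burst_per_hour}),
    }
```

Run `summarize(SAMPLE_LOG, burst_per_hour=3)` to see the single bursting source flagged; point it at your own log lines and a realistic threshold for production use.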

Ongoing Monitoring

We’re continuing to track both campaigns. As infrastructure patterns stabilize, we’ll publish IOCs for defenders to operationalize.

If you’re seeing hits against this endpoint in your environment, drop us a line. Collective visibility makes everyone’s picture clearer.