Ivanti Connect Secure — CVE-2026-21805 Unauthenticated Command Injection
Ivanti Connect Secure: CVSS 9.8 Zero-Day Under Active Exploitation
Confidence: High
A critical unauthenticated command injection vulnerability, tracked as CVE-2026-21805, has been identified in the web components of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) appliances. Successful exploitation gives a remote, unauthenticated attacker OS-level command execution on the appliance, which is then used to establish persistence and move laterally into the corporate network behind it. Current intelligence suggests that both state-sponsored and sophisticated criminal clusters are actively exploiting this zero-day to bypass perimeter security. Given the widespread use of Ivanti VPN appliances, organizations must prioritize immediate patching and verify appliance integrity with the Ivanti Integrity Checker Tool (ICT). Patching does not evict an attacker who is already on the appliance: an appliance that fails the ICT check should be rebuilt, and credentials that transited it should be rotated.
Android Kernel Zero-Day (CVE-2026-21010) Added to CISA KEV
Confidence: High
CISA has added a new Android kernel zero-day, tracked as CVE-2026-21010 (CVSS 8.4), to its Known Exploited Vulnerabilities catalogue. The vulnerability allows local privilege escalation and is typically used as one stage of a multi-stage exploit chain delivering mobile surveillance tooling. Pixel and Samsung flagship devices are specifically affected. Patches have been released, but deployment lag across enterprise mobile fleets remains a significant risk. This follows yesterday's "DarkSword" (iOS) threat, meaning both major mobile ecosystems are now under active exploitation.
"The Gentlemen" Ransomware: Strategic Escalation into UK Fintech
Confidence: High
The ransomware group known as "The Gentlemen" (a Qilin splinter) has confirmed a disruptive attack on Xactly Fintech, a UK-based financial services provider. This is a significant escalation and geographic expansion from the group's previous targeting of Czech national infrastructure, which included the recent 1.2TB data leak from Economia. Moving into UK financial services suggests the group's operational objectives are broadening toward high-value financial disruption across the UK/EU region.
APT29 Targeting Managed Service Providers (MSPs) via Entra ID
Confidence: Medium
NCSC UK has issued a joint advisory warning that the threat actor APT29 is actively targeting Managed Service Providers (MSPs) in the UK/EU. The group is leveraging cloud-native TTPs, specifically compromising Entra ID (Azure AD) service accounts and abusing OAuth applications. These paths sidestep multi-factor authentication because tokens issued to a consented application, or to a service principal authenticating with a secret or certificate, involve no interactive MFA prompt. Because an MSP tenant typically holds delegated access into many customer tenants, this is a direct supply-chain threat to the small and medium-sized businesses that rely on MSPs for their security operations.
Why This Matters
The emergence of the Ivanti zero-day opens a second front of critical infrastructure risk alongside the ongoing Quest KACE SMA exploitation. Simultaneously, the addition of a new Android kernel zero-day to the CISA KEV means that both iOS and Android users now face active, high-priority threats. The shift of "The Gentlemen" into the UK fintech market, combined with APT29's focus on MSPs, signals a concurrent increase in risk for the UK's financial and service ecosystems.
Recommended Actions
- Patch Ivanti Connect Secure and Policy Secure (CVE-2026-21805) immediately; run the Integrity Checker Tool (ICT) to verify appliance integrity, and rebuild any appliance that fails the check rather than relying on the patch alone.
- Enforce the March 2026 Android security patch level across all managed devices to mitigate CVE-2026-21010; verify from MDM inventory or with adb shell getprop ro.build.version.security_patch on devices you can reach directly.
- Audit Entra ID (Azure AD) service principals and OAuth applications for anomalous permissions (tenant-wide consent, high-privilege application permissions, apps owned by unfamiliar tenants) and for service-principal sign-ins from unexpected locations, per NCSC UK guidance.
- Meet the April 3 CISA deadline for Quest KACE SMA (CVE-2025-32975) patching and continue Chrome zero-day remediation (deadline March 27).
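The following script is an added example illustrating the APT29 MSP item and the Entra ID audit action above; it is not NCSC, Microsoft or vendor code. It performs an offline triage over the JSON shapes Microsoft Graph returns for service principals, delegated consent grants (oauth2PermissionGrants), application permissions (appRoleAssignments) and sign-in events, flagging the combinations the briefing describes: tenant-wide consent to mailbox scopes, high-privilege application permissions, recently created or foreign-owned apps, and service-principal sign-ins from outside the countries you operate from. All records, GUIDs, tenant IDs, country allow-list and the "high risk" permission set are constructed assumptions for the example; replace them with your own export and policy.

```python
"""Offline triage of Entra ID OAuth consents, application permissions and
service-principal sign-in origins (added example, not NCSC or Microsoft code).

Consumes the record shapes returned by Microsoft Graph:
  GET /v1.0/servicePrincipals                          (apps; resource SPs carry appRoles)
  GET /v1.0/oauth2PermissionGrants                      (delegated consents)
  GET /v1.0/servicePrincipals/{id}/appRoleAssignments   (application permissions)
  sign-in log export (auditLogs/signIns shape)          (authentication origins)
Every record below is CONSTRUCTED sample data; IDs are readable labels, not real GUIDs.
"""
from datetime import datetime, timedelta, timezone

OUR_TENANT = "11111111-1111-1111-1111-111111111111"   # assumption: the MSP tenant id
EXPECTED_COUNTRIES = {"GB", "IE"}                      # assumption: where our automation runs
NOW = datetime(2026, 3, 24, 4, 30, tzinfo=timezone.utc)

# Assumption: permissions that hand an app mailbox, file or directory control
# without any interactive MFA prompt once consent exists. Tune to your tenant.
HIGH_RISK = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "User.ReadWrite.All", "Group.ReadWrite.All", "Sites.ReadWrite.All",
}

# Constructed resource service principal: appRoleAssignments reference appRole
# ids, and only the resource SP's appRoles list maps an id to a readable value.
GRAPH_SP = {"id": "graph-sp", "appDisplayName": "Microsoft Graph", "appRoles": [
    {"id": "role-mail-read", "value": "Mail.Read"},
    {"id": "role-user-read-all", "value": "User.Read.All"},
    {"id": "role-dir-rw", "value": "Directory.ReadWrite.All"},
]}
SERVICE_PRINCIPALS = [
    {"id": "sp-backup", "displayName": "RMM Backup Connector",
     "appOwnerOrganizationId": OUR_TENANT, "createdDateTime": "2024-05-02T09:00:00Z"},
    {"id": "sp-mailsync", "displayName": "Mail Sync Helper",
     "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999",  # foreign tenant
     "createdDateTime": "2026-03-21T22:14:00Z"},
]
OAUTH2_GRANTS = [  # delegated consents; AllPrincipals = admin consent for every user
    {"clientId": "sp-backup", "consentType": "Principal", "principalId": "user-1",
     "resourceId": "graph-sp", "scope": "User.Read offline_access"},
    {"clientId": "sp-mailsync", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "Mail.ReadWrite Mail.Send offline_access"},
]
APP_ROLE_ASSIGNMENTS = [  # application permissions: no user context at all
    {"principalId": "sp-backup", "resourceId": "graph-sp", "appRoleId": "role-user-read-all"},
    {"principalId": "sp-mailsync", "resourceId": "graph-sp", "appRoleId": "role-dir-rw"},
]
SIGN_INS = [  # constructed service-principal sign-ins
    {"servicePrincipalId": "sp-backup", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB"}, "createdDateTime": "2026-03-23T08:00:00Z"},
    {"servicePrincipalId": "sp-mailsync", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "SG"}, "createdDateTime": "2026-03-23T23:41:00Z"},
]


def parse_ts(s):
    """Graph timestamps are ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def role_values(resource_sps):
    """Map (resourceId, appRoleId) -> permission value using each resource's appRoles."""
    return {(sp["id"], r["id"]): r["value"] for sp in resource_sps for r in sp["appRoles"]}


def audit(service_principals, grants, assignments, sign_ins, resource_sps,
          now=NOW, tenant=OUR_TENANT, expected_countries=EXPECTED_COUNTRIES):
    """Return {servicePrincipalId: [finding, ...]} for principals that need a human look."""
    roles = role_values(resource_sps)
    findings = {}

    def flag(sp_id, text):
        findings.setdefault(sp_id, []).append(text)

    for sp in service_principals:
        # Multi-tenant apps registered elsewhere are the classic consent-phishing vehicle.
        # Microsoft first-party apps also show a foreign owner; allow-list those deliberately.
        if sp.get("appOwnerOrganizationId") != tenant:
            flag(sp["id"], "app owned by foreign tenant")
        if now - parse_ts(sp["createdDateTime"]) < timedelta(days=30):
            flag(sp["id"], "service principal created in last 30 days")
    for g in grants:
        risky = sorted(set(g["scope"].split()) & HIGH_RISK)
        if risky and g["consentType"] == "AllPrincipals":
            flag(g["clientId"], f"tenant-wide delegated consent: {risky}")
    for a in assignments:
        value = roles.get((a["resourceId"], a["appRoleId"]), a["appRoleId"])
        if value in HIGH_RISK:
            flag(a["principalId"], f"application permission: {value}")
    for s in sign_ins:
        country = s.get("location", {}).get("countryOrRegion")
        if country not in expected_countries:
            flag(s["servicePrincipalId"], f"sign-in from {country} ({s['ipAddress']})")
    return findings


if __name__ == "__main__":
    for sp_id, items in audit(SERVICE_PRINCIPALS, OAUTH2_GRANTS, APP_ROLE_ASSIGNMENTS,
                              SIGN_INS, [GRAPH_SP]).items():
        print(sp_id)
        for item in items:
            print("  -", item)
```

Real exports can be pulled with Microsoft Graph PowerShell (Get-MgServicePrincipal, Get-MgOauth2PermissionGrant, Get-MgServicePrincipalAppRoleAssignment) and your sign-in log export, then fed in as lists of dicts. The thresholds are deliberately crude; the point is that a principal which is foreign-owned, newly created, holds tenant-wide mailbox consent and authenticates from an unexpected country stacks several independent signals, which is the pattern to escalate.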
All findings grounded in A13E intelligence sweeps through 04:30 UTC 24 March 2026.