Safeguard
Vulnerability Analysis

CVE analysis: nation-state supply chain attacks on defens...

CVE analysis of nation-state supply chain attacks on defense contractors: SolarWinds SUNBURST and Ivanti Connect Secure exploitation, CVSS, KEV, and fixes.

Vikram Iyer
Security Researcher
8 min read

Every major nation-state supply chain attack on defense contractors shares the same root cause: a trusted update, library, or remote-access appliance became the delivery mechanism for espionage. This is not a hypothetical risk. It is the pattern behind two of the most consequential intrusion campaigns of the last five years — the SolarWinds Orion/SUNBURST compromise attributed to Russia's SVR, and the 2023-2024 exploitation of Ivanti Connect Secure by a China-nexus actor CISA and Mandiant track as UNC5221/UTA0178. Both campaigns reached deep into the U.S. defense industrial base (DIB), and both map to specific, well-documented CVEs with confirmed CISA Known Exploited Vulnerabilities (KEV) status. This post walks through the vulnerability details, the exploitation timeline, and what defense contractors and their suppliers should be doing differently.

Affected Versions and Components

SolarWinds Orion Platform. The SUNBURST backdoor was injected into the build pipeline for SolarWinds Orion, a widely deployed IT infrastructure monitoring suite. Trojanized DLLs shipped inside Orion Platform versions 2019.4 through 2020.2.1 HF1, distributed as legitimate, digitally signed software updates between March and June 2020. Separately, SolarWinds disclosed CVE-2020-10148, an authentication bypass in the Orion API that allowed a remote, unauthenticated attacker to execute API commands — a vulnerability uncovered during the post-breach investigation and patched alongside the SUNBURST remediation. Because Orion is used to monitor network devices, servers, and databases, the trojanized agent had privileged visibility and reach across victim environments, including systems inside defense contractor networks.

Ivanti Connect Secure and Policy Secure. Roughly three years later, a different actor targeted a different class of trusted infrastructure: edge VPN appliances. CVE-2023-46805 is an authentication bypass in the web component of Ivanti Connect Secure (formerly Pulse Connect Secure) and Ivanti Policy Secure gateways. CVE-2024-21887 is a command injection vulnerability in the same web components. Chained together, an unauthenticated attacker could bypass login controls and execute arbitrary commands with root-level access on the appliance — no valid credentials required. Ivanti disclosed both on January 10, 2024, and subsequent advisories added related flaws (CVE-2024-21888, CVE-2024-21893, CVE-2024-22024) affecting the same product lines as the investigation expanded.

CVSS, EPSS, and KEV Context

CVE-2020-10148 carries a CVSS v3.1 base score of 9.8 (Critical) — unauthenticated, network-exploitable, with high impact to confidentiality, integrity, and availability. It has been listed in CISA's KEV catalog since the catalog's initial publication in November 2021, reflecting confirmed in-the-wild exploitation.

The Ivanti pair is similarly severe: CVE-2023-46805 scores 8.2 (High) and CVE-2024-21887 scores 9.1 (Critical), but the real danger is the chain — combined, they deliver unauthenticated remote code execution. CISA added both to the KEV catalog within days of disclosure and, in an unusual step, issued Emergency Directive 24-01 ordering federal civilian agencies to disconnect affected appliances from their networks entirely, not just patch them, because threat actors had already demonstrated the ability to survive factory resets and forge integrity-checker results. EPSS scoring for both Ivanti CVEs sits near the top of the probability distribution, consistent with the sustained, automated exploitation activity observed after public disclosure — exactly the signal EPSS is designed to surface for prioritization.

Timeline

  • September 2019: Attackers later attributed to APT29 (Cozy Bear/Nobelium) gain a foothold in SolarWinds' build environment.
  • February 2020: The SUNBURST backdoor is compiled into the Orion Platform source and inserted into the software build process.
  • March–June 2020: Trojanized Orion updates are distributed to roughly 18,000 customers, including multiple U.S. federal agencies and defense contractors.
  • December 8, 2020: FireEye (Mandiant) discloses its own breach and traces the intrusion vector to Orion.
  • December 13, 2020: SUNBURST is publicly disclosed; CISA issues Emergency Directive 21-01 directing agencies to disconnect or patch affected Orion instances.
  • December 2023: Volexity and Mandiant separately observe active, pre-disclosure exploitation of unknown Ivanti Connect Secure flaws against multiple organizations.
  • January 10, 2024: Ivanti publicly discloses CVE-2023-46805 and CVE-2024-21887 and issues initial mitigation guidance ahead of patches.
  • January–February 2024: CISA adds both CVEs to KEV, issues Emergency Directive 24-01, and, with Mandiant, publishes advisory AA24-060A documenting exploitation of the vulnerability chain against defense industrial base, government, and critical infrastructure targets by the actor tracked as UNC5221.

Why Nation-State Supply Chain Attacks on Defense Contractors Keep Working

Both campaigns succeeded for the same structural reason: defense contractors extend implicit trust to vendor-signed software and network appliances that sit outside the scope of normal application security review. A monitoring agent or a VPN gateway is rarely treated as an attack surface with the same rigor as internally developed code, even though it often has broader network privileges. This is precisely the gap that APT software supply chain compromise techniques are built to exploit — the malicious code (or the appliance running it) arrives through a channel the organization already trusts and has agreed to auto-update.

The defense industrial base is a particularly attractive target set for this technique. A single compromised managed service provider, network monitoring vendor, or remote-access appliance vendor can provide simultaneous access to dozens of downstream defense contractors, subcontractors, and the government program offices they serve — which is exactly what happened in the SolarWinds case and is the pattern CISA's defense industrial base breach analysis work continues to track in subsequent campaigns. Attackers increasingly also profile the software bill of materials of target organizations before choosing an entry point, looking for a widely deployed dependency or appliance with disproportionate reach. A state-sponsored SBOM exploit doesn't need a zero-day in the defense contractor's own code; it needs one weak link somewhere in the dependency graph the contractor doesn't have full visibility into.

Remediation Steps

For organizations still running affected or historically affected software, or assessing exposure to these campaigns:

  1. Patch immediately and verify version state. SolarWinds Orion instances should be on 2020.2.1 HF2 or later (the clean, patched release); any environment still on 2019.4–2020.2.1 HF1 should be treated as compromised until forensically cleared, not just patched in place. Ivanti Connect Secure and Policy Secure appliances should be fully updated per Ivanti's published advisories, and organizations should follow CISA's guidance to factory-reset appliances before applying patches, since attackers demonstrated persistence techniques that survive naive remediation.
  2. Assume compromise, don't just assume patchability. For both campaigns, patching alone was insufficient — CISA explicitly warned that threat actors had planted persistence mechanisms and forged integrity-check output on Ivanti devices. Rebuild or reimage affected appliances from a known-good state and rotate all credentials and certificates that touched the compromised device or software.
  3. Inventory your software and appliance supply chain. Maintain an accurate, current SBOM for internally built software and demand SBOMs or equivalent transparency from critical vendors — especially monitoring tools, remote-access gateways, and anything with broad network privilege.
  4. Monitor egress and lateral movement, not just endpoints. Both SUNBURST and the Ivanti exploitation chain relied on outbound C2 traffic and lateral movement that stood out from baseline behavior once analysts knew what to look for. Network detection and anomaly baselining catch what signature-based tools miss during the dwell-time window before disclosure.
  5. Track KEV and CISA directives as a floor, not a ceiling. Federal defense contractors are contractually and often regulatorily obligated to act on CISA Emergency Directives, but the same urgency should apply regardless of contract status — KEV listing is a strong signal of confirmed active exploitation, and EPSS scores should feed directly into patch prioritization rather than sitting in a separate report nobody reads.

How Safeguard Helps

Safeguard is built for exactly this failure mode: trusted software and appliances quietly becoming the attack path into defense contractor networks. Safeguard continuously generates and verifies SBOMs across your software supply chain, so a state-sponsored SBOM exploit targeting a transitive dependency or vendor component doesn't sit undetected for months the way SUNBURST did. Vulnerability findings are automatically correlated with CVSS severity, CISA KEV status, and EPSS exploitation-probability data, so security teams can prioritize the handful of CVEs — like CVE-2020-10148 or the CVE-2023-46805/CVE-2024-21887 chain — that represent real, active nation-state supply chain attack defense contractors face, instead of triaging thousands of low-signal findings.

For organizations in the defense industrial base, Safeguard maps vulnerability and provenance data to the compliance frameworks that matter — CMMC, NIST SP 800-171, and SOC 2 — turning supply chain risk visibility into audit-ready evidence rather than a one-time scan result. Combined with build provenance verification and continuous monitoring for anomalous vendor updates, Safeguard is designed to shorten the gap between "a nation-state actor compromised a trusted vendor" and "we detected it," which is the single most important variable in every case study above.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.