Other
Pulse Secure / Ivanti VPN Zero-Day Exploitation by APT5 (US Defense Industrial Base)
Primary Source
Incident Details
In April 2021, Mandiant (FireEye) and CISA disclosed that at least two Chinese APT groups (tracked as UNC2630 and UNC2717, attributed to APT5 / MANGANESE) had been exploiting zero-day and N-day vulnerabilities in Pulse Connect Secure VPN appliances since at least mid-2020. The primary zero-day, CVE-2021-22893, allowed unauthenticated remote code execution. Targets included US defense contractors, financial organizations, and government agencies. The attackers deployed multiple sophisticated malware families, including SLOWPULSE, RADIALPULSE, HARDPULSE, and QUIETPULSE, to maintain persistent access and bypass authentication. CISA issued Emergency Directive 21-03, requiring all federal agencies to run Ivanti's Integrity Checker Tool and report affected devices. At least 12 US organizations were confirmed compromised. The attackers demonstrated deep knowledge of Pulse Secure's internal authentication code, suggesting prior access to the VPN software's source code or extensive research. The incident underscored the severe risk of VPN appliances as initial access vectors, particularly for nation-state attackers willing to invest in zero-day research.
Technical Details
- Initial Attack Vector
- Multiple Chinese APT groups (UNC2630 / APT5, and others) exploited CVE-2021-22893 and related zero-day vulnerabilities in Pulse Connect Secure VPN appliances to gain unauthorized access to targeted organizations' networks without authentication
- Vendor / Product
- Pulse Connect Secure VPN (Pulse Secure / Ivanti)
- CVE / GHSA References
- CVE-2021-22893
- CVE-2019-11510
- CVE-2020-8260
Timeline
- 2021-01-01 Breach occurred
- 2021-04-20 Publicly disclosed
- 2021-04-20 Customers notified