China Linked Houken Hackers Breach French Systems with Ivanti Zero Days

ANSSI report details the Chinese UNC5174 linked Houken cyberattack using Ivanti zero-days (CVE-2024-8190, 8963, 9380) against the French government, defence and finance sector.

In a report published by ANSSI on July 1, 2025, the French cybersecurity agency revealed a highly skilled cybercrime group, dubbed Houken, has carried out a sophisticated attack campaign exploiting multiple zero-day vulnerabilities (CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380) in Ivanti Cloud Service Appliance (CSA) devices.

This group, believed to be linked to the Chinese threat actor UNC5174, infiltrated high-value targets across France. Affected sectors included government bodies, defence organizations, telecommunications providers, financial institutions, media outlets, and transport networks.

The attacks were first observed in September 2024, targeting French entities seeking initial access to their networks. These zero-day vulnerabilities, meaning they were unknown to Ivanti and the public until exploited, allowed the attackers to remotely execute code on vulnerable devices.

ANSSI’s investigation revealed that this group uses complex ...