Vulnerability Alerts

5 mins

Active exploitation of Ivanti Connect Secure and Policy Secure Gateways

Two new high-severity vulnerabilities for Ivanti Connect Secure and Policy Secure Gateways have been discovered and active exploitation is occurring. 

Both Invanti solutions are vital in maintaining secure connectivity and enforcing policies within organizational network infrastructures. Based on evidence, the Cybersecurity and Infrastructure Security Agency (CISA) has added one of the vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog. Organizations should immediately apply the mitigation and apply patches when they are available.

Overview of the Ivanti Vulnerabilities

In January 2024 four Ivanti vulnerabilities were discovered. On January 10,  CVE-2023-46805 and CVE-2024-21887 were reported by Ivanti, as shown in the table below. During the investigation of these vulnerabilities CVE-2024-21888 and CVE-2024-21893 were discovered. Ivanti has announced that several of its customers are impacted by CVE-2024-21893, which has a CVSS score of 8.2, and CISA has added it to the KEV catalog

CVE Designation Severity rating (CVSS 3.1) Advisory Date
CVE-2023-46805 8.2 January 10, 2024
CVE-2024-21887 9.1 January 10, 2024
CVE-2024-21888 8.8 January 31, 2024
CVE-2024-21893 8.2 January 31, 2024
 

These vulnerabilities impact Ivanti Connect Secure and Ivanti Policy Secure products. These vulnerabilities impact all supported versions – Version 9.x and 22.x.

According to Ivanti’s KB article , their ZTA gateways are also vulnerable but cannot be exploited when deployed in a production environment. Reportedly, the ZTA gateways can only be exploited when a gateway “is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway.” 

“The disclosure of vulnerabilities within Ivanti Connect Secure underscores critical cybersecurity concerns, with potential impacts extending beyond Ivanti's ecosystem. These vulnerabilities, including authentication bypass and privilege escalation, demand immediate attention to mitigate risks and safeguard affected systems.”

Olivier Beg, Head of Hacking, 2024

Impact and Mitigations

Successful exploitation of the vulnerabilities could result in authentication bypass and command injection which can lead to compromise the network. According to Mandiant and Volexity several APT groups have been identified using the flaw compromising thousands of devices worldwide.

Additionally, CISA has issued an alert stating that Ivanti’s initial mitigations and detection methods have been subverted. They state that “threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection.” 

Actionable Recommendations

  • Install patches - Patches for the vulnerabilities should be applied as soon as they are available. Invanti is releasing the patches in phases so organizations may need to monitor for when an applicable patch is available. If a patch is not available organizations should review the mitigation methods.
  • Apply mitigations - Ivanti has released a KB article with mitigation instructions. The mitigations do not need to be applied if patches have been applied. Due to the development of workarounds by threat actors organizations should review the mitigations they have applied and ensure they are following the latest instructions. 
  • Conduct threat hunting - Due to the active exploitation of the vulnerabilities organizations should undertake threat hunting to identify signs of compromise and attempts to maintain persistance.

The severity of these vulnerabilities again highlights the importance of maintaining up-to-date software and robust security measures to protect critical infrastructure from emerging threats. By implementing exposure management and identifying risks before they are exploited organizations can improve their security posture, get in touch with our experts to learn more.

Book a demo

Get started scanning in 5 minutes

We only need your domain for our system to get started autonomously scanning your attack surface.

Book a demo

dashboard