
Renewed threat activity targets Ivanti VPNs following initial patch release, accompanied by new CVEs

CISA has instructed federal civilian agencies to disconnect the affected devices, on top of the extensive security measures already in place.


In the past few days, Ivanti Connect Secure and Ivanti Policy Secure Gateways have faced renewed exploitation, just days after a patch for two zero-day vulnerabilities was released.

The server-side request forgery vulnerability, identified as CVE-2024-21893, has been chained together with CVE-2024-21887 for unauthenticated command injection. This chain of vulnerabilities has been exploited by a suspected China-nexus threat actor, leading to the installation of malicious webshells on thousands of devices worldwide.

Security researchers have observed increased activity leading up to the patch and new activity since. Volexity researchers report seeing new backdoors dropped in recent days.

Ivanti has been actively working with customers to help them apply patches and mitigate the risks. They have also been working closely with Mandiant on mitigation efforts.

As things stand, the recent zero-day vulnerabilities affecting Ivanti Connect Secure, Ivanti Policy Secure, and related gateways have been patched. Customers who have updated to the latest versions are not considered vulnerable. Ivanti released patches addressing multiple critical flaws, including heap-based buffer overflows and stack-based buffer overflows.

To date, there have been no widely reported successful exploits against fully patched systems. Ivanti emphasizes the importance of staying updated to mitigate risk. It strongly recommends running its Integrity Checker Tool before and after applying updates to detect any compromise, and monitoring systems after the update.

For organizations that have not yet updated, the recommended course is to follow the factory reset process, perform a fresh install, and apply all patches. The Cybersecurity and Infrastructure Security Agency issued a supplemental directive for Federal Civilian Executive Branch agencies to disconnect affected Ivanti products by Feb. 2.

Correction: Stephen Fewer, principal security researcher at Rapid7, was misidentified in a previous version of this article. We regret the error and apologize for any confusion caused.

In summary, exploitation is mainly a risk for unpatched or outdated installations. Customers are urged to promptly apply patches and use Ivanti’s security tools to verify system integrity to protect their systems against the known zero-day vulnerabilities.

Cybersecurity professionals should prioritize applying patches for Ivanti Connect Secure and Ivanti Policy Secure Gateways to address the recently discovered vulnerabilities. Leaving these systems unpatched could expose organizations to cyber attacks, since the tooling used by the suspected threat actor targets exactly such unpatched systems.
