CISA Emergency Directive Orders Action on Ivanti Zero-Days
A leading US security agency has issued an emergency directive requiring all of the government’s civilian federal agencies to mitigate two zero-days under active exploitation.
Emergency Directive 24-01 was issued on Friday in response to “widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure.”
CISA director, Jen Easterly, argued that the vulnerabilities pose “significant, unacceptable risks” not only to government agencies but all organizations.
“As America’s cyber-defense agency and the operational lead for federal civilian cybersecurity, we must take urgent action to reduce risks to the federal systems upon which Americans depend,” she added.
“Even as federal agencies take urgent action in response to this directive, we know that these risks extend to every organization and sector using these products. We strongly urge all organizations to adopt the actions outlined in this directive.”
Read more on Ivanti zero-days: Ivanti Patches Zero-Day Bug Used in Norway Attacks
Ivanti first disclosed the vulnerabilities on January 10, although it’s believed they had been under active exploitation by a Chinese state actor since December 3.
When chained, CVE-2023-46805 and CVE-2024-21887 enable threat actors to craft malicious requests and execute arbitrary commands on the system, without needing to authenticate first.
Last week, researchers at Volexity revealed that the bugs were under active exploitation by a number of threat groups, with over 1700 devices already compromised.
Patches from security vendor Ivanti are slated to start rolling out this week, but the firm has also released a mitigation, which CISA has requested impacted organizations download.
“This directive requires agencies to implement Ivanti’s published mitigation immediately to the affected products in order to prevent future exploitation,” it noted.
“As this initial action does not remedy an active or past compromise, agencies are also required to run Ivanti’s External Integrity Checker Tool and take additional steps if indications of compromise are detected.”