Two Ivanti Zero-Days Actively Exploited in the Wild
Ivanti customers have been urged to follow the security vendor’s suggested workaround after it confirmed that two zero-day vulnerabilities in its Connect Secure and Policy Secure gateways are being actively exploited.
Connect Secure is a VPN product while Policy Secure is a network access control (NAC) solution.
Security vendor Volexity yesterday claimed that a Chinese state actor tracked as UTA0178 was behind the attacks. It said the group may have been exploiting CVE-2023-46805 and CVE-2024-21887 as far back as December 3 2023 to place webshells on victim organizations’ internal and external-facing web servers.
The zero-day vulnerabilities affect all supported versions of Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure gateways.
CVE-2023-46805 is an authentication bypass vulnerability in the web component of the two products that allows remote attackers to access restricted resources by bypassing control checks, Ivanti said in an advisory. It has a CVSS score of 8.2.
CVE-2024-21887 is a command injection vulnerability in the web components of the products which allows an authenticated administrator to send specially crafted requests which execute arbitrary commands on the appliance. It can be exploited over the internet and is given a CVSS score of 9.1.
The two can be chained to potentially devastating effect.
“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” Ivanti warned.
Action1 president and co-founder, Mike Walters, claimed that a Shodan search reveals around 15,000 Ivanti devices currently exposed online.
“Exploitation can lead to arbitrary command execution, MFA bypass, and potentially full system compromise,” he explained. “Organizations that have not yet applied available mitigations and those lacking proper security measures like firewalls and intrusion detection systems are likely to experience the most severe consequences.”
Patches Not Yet Available
Ivanti said it is aware of “less than 10 customers” impacted by these exploits, although it cautioned that the situation is still evolving.
“We have seen evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT,” it said.
“We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future. We regularly provide updates to the external and internal ICT, so customers should always ensure they are running the latest version of each.”
Patches will not be available until the week of January 22, and even then Ivanti is releasing them in a staggered schedule according to product version. In the meantime, it has released a series of mitigation steps that customers are urged to follow immediately.
“It is crucial for organizations to take immediate action by importing the available mitigation release from Ivanti’s download portal,” said Walters. “The clock is ticking.”
Ivanti products have previously been exploited by suspected Chinese state hackers. In July, they targeted CVE-2023-35078 and CVE-2023-35081 in the firm’s Endpoint Manager Mobile (EPMM) product to compromise several Norwegian government agencies.
Read more about Ivanti vulnerabilities: Ivanti Patches Zero-Day Bug Used in Norway Attacks
In April 2021, prior to Ivanti’s acquisition of Pulse Secure, Chinese hackers exploited another critical zero-day bug in the Pulse Connect Secure product.
