Ivanti has warned users of two zero-day vulnerabilities in its Connect Secure and Policy Secure gateways that have already attracted attackers' attention. The firm confirmed active exploitation of the flaws against a small number of customers. Ivanti has released a mitigation, and users should apply it to protect their systems until patches arrive.
Ivanti Connect Secure Zero-Day Flaws
As disclosed in a recent advisory, Ivanti addressed two severe zero-day flaws affecting its Connect Secure and Policy Secure gateways.
Specifically, the two vulnerabilities are the following.
- CVE-2024-21887 (CVSS 9.1): A command injection vulnerability in the web components of the two Ivanti products. Exploiting the flaw requires only that an authenticated adversary send maliciously crafted requests to execute arbitrary commands on the target appliance.
- CVE-2023-46805 (CVSS 8.2): An authentication bypass affecting the web components of Ivanti Connect Secure (ICS) and Policy Secure gateways. A remote attacker could exploit the flaw to bypass control checks and access restricted resources.
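To make the two bug classes concrete, the following is an added illustration written for this page, not Ivanti's code, and it does not reproduce the real flaws: a toy gateway whose authentication check inspects the raw request path while the router dispatches on the normalised path (an authentication-bypass pattern), in front of a diagnostic endpoint that interpolates user input into a shell command (command injection). The endpoint names, the `echo` stand-in for a real diagnostic tool, and the session handling are all constructed for the example. The fixed variants canonicalise the path before the authorisation decision and pass a validated argument to the tool without a shell.

```python
"""Toy gateway: auth bypass (path-check mismatch) chained into command injection.
Constructed illustration; NOT Ivanti's code and not the real CVE-2023-46805 / CVE-2024-21887."""
import posixpath
import re
import subprocess

PUBLIC_PREFIX = "/api/v1/public/"      # constructed: routes that need no session
ADMIN_DIAG_PATH = "/api/v1/admin/diag"  # constructed: route that must be authenticated
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # strict allowlist for a hostname/IP


def is_public_weak(raw_path):
    """Authorisation decision made on the raw path, before the router normalises it."""
    return raw_path.startswith(PUBLIC_PREFIX)


def is_public_fixed(raw_path):
    """Authorisation decision made on the same canonical form the router uses."""
    path = posixpath.normpath(raw_path)
    if not path.startswith("/") or ".." in path.split("/"):
        return False
    return path.startswith(PUBLIC_PREFIX)


def diag_weak(host):
    """Vulnerable: untrusted input concatenated into a shell command line.
    `echo` stands in for a real diagnostic tool (e.g. ping) so the example runs offline."""
    return subprocess.run("echo " + host, shell=True, capture_output=True, text=True).stdout


def diag_fixed(host):
    """Hardened: validate against an allowlist, then pass an argv list with no shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host")
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def handle(raw_path, session, host, *, weak):
    """Dispatch one request. Returns (status, body). `weak=True` selects the flawed code paths."""
    is_public = is_public_weak if weak else is_public_fixed
    if not is_public(raw_path) and session is None:
        return 401, ""
    route = posixpath.normpath(raw_path)  # routers canonicalise the path before matching
    if route != ADMIN_DIAG_PATH:
        return 404, ""
    try:
        out = diag_weak(host) if weak else diag_fixed(host)
    except ValueError as exc:
        return 400, str(exc)
    return 200, out


if __name__ == "__main__":
    # Unauthenticated request whose raw path looks public but routes to the admin endpoint,
    # carrying a shell metacharacter in the parameter: the chain the advisory describes.
    chain_path = "/api/v1/public/../admin/diag"
    payload = "127.0.0.1; echo INJECTED"
    print("weak :", handle(chain_path, None, payload, weak=True))
    print("fixed:", handle(chain_path, None, payload, weak=False))
```

With the weak variants the unauthenticated request reaches the admin handler and the shell executes the injected second command; with the fixed variants the same request is refused with 401, and even an authenticated caller gets 400 for a value outside the allowlist. The two fixes are independent: the argv-list change alone would stop the injection but not the bypass, and the canonicalisation change alone would stop the bypass but leave the injection for any authenticated user.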
Mitigation Released – Patches to Arrive Soon!
Ivanti confirmed that both vulnerabilities affect all supported versions (9.x and 22.x). While the firm has yet to release patches for the flaws, it has released a mitigation to protect vulnerable systems in the meantime.
The vulnerabilities first caught the attention of security researchers at Volexity, who observed the two flaws being exploited in a chained manner. The threat actor behind the exploit reportedly attempted to implant a backdoor on the affected software. Volexity's blog post shares details of these findings.
Though Ivanti has released the mitigation to block the exploit, Volexity cautioned that applying it "doesn't remedy a past or ongoing compromise." Nonetheless, applying the mitigation is still important to prevent future exploitation, especially for devices that are still vulnerable but not yet compromised.
The researchers also advise users to run thorough security analyses for signs of a breach. For compromised appliances, Volexity recommends rebuilding the ICS VPN appliance, resetting stored credentials and other secrets, and gathering logs and system snapshots for analysis. Organizations should also check for lateral movement on the network to detect any other compromised systems.