Ivanti Connect Secure and Policy Secure Vulnerability Under Mass Exploitation

A zero day vulnerability affecting Ivanti Connect Secure and Ivanti Policy Secure that was disclosed by Ivanti on January 31, 2023, is now under mass exploitation by multiple threat actors. The vulnerability is tracked as CVE-2024-21893 and is a server-side request forgery (SSRF) flaw that allows remote attackers to bypass authentication and access restricted resources on vulnerable devices. The vulnerability affects versions 9.x and 22.x.

Palo Alto Networks reports that there were 28,474 exposed instances of Ivanti Connect Secure and Policy Secure exposed to the Internet between January 26, 2024, and January 30, 2024, and as of January 23, 2024, 610 compromised instances had been detected. That number is likely to have grown considerably since a proof-of-concept exploit for the flaw was released by Rapid7 on February 2, 2024. By the time the PoC exploit was released, the flaw was already being exploited by multiple threat groups to gain full access to vulnerable devices. The Rapid7 PoC exploit involves chaining CVE-2024-21893 with a previously disclosed vulnerability, CVE-2024-21887.

According to researchers at Shadowserver, the latest vulnerability has been targeted more than any other recently mitigated or patched Ivanti flaw. The researchers have tracked 170 IPs attempting to exploit the vulnerability. Three other recently disclosed vulnerabilities (CVE-2024-21887, CVE-2023-46805, and CVE-2023-35078) are also being actively exploited, although to a lower degree. CVE-2024-21887 and CVE-2023-46805 are being exploited by a Chinese espionage group tracked as UNC8221 to install webshells and backdoors on vulnerable devices, although exploit activity is falling from a mid-January peak.

With several zero-day vulnerabilities in Ivanti Connect Secure and Policy Secure under active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a directive instructing all federal agencies to disconnect their appliances immediately until they could be updated and secured through a factory reset and an update to the latest firmware version. All users of these appliances should take CISA’s advice and do the same.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news