New Ivanti Connect Secure Zero-Day Exploited by Threat Actors

Software company Ivanti has recently raised the alarm about two new vulnerabilities impacting its products: Connect Secure, Policy Secure and ZTA gateways. Read on to learn more.  

Tell me more about the Ivanti zero-days  

The first of these vulnerabilities, tagged as CVE-2024-21893, is a zero-day flaw that’s currently being actively exploited. This flaw is a server-side request forgery issue in the SAML component of the gateways, which allows attackers to sidestep authentication and gain access to restricted areas on the affected devices. The second vulnerability, CVE-2024-21888, is found in the gateways’ web component and allows attackers to escalate their privileges to an administrator level.  

Ivanti has also rolled out patches for two previously disclosed zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) that have been weaponized in attacks since January 11 to deploy malware on vulnerable devices. On January 30 alone, over 460 compromised Ivanti VPN devices were discovered. In response to the widespread exploitation of these vulnerabilities, the United States Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive (ED 24-01). 

These attacks have victimized a wide range of organizations, from government and military entities to companies in the banking, finance, telecommunications, aerospace and technology sectors, including Fortune 500 companies.  

What is Nuspire doing?  

Nuspire is proactively applying patches as per vendor recommendations and conducting threat hunting in client environments to detect any signs of compromise. 

How should I protect myself from the Ivanti zero-day vulnerabilities? 

If your organization uses Ivanti Connect Secure, Policy Secure and/or ZTA gateways, you should take the following actions: 

1. Immediately Apply Patches: Ivanti has released security patches for some affected ZTA and Connect Secure versions. Make sure these patches are applied promptly, per their advisory. 
2. Implement CISA’s Emergency Directive: To mitigate the identified vulnerabilities, federal agencies are required to comply with CISA’s emergency directive ED 24-01. This directive includes actions such as disconnecting all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from networks, continuing threat hunting on any systems connected to the affected Ivanti products and auditing privilege-level access accounts. 

The exploitation of these vulnerabilities highlights the importance of maintaining up-to-date security measures and promptly addressing identified vulnerabilities. By taking these steps, organizations can better safeguard their systems and data from potential threats.