UPDATE: Ivanti Connect Secure Zero-Day Now Under Mass Exploitation

We’ve recently posted information about the Ivanti zero-day situation. We now have confirmation that the Ivanti Connect Secure zero-day is being exploited on a large scale. Here’s what you need to know.  

Tell me more about the Ivanti Connect Secure zero-day 

The vulnerability, identified as CVE-2024-21893, affects Ivanti Connect Secure and Ivanti Policy Secure servers. Ivanti first announced this server-side request forgery (SSRF) flaw on Jan. 31, 2024. It allows unauthorized individuals to bypass authentication mechanisms and access restricted resources on affected devices, specifically those running versions 9.x and 22.x.

Initially, the exploitation of this vulnerability was limited, affecting a small group of customers. However, the situation has escalated significantly, with threat monitoring services reporting at least 170 distinct IP addresses attempting to exploit it. 

This rise in exploitation attempts signals a growing interest in this specific vulnerability over other Ivanti issues that have been addressed recently. The Cybersecurity & Infrastructure Security Agency (CISA) has taken the unprecedented step of releasing a supplement to its previous Emergency Directive (ED 24-01), requiring agencies running affected products to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solutions from agency networks as soon as possible.

The situation was further complicated when security researchers released a proof-of-concept exploit, which facilitated exploitation efforts. It’s important to note that attackers had begun exploiting the vulnerability before this information was publicly available. The broader context includes the discovery of additional zero-day vulnerabilities within Ivanti products, leading to increased scrutiny from cybersecurity authorities and recommendations for stringent measures to protect against these vulnerabilities.

What is Nuspire doing?  

At Nuspire, we are committed to ensuring the security of our clients. We actively apply patches in accordance with vendor recommendations and threat hunt client environments for indications of compromise. Our team is constantly monitoring the situation and will provide updates as necessary. 

How should I protect myself from the Ivanti Connect Secure zero-day? 

If your organization is using Ivanti Connect Secure and Policy Secure, it’s crucial to take immediate action. Here are the steps you should follow: 

  1. Verify your version: Determine if your devices are running vulnerable versions (9.x and 22.x). If so, prioritize patches from Ivanti as per their advisory. 
  2. Apply patches: Ivanti has stated that the patch is available now via the standard download portal. Applying these patches as soon as possible is critical to protect your systems. 
  3. Stay informed: Keep up-to-date with the latest information from trusted sources like Nuspire, Ivanti and CISA. 
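Step 1 is the part of the procedure that scales badly by hand once you have more than a handful of appliances. The script below is an added example (not Nuspire’s or Ivanti’s code) that parses Ivanti’s `major.minorR<release>.<patch>` version strings from an inventory, flags hosts in the 9.x and 22.x families named above, and compares each against the first fixed build for its release train. The fixed-build numbers, hostnames and versions in it are constructed placeholders; an operator replaces the fixed builds with the values from Ivanti’s advisory.

```python
"""Triage an inventory of Ivanti Connect Secure / Policy Secure appliances by
version train. Added example; the fixed-build numbers below are placeholders
that an operator replaces with the values from Ivanti's advisory."""
import re

# Version families the advisory names as affected.
AFFECTED_MAJORS = {9, 22}

# Version strings on these appliances look like "22.4R2.1" or "9.1R14.3":
# major.minor, an "R" release number, and an optional patch number.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Return (major, minor, release, patch) so tuples compare numerically."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def train(version):
    """The release train a build belongs to, e.g. (22, 4, 2) for 22.4R2.1."""
    return version[:3]


def triage(hostname, version_text, fixed_builds):
    """Classify one appliance.

    fixed_builds maps a release train to the first build carrying the fix
    (PLACEHOLDER values in this example, not taken from the advisory).
    A host in an affected family whose train has no entry still needs a
    manual check against the advisory rather than being assumed safe.
    """
    v = parse_version(version_text)
    if v[0] not in AFFECTED_MAJORS:
        return (hostname, "not-in-affected-family")
    fixed = fixed_builds.get(train(v))
    if fixed is None:
        return (hostname, "affected-family-check-advisory")
    return (hostname, "patched" if v >= fixed else "vulnerable-patch-now")


def triage_inventory(inventory, fixed_builds):
    """Run triage over (hostname, version_string) pairs."""
    return [triage(host, ver, fixed_builds) for host, ver in inventory]


# Constructed sample data: neither a real inventory nor real fixed builds.
SAMPLE_FIXED_BUILDS = {
    (22, 4, 2): parse_version("22.4R2.9"),   # PLACEHOLDER fixed build
    (9, 1, 14): parse_version("9.1R14.9"),   # PLACEHOLDER fixed build
}
SAMPLE_INVENTORY = [
    ("vpn-east", "22.4R2.1"),
    ("vpn-west", "22.4R2.9"),
    ("vpn-lab", "22.6R1"),
    ("policy-01", "9.1R14.3"),
    ("other-box", "8.3R7.1"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY, SAMPLE_FIXED_BUILDS):
        print(f"{host:12} {status}")
```

The "affected-family-check-advisory" outcome is deliberate: a 9.x or 22.x host on a train you have not mapped should surface as work to do, not silently pass as patched.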

We at Nuspire are committed to providing you with the latest information and recommendations to help you navigate these challenges. Stay tuned for more updates on this and other cybersecurity issues.
