Ivanti has issued a warning regarding two significant vulnerabilities impacting its Connect Secure and Policy Secure products. One of these vulnerabilities has reportedly been subjected to targeted exploitation in the wild, elevating concerns among users and security professionals alike. Detailed information about these vulnerabilities can be found via Ivanti’s official communication channels.
The first vulnerability, identified as CVE-2024-21888, carries a CVSS score of 8.8, categorizing it as a high-severity privilege escalation flaw. This particular vulnerability affects the web components of Ivanti Connect Secure and Ivanti Policy Secure in versions 9.x and 22.x, allowing unauthorized users to elevate their access to administrative privileges.
The second vulnerability, CVE-2024-21893, has a CVSS score of 8.2 and is a server-side request forgery (SSRF) flaw in the SAML component of the same versions of Ivanti's products, as well as Ivanti Neurons for ZTA. This vulnerability permits attackers to access certain restricted resources without authentication, presenting a serious risk to affected systems.
Based in Utah, Ivanti has stated that, to date, there is no evidence of customers being adversely impacted by CVE-2024-21888. However, the company has acknowledged that CVE-2024-21893 appears to be actively targeted, impacting a limited number of its customers. This acknowledgement underlines the pressing nature of the threat, particularly given the evolving tactics employed by threat actors.
As part of its response to these vulnerabilities, Ivanti has released patches for various versions of its Connect Secure and ZTA products. The company has recommended that customers perform a factory reset of their appliances prior to applying the patch, a precaution aimed at preventing potential persistent access points for the attackers. Users should be prepared for this process, which is expected to take approximately 3 to 4 hours.
In light of these vulnerabilities, temporary mitigations have also been advised. Users are instructed to import the “mitigation.release.20240126.5.xml” file to help safeguard their systems while longer-term fixes are implemented.
The recent advisories coincide with reports of ongoing exploitation of other vulnerabilities within the same product lines, particularly CVE-2023-46805 and CVE-2024-21887. These flaws are reportedly being exploited by multiple threat actors to deploy backdoors and cryptocurrency mining tools, raising the stakes for enterprises relying on these solutions.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has emphasized the urgency of the situation, noting that attackers are using the identified vulnerabilities to compromise enterprise networks. Concerns have been raised about the sophistication of recent attacks, with threat actors developing methods to circumvent detection measures while executing lateral movements and privilege escalation.
The nature of these vulnerabilities suggests that MITRE ATT&CK tactics such as initial access, privilege escalation, and lateral movement are relevant to understanding the attack techniques employed. Stakeholders in the cybersecurity field are advised to remain vigilant in monitoring these developments, given the potential for increased exploitation once these details become public.
In conclusion, business owners must prioritize patching and applying recommended mitigations to protect their systems from these high-severity vulnerabilities. Ensuring proactive measures are in place will be essential to safeguarding sensitive data and maintaining operational integrity in an increasingly hostile cyber landscape.