Dive Brief:
- Ivanti confirmed a patch designed to mitigate two zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure will be delayed until this week, according to an updated blog post released Friday.
- The authentication-bypass and command-injection vulnerabilities have been actively exploited since early December, impacting thousands of organizations and leading the Cybersecurity and Infrastructure Security Agency to issue an emergency directive for Federal Civilian Executive Branch agencies.
- Ivanti has been working with Mandiant to mitigate the threat activity, which has led to the compromise of more than 2,100 systems by a nation-state threat actor. Federal officials said the attacks shared some similarities with the Volt Typhoon attacks linked to the People’s Republic of China during mid-2023.
Dive Insight:
Ivanti Connect Secure and Ivanti Policy Secure users have been holding out for the initial patch for weeks amid widespread exploitation of the vulnerabilities. When chained together, the vulnerabilities, listed as CVE-2023-46805 and CVE-2024-21887, allow unauthenticated attackers to achieve remote code execution.
Ivanti previously said an initial patch would be ready the week of Jan. 22, with a final patch scheduled for the week of Feb. 19.
As of last week, more than 26,000 Connect Secure hosts were exposed to the public internet, according to a blog post from Censys. More than 410 hosts were compromised using a backdoor used to steal credentials, Censys reported.
Ivanti previously warned administrators not to push configuration to appliances with the mitigation XML in place until the appliance was patched. When the configuration was pushed, key web services stopped functioning and the mitigation no longer worked properly.
CISA previously said about 15 federal agencies were using Ivanti Connect Secure and Ivanti Policy Secure.