Dive Brief:
- Suspected state-linked hackers have been exploiting two zero-day vulnerabilities in Ivanti Connect Secure VPN devices since early December, according to research released Wednesday by Volexity.
- The vulnerabilities, which are chained together, allow attackers to remotely execute commands without authentication. The attacker, whom researchers track as UTA0178, downloaded remote files, stole configuration data and modified existing files on targeted systems.
- Ivanti is working with Mandiant to mitigate the threat, but it is releasing patches under a staggered schedule starting the week of Jan. 22, according to the company. A final version will not be ready until the week of Feb. 19. Ivanti is urging customers to immediately take mitigation steps designed to protect against these attacks.
Dive Insight:
The vulnerabilities are tracked as CVE-2023-46805, an authentication-bypass vulnerability, with a CVSS score of 8.2, and CVE-2024-21887, a command injection vulnerability with a score of 9.1.
Volexity initially detected threat activity in mid-December but later traced exploits back to Dec. 3.
The attackers were observed modifying legitimate Ivanti Connect Secure (ICS) components and making other changes in order to evade the ICS Integrity Checker Tool, according to Volexity.
The attacker accessed a legitimate CGI file on the appliance via a backdoor, allowing for command execution. A JavaScript file used by the Web SSL VPN component was also modified to keylog and exfiltrate credentials.
Volexity researchers do not consider the current level of threat activity widespread. However, with mitigation steps being released, the exploit could be shared by threat groups and the timetable moved up, Steven Adair, president of Volexity, said via email.
“It would not surprise us to see more widespread exploitation moving forward,” Adair said.
Researchers from Tenable also warned that exploitation could accelerate due to the staggered release of a patch.
“Three weeks is a large window of time for attackers to develop their own or acquire from an external third party a working proof-of-concept exploit for these vulnerabilities,” said Satnam Narang, senior staff research engineer at Tenable.
The Cybersecurity and Infrastructure Security Agency added the vulnerabilities to its Known Exploited Vulnerabilities catalog, noting a significant risk to federal enterprises.