Dive Brief:
- Ivanti initiated an overhaul of its internal security practices after critical vulnerabilities in the company’s core product line were exploited over a months-long campaign linked to a suspected nation-state threat actor.
- Ivanti CEO Jeff Abbott issued a letter and video statement on Wednesday pledging to revamp the company's product security and vulnerability management and to fully embrace secure by design and secure by default principles. Abbott said the company will make drastic improvements to become more responsive to customers and will work more closely with key government agencies to share learnings and critical information.
- “This activity has brought one of our products to the forefront of conversation regarding recently reported security incidents,” Abbott said in the letter. “We have responded by working diligently to protect and support our customers, and we are taking a very close look at our own posture and processes to ensure we are well prepared to address the current landscape.”
Dive Insight:
The threat activity, which began in December, led to widespread exploitation of zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure products. The initial exploitation was linked to an authentication-bypass vulnerability, listed as CVE-2023-46805, and a command-injection vulnerability, listed as CVE-2024-21887.
The vulnerabilities, when chained together, allowed outside attackers to gain remote code execution and take over devices.
The Cybersecurity and Infrastructure Security Agency issued a directive in January for Federal Civilian Executive Branch agencies to mitigate the vulnerabilities. Ivanti released an initial security patch for the vulnerabilities in late January, after a delay.
CISA was breached in a late January attack linked to the Ivanti vulnerabilities. An attacker gained access to the CISA Gateway and the agency’s Chemical Security Assessment Tool, potentially affecting up to 100,000 people.
The attack was not publicly known until March, after the Five Eyes issued a global advisory in late February warning of continued exploitation.
In the video, Abbott said the company will work more closely with intelligence agencies to stay on top of threats and that it would back up its security pledge with new investments.
CISA Director Jen Easterly welcomed the pledge from Ivanti on Wednesday as an indication of corporate responsibility.
“Encouraged to see this statement from @GoIvanti CEO Jeff Abbott taking ownership of security outcomes for customers and committing to move forward on the path to secure by design technology,” Easterly said in a post on X, the site formerly known as Twitter.
Ivanti also disclosed new vulnerabilities found in Ivanti Connect Secure and Ivanti Policy Secure, including CVE-2024-21894, CVE-2024-22052, CVE-2024-22053 and CVE-2024-22023, in a blog post Wednesday.
The company said a patch is available for the recently disclosed vulnerabilities alongside an updated, external integrity checker tool.