Dive Brief:
- Suspected nation state and financially motivated threat groups continued exploitation of Ivanti Connect Secure and Ivanti Policy Secure, almost two weeks after the company released initial security patches for multiple vulnerabilities.
- Ivanti backtracked on a claim that it had discovered a new vulnerability, tracked as CVE-2024-22024, solely through its own internal review. Singapore-based firm watchTowr disclosed the vulnerability to the company, but Ivanti initially failed to credit the security firm for its work.
- “We initially flagged the code in question during our internal review,” an Ivanti spokesperson said via email. “Shortly after, watchTowr contacted us through our responsible disclosure program regarding CVE-2024-22024, which we should have acknowledged.”
Dive Insight:
The latest vulnerability illustrates how messy the process of discovering, disclosing and crediting CVEs can be.
Ivanti said the vulnerability is an XML external entity (XXE) flaw in the Security Assertion Markup Language (SAML) component of Ivanti Connect Secure, Ivanti Policy Secure and ZTA Gateways. An attacker can use it to gain access to restricted resources without authenticating.
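The mechanism behind that class of bug, as an added illustration that is not Ivanti's code and does not reproduce the Ivanti code path (which the article does not describe): a SAML message parser that resolves external entities lets an unauthenticated sender embed a DOCTYPE pointing at a local file and read it back through the parsed document. The example uses only the Python standard library; the SAML response, the "restricted" file and its contents are constructed for the demonstration. It contrasts the vulnerable parser setting with two mitigations: leaving external entity resolution off, and rejecting any SAML message that carries a DTD at all, since SAML messages never legitimately need one.

```python
"""Added example: XXE through a SAML-style parser, vulnerable vs. hardened."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed SAML Response. The DOCTYPE declares an external entity whose
# system identifier is a local file path, and the entity is expanded inside
# <saml:Issuer>, so whatever the parser reads ends up in the parsed document.
SAML_XXE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE samlp:Response [
  <!ENTITY xxe SYSTEM "{path}">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-id" Version="2.0">
  <saml:Issuer>&xxe;</saml:Issuer>
</samlp:Response>
"""


class DtdNotAllowed(ValueError):
    """Raised when a SAML message carries a DOCTYPE or entity declaration."""


class IssuerCollector(ContentHandler):
    """Collects the text content of <saml:Issuer>, where the entity expands."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.issuer = ""

    def startElement(self, name, attrs):
        if name == "saml:Issuer":
            self._inside = True

    def endElement(self, name):
        if name == "saml:Issuer":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self.issuer += content


def parse_issuer(xml_bytes, resolve_external_entities):
    """Parse a SAML message and return the Issuer text.

    resolve_external_entities=True is the vulnerable configuration: the parser
    follows SYSTEM identifiers and pulls local files into the document.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = IssuerCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.issuer.strip()


def parse_issuer_hardened(xml_bytes):
    """Defence in depth: refuse any DTD before the parser ever sees it,
    and keep external entity resolution disabled regardless."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise DtdNotAllowed("SAML messages must not carry a DTD")
    return parse_issuer(xml_bytes, resolve_external_entities=False)


def run_demo():
    """Create a constructed 'restricted' file and parse the hostile message
    three ways. Returns what each configuration exposed."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "restricted.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("CONSTRUCTED-SECRET-0001")  # constructed sample content
        message = SAML_XXE_TEMPLATE.format(path=secret_path).encode("utf-8")

        results = {}
        # Vulnerable: the file contents come back as the Issuer value.
        results["vulnerable"] = parse_issuer(message, resolve_external_entities=True)
        # External entities off: the reference is silently dropped.
        results["entities_disabled"] = parse_issuer(message, resolve_external_entities=False)
        # Hardened: the message is rejected before parsing.
        try:
            parse_issuer_hardened(message)
            results["dtd_rejected"] = False
        except DtdNotAllowed:
            results["dtd_rejected"] = True
        return results


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(f"{label}: {value!r}")
```

Python's expat-based SAX reader has left external general entities unresolved by default since 3.7.1, so the vulnerable branch switches that feature on deliberately to show the failure mode; older runtimes and many other XML stacks (Java's DocumentBuilderFactory, libxml2 with NOENT) resolve them unless told not to. The DOCTYPE rejection is the cheaper and more robust control: it also closes entity-expansion denial of service, and a SAML endpoint loses nothing by enforcing it.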
watchTowr called out Ivanti for failing to acknowledge its work in discovering the vulnerability, a point researcher Kevin Beaumont backed up.
Researchers at watchTowr said that rushing out mitigations can introduce new flaws.
“What we’ve recurringly seen is when they speed run these patches they introduce new vulnerabilities,” said Benjamin Harris, founder and CEO at watchTowr, in an interview.
Shadowserver reported Monday that it is starting to see exploitation activity around the newly disclosed vulnerability, while threat activity against the previously disclosed vulnerabilities continues.