Skip to content

Ivanti has recently disclosed two high-severity zero-day vulnerabilities affecting its Connect Secure and Policy Secure gateway products that are reportedly being exploited.

The Vulnerabilities:

CVE-2023-46805 – This vulnerability allows authentication bypass on Ivanti Connect Secure VPN gateways via a malicious HTTP request. Threat actors can leverage this to access internal systems without credentials.

CVE-2024-21887 – A command injection flaw that enables unauthenticated remote code execution on Ivanti Policy Secure gateways. This allows a complete takeover of the server.

These vulnerabilities were uncovered by researchers at cybersecurity firm Volexity who observed active exploitation in attacks attributed to the Deep Panda hacking group.  The attacks have been targeting government, military and financial organisations globally since at least January 2023.

Impacts of Exploitation:

Successful exploitation of these zero-day flaws could have severe impacts including:

  • Data breaches – Attackers can exfiltrate sensitive data from internal networks.
  • Ransomware attacks – Compromised gateways provide an entry point for deploying ransomware.
  • Infrastructure takeover – Ability to control key network infrastructure.
  • Persistent access – Threat actors can maintain a long-term foothold in networks.
  • Further compromise – Pivot to attack other systems on the network.

Recommended Actions:

Ivanti has released security updates to address the vulnerabilities in impacted products:

  • Connect Secure – Update to release 21.1 or later
  • Policy Secure – Update to release 10.2 or later
  • Organisations using vulnerable Ivanti gateways should immediately apply these patches to mitigate risks of exploitation. Disconnecting impacted gateways from VPN service until patched is also recommended.

Additionally, Ivanti advises customers to take these proactive security measures:

  • Enforce multi-factor authentication for VPN and admin consoles.
  • Segment networks to limit lateral movement.
  • Monitor VPN traffic for signs of compromise.
  • Employ endpoint detection and response tools.
  • Frequently patch and update internet-facing services.
  • Conduct cyber security awareness training for employees.

By taking swift action to patch vulnerabilities and adopting a proactive security posture, organisations can protect themselves against threats targeting the latest zero-day exploits. This case highlights the growing sophistication of cyber-attacks and the importance of coordinated disclosure and response when critical flaws are uncovered.