Ivanti’s Critical Security Alert: Two Zero-Days Exploited in the Wild

Ivanti, a well-known software company, has disclosed two critical zero-day vulnerabilities in its Connect Secure and Policy Secure products. Both vulnerabilities are already being exploited by attackers.

The first of these vulnerabilities, labeled CVE-2023-46805 and rated 8.2 on the Common Vulnerability Scoring System (CVSS), is an alarming authentication bypass in the gateways’ web component. This flaw allows attackers to access restricted resources by sidestepping control checks.

The second, more severe vulnerability, tracked as CVE-2024-21887 with a CVSS score of 9.1, is a command injection flaw. It allows an authenticated administrator to execute arbitrary commands on a vulnerable appliance by sending specially crafted requests.


The real danger emerges when the two zero-days are combined. Mandiant and Volexity, the cybersecurity firms that first reported the vulnerabilities, noted that chaining CVE-2023-46805 with CVE-2024-21887 lets an attacker run arbitrary commands on all supported versions of the affected products. Because the authentication bypass removes the need for valid administrator credentials, the chain amounts to unauthenticated remote command execution, which makes it a formidable tool for attackers.

Threat intelligence company Volexity, having observed these zero-days being exploited as early as December, believes the attacks are the work of a Chinese state-backed threat actor. This revelation adds an extra layer of complexity and urgency to the situation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also said today that state-backed hackers have been exploiting the two flaws, and it ordered federal agencies to mitigate their systems against CVE-2023-46805 and CVE-2024-21887 exploitation by January 31.

Ivanti has responded proactively, stating, “We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected.” The company has advised its customers to implement mitigations immediately and is working on releasing patches on a staggered schedule, with the first version expected the week of January 22 and the final version by the week of February 19.

In the interim, customers can mitigate the risk by importing the mitigation.release.20240107.1.xml file, available on Ivanti’s download portal. Applying this mitigation is crucial to protect against exploitation until the patches are fully available.