Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN

Considering the extensive reach of Ivanti, I wanted to alert everyone with the news. Please review the details provided by Ivanti below. A vendor post is also included for security professionals seeking Indicators of Compromise (IOCs). I am not affiliated with this organization; they were the first to identify the vulnerabilities.
Ivanti has publicly disclosed the CVEs associated with these vulnerabilities. A patch is unlikely to be available before the week of January 22. However, there are mitigation steps that can be taken.

https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

## CVE-2023-46805
CVSS: 8.2
A vulnerability allowing authentication bypass in the web component of Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure, enabling remote attackers to access restricted resources by circumventing control checks.

## CVE-2024-21887
CVSS: 9.1
A command injection vulnerability in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure, allowing an authenticated administrator to send specially crafted requests to execute arbitrary commands on the device.

Strange how this doesn’t seem to attract more comments given their prominence in this space.

We promptly deployed the mitigation, and as far as we can tell, we weren’t impacted. It’s just unfortunate there’s no straightforward way to verify the presence of the second vulnerability.