Ivanti Zero-Days Exploited By Multiple Actors Globally

Written by

Two zero-day vulnerabilities in Ivanti products revealed last week are being exploited en masse worldwide, with over 1700 devices already compromised, Volexity has warned.

The security vendor said in a blog post yesterday that victims come from a variety of sectors including government, military, telecoms, technology, finance, consulting and aerospace.

“Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals,” it warned.

“On Sunday, January 14 2024, Volexity had identified over 1700 ICS VPN appliances that were compromised with the GiftedVisitor webshell. These appliances appear to have been indiscriminately targeted, with victims all over the world.”

Volexity believes the threat actor behind these compromises is the same Chinese group (UTA0178) first observed exploiting the zero-day vulnerabilities back in December 2023.

However, it warned that other threat actors appear to have access to the exploit and are actively targeting organizations. These include a group named “UTA0188.”

Volexity added that its scans may have uncovered only a fraction of those organizations compromised by attackers.

“This exploitation has affected thousands of machines and may have infected many more. Volexity’s scan methodology would not have worked against organizations that have already deployed the Ivanti mitigation or had otherwise been taken offline,” it concluded.

“As a result, Volexity suspects there may likely be a higher number of compromised organizations than identified through scanning (which totalled more than 1,700). There was likely a period in which UTA0178 could have actioned these compromises before the mitigation was applied.”

Ivanti first published an advisory about the two zero-days on January 10. At the time, it said that fewer than 10 customers were impacted by exploitation of CVE-2023-46805 and CVE-2024-21887: two critical bugs in its Connect Secure and Policy Secure gateways.

Read more about Ivanti zero-days: Two Ivanti Zero-Days Actively Exploited in the Wild

CVE-2023-46805 is an authentication bypass vulnerability in the web component of the two products while CVE-2024-21887 is a command injection vulnerability in the same web components. They can be chained to enable a threat actor to bypass multi-factor authentication, craft malicious requests and execute arbitrary commands for full system compromise.

Patches won’t be released until the week of January 22, and even then, on a staggered schedule according to product version. However, customers are urged to apply the vendor’s mitigation immediately and run an Integrity Checker tool provided by Ivanti.

What’s hot on Infosecurity Magazine?