Two Ivanti Zero-Days Actively Exploited in the Wild

Written by

Ivanti customers have been urged to follow the security vendor’s suggested workaround after it confirmed that two zero-day vulnerabilities in its Connect Secure and Policy Secure gateways are being actively exploited.

Connect Secure is a VPN product while Policy Secure is a network access control (NAC) solution.

Security vendor Volexity yesterday claimed that a Chinese state actor tracked as UTA0178 was behind the attacks. It said the group may have been exploiting CVE-2023-46805 and CVE-2024-21887 as far back as December 3 2023 to place webshells on victim organizations’ internal and external-facing web servers.

The zero-day vulnerabilities affect all supported versions of Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure, and Ivanti Policy Secure gateways.

CVE-2023-46805 is an authentication bypass vulnerability in the web component of the two products that allows remote attackers to access restricted resources by bypassing control checks, Ivanti said in an advisory. It has a CVSS score of 8.2.

CVE-2024-21887 is a command injection vulnerability in the web components of the products which allows an authenticated administrator to send specially crafted requests that execute arbitrary commands on the appliance. It can be exploited over the internet and is given a CVSS score of 9.1.

The two can be chained to potentially devastating effects.

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” Ivanti warned.

Action1 president and co-founder, Mike Walters, claimed that a Shodan search reveals around 15,000 Ivanti devices currently exposed online.

“Exploitation can lead to arbitrary command execution, MFA bypass, and potentially full system compromise,” he explained. “Organizations that have not yet applied available mitigations and those lacking proper security measures like firewalls and intrusion detection systems are likely to experience the most severe consequences.”

Read more: A Guide to Zero-Day Vulnerabilities and Exploits for the Uninitiated

Five Malware Families Associated with the Campaign

Google-owned Mandiant also identified advanced persistent threat (APT) groups currently exploiting the vulnerabilities, although the firm has not yet attributed the malicious activity to any specific group, Charles Carmakal, Mandiant Consulting CTO at Google Cloud, told Infosecurity.

The firm revealed that the threat actor was using five different malware families to conduct its exploitation campaign: The Zipline passive backdoor, the Thinspool dropper, the Lightwire and Wirefire webshells and the Warpwire credential harvester.

“These tools allow the threat actors to circumvent authentication and provide backdoor access to these devices,” the report said.

Patches Not Yet Available

Ivanti said it is aware of “less than 10 customers” impacted by these exploits, although it cautioned that the situation is still evolving.

“We have seen evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT,” it said.

“We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future. We regularly provide updates to the external and internal ICT, so customers should always ensure they are running the latest version of each.”

Patches will not be available until the week of January 22, and even then Ivanti is releasing them in a staggered schedule according to product version. In the meantime, it has released a series of mitigation steps that customers are urged to follow immediately.

“It is crucial for organizations to take immediate action by importing the available mitigation release from Ivanti’s download portal,” said Walters. “The clock is ticking.”

Mandiant’s Carmakal confirmed the number of identified victims.

“The known zero-day exploitation was performed by a single threat group, but it’s probable that other threat actors will be able to develop exploit code and exploit it for a variety of motivations. We implore organizations to run the new integrity checker tool provided by Ivanti to assess if their device was compromised already [and] we urge them to deploy the mitigations that Ivanti published ASAP," he told Infosecurity.

Ivanti Products' Vulnerabilities Exploited in the Past

Ivanti products have previously been exploited by suspected Chinese state hackers. In July, they targeted CVE-2023-35078 and CVE-2023-35081 in the firm’s Endpoint Manager Mobile (EPMM) product to compromise several Norwegian government agencies.

Read more about Ivanti vulnerabilities: Ivanti Patches Zero-Day Bug Used in Norway Attacks

In April 2021, prior to Ivanti’s acquisition of Pulse Secure, Chinese hackers exploited another critical zero-day bug in the Pulse Connect Secure product.

Updated on January 15, 2024. Additional reporting by Kevin Poireault. 

What’s hot on Infosecurity Magazine?