Enterprise IT software Ivanti issues urgent warning on two critical zero-day vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive instructing federal agencies to immediately disconnect Ivanti VPN appliances within 48 hours, with the deadline being 1:59 PM on Friday, 2 February, 2024.
Ivanti, a leading enterprise IT software vendor, is urgently drawing attention to two newly discovered high-severity vulnerabilities in its Connect Secure and Policy Secure VPN products. The company has issued a warning, emphasising that one of these bugs was identified during an investigation into ongoing zero-day attacks.
This alert coincides with Ivanti’s belated release of patches for critical vulnerabilities exploited by multiple hacking groups, intensifying the need for Ivanti customers to promptly test and deploy available fixes.
Struggling to adhere to its own patch delivery timeline, Ivanti initiated the rollout of fixes on a staggered schedule, accompanied by documentation addressing two new security defects. In an ongoing investigation into CVE-2023-46805 and CVE-2024-21887, Ivanti identified additional vulnerabilities in Connect Secure, Policy Secure, and Neurons for ZTA.
Ivanti outlined that one of the vulnerabilities facilitates privilege escalation, while the second is a server-side request forgery in the SAML component, enabling a threat actor to access specific restricted resources without authentication.
‘We are aware of a limited number of customers impacted by CVE-2024-21887,’ Ivanti stated.
On the same day as the release of patches for previously disclosed zero-day vulnerabilities, Ivanti warned customers about two new flaws, including a zero-day that is currently being exploited in the wild.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive instructing federal agencies to immediately disconnect Ivanti VPN appliances due to the heightened risk of malicious exploitation stemming from multiple software vulnerabilities.
In an updated emergency directive, CISA now requires all federal civilian executive branch agencies, including entities such as Homeland Security and the Securities and Exchange Commission, to disconnect their Ivanti VPN appliances. This action is prompted by the serious threat posed by several zero-day vulnerabilities that are currently being actively exploited by malicious hackers.
While federal agencies typically have weeks to address and patch vulnerabilities, CISA, in this instance, has mandated the disconnection of Ivanti VPN appliances within a 48-hour timeframe to mitigate the immediate risk, with the deadline being 1:59 PM on Friday, 2 February, 2024.