Aussie cyber watchdog ACSC releases alert over ongoing exploitation of Ivanti Connect Secure vulnerabilities. UPDATE: Patch is now available
The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) has updated its alert over the exploitation of a pair of vulnerabilities in Ivanti networking products.
As of 24 January, Ivanti had released a set of mitigation guidelines to address the vulnerabilities, but now, the ACSC is reporting that hackers are already getting around that advice.
“ASD’s ACSC is aware of reports that threat actors have developed workarounds to the current mitigation and detection methods, leading to reported ongoing exploitation activity,” the ACSC said in an update to its Ivanti advisory.
“ASD’s ACSC strongly advises organisations operating vulnerable Ivanti Connect Secure and Ivanti Policy Secure products to conduct investigation and monitoring for potential compromise of systems. ASD’s ACSC recommends organisations monitor authentication, account usage and identity management services, and consider isolating systems from any enterprise resources as much as possible.”
In other words, the barn door that everyone thought was closed could well be wide open, and the horses are definitely bolting.
The two vulnerabilities were first discovered in early January, with multiple cyber security agencies releasing alerts over their exploitation.
CVE-2023-46805 is an authentication bypass vulnerability in earlier versions of Ivanti Connect Secure and Ivanti Policy Secure that can let a remote attacker bypass control checks and access restricted resources.
CVE-2024-21887 is a command injection vulnerability in Ivanti Connect Secure and Ivanti Policy Secure that allows an authenticated administrator to send requests to, and execute arbitrary commands on, the device and can be exploited remotely via the internet.
However, Ivanti has now disclosed two further vulnerabilities overnight.
CVE-2024-21893 is a zero-day server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (versions 9.x and 22.x), Ivanti Policy Secure (versions 9.x and 22.x) and Ivanti Neurons for ZTA. An attacker can use this to access restricted resources without authentication. According to Ivanti, this vulnerability has already been exploited “in a limited number of customer environments”.
CVE-2024-21888 is a privilege escalation bug in the web component of Ivanti Connect Secure (versions 9.x and 22.x) and Ivanti Policy Secure (versions 9.x and 22.x) that lets a user elevate their privileges to admin level.
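The ACSC's advice above is to monitor authentication, account usage and identity management services, and the privilege escalation bug just described means a low-privileged account suddenly holding admin rights is exactly the kind of thing that monitoring should surface. As an added illustration (not code from the article, the ACSC, Rapid7 or Ivanti), the Python below runs three simple checks over constructed authentication log lines: an account that is not in the defender's known-account baseline, an admin role grant to an account not already on the admin list, and an admin login from outside the networks admins normally use. The log format, the account baseline, the network ranges and every IP address are constructed assumptions for the example and do not represent Ivanti's real log format.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample log lines (NOT Ivanti's real log format). Fields are
# timestamp, event type, user, role after the event, and source IP.
SAMPLE_LOG = """\
2024-01-31T09:00:12Z LOGIN_OK user=alice role=user src=10.20.0.15
2024-01-31T09:01:40Z LOGIN_OK user=admin role=admin src=10.20.0.7
2024-01-31T09:05:03Z ROLE_CHANGE user=bob role=admin src=203.0.113.9
2024-01-31T09:05:10Z LOGIN_OK user=bob role=admin src=203.0.113.9
2024-01-31T09:06:00Z LOGIN_OK user=svc-backup role=user src=10.20.0.40
2024-01-31T09:07:22Z LOGIN_OK user=ghost role=admin src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) role=(?P<role>\S+) src=(?P<src>\S+)$"
)

# Baseline the defender maintains (hypothetical values): accounts that are
# expected to exist, accounts expected to hold admin, and the networks that
# admin sessions normally originate from.
KNOWN_ACCOUNTS = {"alice", "admin", "bob", "svc-backup"}
KNOWN_ADMINS = {"admin"}
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def from_admin_network(src):
    """True if the source address falls inside one of the baseline admin networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ADMIN_NETWORKS)


def find_alerts(events):
    """Return (check, user, src) tuples for events that deviate from the baseline."""
    alerts = []
    for e in events:
        # Account usage: an identity the defender has never provisioned.
        if e["user"] not in KNOWN_ACCOUNTS:
            alerts.append(("unknown_account", e["user"], e["src"]))
        # Identity management: admin granted to an account not expected to hold it.
        if e["event"] == "ROLE_CHANGE" and e["role"] == "admin" and e["user"] not in KNOWN_ADMINS:
            alerts.append(("unexpected_admin_grant", e["user"], e["src"]))
        # Authentication: admin session from outside the usual admin networks.
        if e["event"] == "LOGIN_OK" and e["role"] == "admin" and not from_admin_network(e["src"]):
            alerts.append(("admin_login_outside_baseline", e["user"], e["src"]))
    return alerts


def scan(log_text):
    """Convenience wrapper: parse the text and return its alerts."""
    return find_alerts(parse(log_text))


if __name__ == "__main__":
    for check, user, src in scan(SAMPLE_LOG):
        print(f"{check}: user={user} src={src}")
```

On the constructed sample this flags bob's admin grant and admin login from 203.0.113.9, and the previously unseen account ghost logging in as admin from 198.51.100.4; alice, admin and svc-backup produce nothing. The baseline sets are the part that matters in practice: the checks are only as good as the defender's record of which accounts and networks are legitimate.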
Researchers at Rapid7 are taking the situation very seriously.
“Rapid7 urges customers who use Ivanti Connect Secure or Policy Secure to take immediate steps to apply the vendor-supplied patch and look for indicators of compromise,” said Rapid7’s Caitlin Condon in a blog post. “Like the ASD, CISA and others have also stressed the importance of immediate action and continuous threat hunting.”
UPDATE 01/02/24 12:43pm
The ACSC has just released details of patches for the following vulnerabilities, which were mentioned above:
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.