Ivanti reported five vulnerabilities in its VPN service. They are tracked as CVE-2024-21888, CVE-2024-21893, CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893. The last of these is being actively exploited by numerous attackers, because exploit code for it is publicly available.
Ivanti initially reported that its Connect Secure VPN service was affected by CVE-2023-46805 and CVE-2024-21887. The service is used by many public and private organizations around the world: employees of corporations, banks, and educational and medical institutions connect to a virtual network and access their organizations' internal systems while away from the office. According to the company, hackers linked to the Chinese government have been exploiting these vulnerabilities since December to break into its customers’ networks and steal data. Ivanti subsequently disclosed two more Connect Secure vulnerabilities, CVE-2024-21888 and CVE-2024-21893.
Third-party cybersecurity experts added that there is another vulnerability in the Ivanti VPN service, tracked as CVE-2024-21893. The developer has fixed all of the flaws, but this latest vulnerability continues to be widely exploited by various attackers, and the number of related incidents will continue to grow, since the exploit code is publicly available and not all customers have installed the updates. Last week, the non-profit Shadowserver Foundation recorded 170 IP addresses from which attempts were made to exploit this vulnerability, and the day before their number exceeded 630. Moreover, while 22,500 internet-connected Ivanti Connect Secure devices were being monitored last week, 20,800 remain now, and it is unknown how many of them are vulnerable.
Ivanti did not comment on reports that the vulnerability was being exploited on a massive scale, but the company also did not dispute Shadowserver’s findings. Notably, Ivanti has not yet rolled out the update to all customers. A few days earlier, the US Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal agencies to shut down all Ivanti client systems within two days, citing a “serious threat” associated with an exploitable vulnerability.