Another serious Ivanti vulnerability has been found under attack, so update now

VPN and Remote Desktop
(Image credit: Pixabay)

Ivanti can’t seem to catch a break, as soon after discovering and patching two major flaws that were being exploited in the wild, a third one emerged.

Just like the previous two, this new threat also affects Ivanti’s Connect Secure and Policy Secure VPN products, 

It’s tracked as CVE-2024-21893, and is described as a server-side request forgery. Ivanti published finding the flaw in late January this year, together with another vulnerability that hasn’t yet caught the hacking community’s attention.

A rocky start to the year

At the time, the company released a patch, and said it wasn’t aware of mass abuse. “We are only aware of a small number of customers who have been impacted by CVE-2024-21893 at this time,” the company said in the advisory. 

However, citing information from Shadowserver, ArsTechnica reported that the abuse has “mushroomed” and exceeded that of CVE-2023-46805 and CVE-2024-21887, the two flaws hackers previously targeted. 

It’s been a rocky start to 2024 for Ivanti after it recently discovered two high severity flaws that were being exploited in the wild. 

At first, it released mitigations for the flaws, and later released a patch, but soon after publishing the findings, the US Government's Cybersecurity and Infrastructure Security Agency (CISA) warned users of hackers actively exploiting the flaw and even advised government agencies to disconnect their Ivanti VPNs until they are able to completely rebuild them with the patch installed. 

The first two flaws were abused by Chinese state-sponsored threat actors, the researchers said at the time. For the newest vulnerability, there is still no word on who the perpetrators are, but it’s safe to assume the same people. What’s more, endpoints protected against the first two flaws are vulnerable to the third one, unless they apply the separately-published patch.

While researchers from Rapid7 released a Proof-of-Concept (PoC) late last week, it doesn’t seem that it played a significant role, as researchers saw active exploitation hours earlier.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.