Ivanti tried to patch its VPN security flaws — but just found more problems

VPN and Remote Desktop
(Image credit: Pixabay)

While looking to patch two high-severity flaws in a VPN solution being abused in the wild, Ivanti found two more - one of which, it seems, is already known to some threat actors.

In early January 2024, Ivanti said it uncovered and patched two vulnerabilities found in its Connect Secure VPN products. Tracked as CVE-2023-46805 and CVE-2024-21887 and could have been used, the vulnerabilities, researchers were saying at the time, were being used to break into vulnerable networks and steal sensitive data. 

Two weeks later, Ivanti urged users to apply the proposed workaround immediately as evidence started emerging of in-the-wild abuse, mostly by Chinese state-sponsored threat actors.

Multiple compromised systems

A patch was in the works - but as Ivanti set out to patch the flaws, it said it found two more lurking in Connect Secure VPN, TechCrunch reports. 

One is CVE-2024-21888, described as a privilege escalation flaw. The latter, a zero-day, is a server-side vulnerability enabling hackers to access restricted resources, unauthenticated. The company is also warning that the latter is being used in “targeted” attacks.

In its writeup, TechCrunch also said that Germany’s Federal Office for Information Security was also aware of “multiple compromised systems” and that all previously patched systems were at risk of the server-side bug.

While Ivanti isn’t pointing any fingers, both Volexity and Mandiant said that the previous two flaws were being used by Chinese state-sponsored threat actors. Ivanti and independent researchers also don’t seem to be seeing eye-to-eye on the number of victims, as well. While Ivanti claims that fewer than 20 of its customers were affected by the bug (up from previously claimed 10), Volexity puts that number at 1,700, at least. Even CISA weighed in recently, urging all federal agencies to apply the patch immediately, due to evidence of the flaws being used by hackers.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.