Ivanti VPN zero-day flaws are now being attacked en masse


Two zero-days in Ivanti Connect Secure VPN, discovered roughly a week ago, are now being massively exploited by threat actors, security researchers have said. 

In a blog post, cybersecurity researchers from Volexity (who first discovered the flaws together with Mandiant) say they have observed evidence of mass exploitation, including more than 1,700 Ivanti Connect Secure appliances worldwide that were compromised by multiple threat actors. 

The victims seem to be targeted indiscriminately, as they include both small businesses and some of the world’s largest organizations, operating in different industries including aerospace, banking, defense, and government.

No patch yet

“Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals,” said Volexity. 

While 1,700 is a large number, Volexity argues that the real figure is likely higher, since scan data shows more than 17,000 internet-exposed, potentially vulnerable Ivanti VPN endpoints.

The mass exploitation started a day after the vulnerabilities were publicized, TechCrunch reports, citing Ivanti: the company said the mass hacks began on January 11, the day after it disclosed the flaws. The vulnerabilities are tracked as CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection). 

Neither flaw needs the other to be serious, but chained together they let an unauthenticated attacker run arbitrary commands on a vulnerable appliance with nothing more than specially crafted requests. "If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system," Ivanti said.
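To show why an authentication bypass plus a command injection adds up to unauthenticated remote code execution, here is a toy web-handler model written for this article. It is not Ivanti's code, it is not taken from the Ivanti advisory, and the specific bypass mechanism (an authentication check made on the raw request path before normalisation) and the injection sink (a hostname interpolated into a shell command) are illustrative assumptions chosen to demonstrate the vulnerability class, not the real flaws. The session token, paths and hostnames are constructed sample data; the only command ever executed is `echo`.

```python
"""Toy model of an auth-bypass + command-injection chain and its hardened form.

Hypothetical example for illustration; none of this is Ivanti's code or a
description of how CVE-2023-46805 / CVE-2024-21887 actually work.
"""
import posixpath
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample data: the only session token the toy app accepts.
VALID_SESSIONS = {"tok-abc123"}

# Hypothetical: request paths under this prefix are reachable without a session.
UNAUTHENTICATED_PREFIXES = ("/api/public/",)

# Hypothetical privileged endpoint that shells out to check a host.
ADMIN_STATUS_PATH = "/api/admin/status"


# ----- vulnerable version ---------------------------------------------------

def run_status_vulnerable(host: str) -> str:
    """Command-injection sink: attacker-controlled text is spliced into a shell line."""
    cmd = f"echo status for {host}"          # 'localhost; echo PWNED' becomes two commands
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def dispatch_vulnerable(path: str, session: Optional[str], host: str) -> Tuple[int, str]:
    """Auth bypass: the auth decision looks at the raw path, but routing uses the
    normalised path, so '/api/public/../admin/status' is treated as public yet
    still reaches the admin handler."""
    if not path.startswith(UNAUTHENTICATED_PREFIXES) and session not in VALID_SESSIONS:
        return 401, "authentication required"
    if posixpath.normpath(path) == ADMIN_STATUS_PATH:
        return 200, run_status_vulnerable(host)
    return 404, "not found"


# ----- hardened version -----------------------------------------------------

HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")   # allowlist, no shell metacharacters


def run_status_hardened(host: str) -> str:
    """Validate input against an allowlist and never hand it to a shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host")
    return subprocess.run(["echo", "status for", host], capture_output=True, text=True).stdout


def dispatch_hardened(path: str, session: Optional[str], host: str) -> Tuple[int, str]:
    """Normalise first, reject anything that changed under normalisation, then
    make the auth decision on the same canonical path that routing uses."""
    canon = posixpath.normpath(path)
    if ".." in path.split("/") or canon != path:
        return 400, "bad path"
    if not canon.startswith(UNAUTHENTICATED_PREFIXES) and session not in VALID_SESSIONS:
        return 401, "authentication required"
    if canon == ADMIN_STATUS_PATH:
        try:
            return 200, run_status_hardened(host)
        except ValueError:
            return 400, "invalid host"
    return 404, "not found"


if __name__ == "__main__":
    # Constructed attack: no session, traversal through a public prefix, injected host.
    attack = ("/api/public/../admin/status", None, "localhost; echo PWNED")
    print("vulnerable:", dispatch_vulnerable(*attack))   # (200, 'status for localhost\nPWNED\n')
    print("hardened:  ", dispatch_hardened(*attack))     # (400, 'bad path')
```

The point of the two-step chain is visible in the vulnerable dispatcher: the traversal on its own only reaches a handler that, with clean input, prints a status line, and the injection on its own needs a session token to reach that handler; together they give command execution with no credentials. The hardened version closes both halves independently, so either fix alone would have broken the chain.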

A patch is not yet available, the company noted, adding that it expects to begin releasing fixes on January 22.

In the meantime, businesses should apply the interim mitigation measures Ivanti has published in its security advisory.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.