Ivanti warns Connect Secure zero-days exploited by hackers

(Image credit: Shutterstock)

Ivanti is warning of hackers abusing two newly discovered vulnerabilities to take over vulnerable gateways.

Cybersecurity researchers from Mandiant and Volexity recently discovered two zero-day flaws: CVE-2023-46805 (authentication bypass), and CVE-2024-21887 (command injection vulnerability). 

These two flaws allow malicious unauthenticated individuals to run arbitrary commands on vulnerable endpoints via specially crafted requests, especially when chained together.

Remote access tools under assault

"If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system," Ivanti said.

At the moment, a patch isn’t available, but is in the works. In the meantime, the company is providing a method of mitigation. “It is critical that you immediately take action to ensure you are fully protected,” the company reiterated. "We are providing mitigation now while the patch is in development to prioritize the best interest of our customers.

According to Ivanti, the patches will be available in the coming weeks, "the first version targeted to be available to customers the week of 22 January and the final version targeted to be available the week of 19 February." Until then, users are advised to import mitigation.release.20240107.1.xml file, which can be found on the company’s download portal.

The company also said that there is evidence of the two vulnerabilities being used in the wild to attack some customers. 

"We are aware of less than 10 customers impacted by the vulnerabilities. We are unable to discuss the specifics of our customers," it was said in the security advisory. "We have seen evidence of threat actors attempting to manipulate Ivanti's internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT.”

Volexity experts believe the attackers are of Chinese origin and that they are state-sponsored.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.