Ivanti can't seem to catch a break, as shortly after discovering and fixing two major flaws that were being exploited in the wild, a third emerged.
Like the previous two, this new threat also affects Ivanti's Connect Secure and Policy Secure VPN products.
It is tracked as CVE-2024-21893 and described as a server-side request forgery (SSRF) in the products' SAML component. Ivanti disclosed the flaw in late January of this year, along with another vulnerability that has not yet caught the attention of the hacking community.
A difficult start to the year
At the time, the company released a patch and said it was not aware of mass abuse. “We are only aware of a small number of customers who have been affected by CVE-2024-21893 at this time,” the company said in the advisory.
However, citing data from Shadowserver, Ars Technica reported that exploitation has since "grown" and now surpasses that of CVE-2023-46805 and CVE-2024-21887, the two flaws attackers targeted earlier.
It's been a rocky start to 2024 for Ivanti: the two earlier flaws, both high-severity, were already being exploited in the wild when they were discovered.
Ivanti first released mitigations and then a patch, but shortly after the findings were published, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were actively exploiting the flaws and went so far as to direct federal agencies to disconnect their Ivanti VPNs until the devices could be fully rebuilt with the patch installed.
Researchers said at the time that the first two flaws were abused by Chinese state-sponsored threat actors. For the most recent vulnerability, it is not yet known who is behind the attacks, though the same actors are an obvious suspect. What's more, devices that only applied the earlier mitigation for the first two flaws remain exposed to the third until the separately released patch is applied.
Rapid7 researchers published a proof of concept (PoC) late last week, but it does not appear to have driven the uptick: exploitation in the wild was already observed hours before the PoC was released.