Security researchers have said that two zero-days in Ivanti Connect Secure VPN, discovered about a week ago, are now being massively exploited by threat actors.
In a blog post, cybersecurity researchers at Volexity (who first discovered the flaws alongside Mandiant) claim to have observed evidence of massive exploitation. This includes more than 1,700 Ivanti Connect Secure devices worldwide that fell victim to different threat actors.
Victims appear to be targeted indiscriminately, as they include both small businesses and some of the largest organizations in the world, operating in different industries, including aerospace, banking, defense and government.
There is no patch yet
“Victims are distributed globally and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple verticals,” Volexity said.
While 1,700 is a large number, Volexity maintains that the real number is even higher, because some data shows more than 17,000 Ivanti VPN endpoints potentially vulnerable and connected to the Internet.
The massive exploitation began a day after the vulnerabilities were made public, TechCrunch reports, quoting Ivanti. The company reportedly said the massive attacks began on January 11, a day after Ivanti disclosed the flaws. The flaws are tracked as CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection).
They allow unauthenticated malicious individuals to execute arbitrary commands on vulnerable endpoints through specially crafted requests, especially when chained. “If CVE-2024-21887 is used in conjunction with CVE-2023-46805, the exploit does not require authentication and allows a threat actor to create malicious requests and execute arbitrary commands on the system,” Ivanti said.
There is no patch available yet, the company noted, adding that it should begin rolling out on January 22.
In the meantime, businesses should apply the mitigation measures Ivanti has provided.