Ivanti shows no signs of catching a break. Shortly after he discovered and patched two major flaws that were being exploited in the wild, a third flaw appeared.
Like the previous two threats, this new threat also affects Ivanti's Connect Secure and Policy Secure VPN products.
This is being tracked as CVE-2024-21893 and is described as server-side request forgery. Ivanti announced the discovery of this flaw in late January of this year, along with another vulnerability that has not yet attracted the attention of the hacking community.
An eventful start to this year
At the time, the company released a patch but said it was not aware of any collective abuse. “At this time, we are only aware of a small number of customers affected by CVE-2024-21893,” the company said in its advisory.
However, ArsTechnica, citing information from Shadowserver, reported that the exploit has “mushroomed” and surpassed CVE-2023-46805 and CVE-2024-21887, two flaws previously targeted by hackers. .
It's been a rocky start to 2024 for Ivanti, as we recently discovered two high-severity flaws that are being exploited in the wild.
Initially, the company released mitigations and later patches for the flaw, but shortly after publishing its findings, the U.S. government's Cybersecurity and Infrastructure Security Agency (CISA) announced that the flaw was being actively exploited. It warned users of the hackers and advised government agencies to disconnect them from their networks. Ivanti VPN will last until you can install patches and completely rebuild it.
The first two flaws were exploited by Chinese state-sponsored threat actors, researchers said at the time. The identity of the culprit behind the latest vulnerability is still unknown, but it's safe to assume it's the same person. Additionally, endpoints that are protected from the first two flaws become vulnerable to the third flaw unless a separately published patch is applied.
Rapid7 researchers announced a proof of concept (PoC) late last week, but it doesn't appear to have played a significant role, as researchers had seen an active exploit hours earlier.