Over 13,000 Ivanti gateways vulnerable to actively exploited bugs


This year, Ivanti has disclosed several vulnerabilities affecting its Connect Secure, Policy Secure, and ZTA gateways. Tracked as CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888, these flaws range from high to critical in severity and cover an authentication bypass, a server-side request forgery, arbitrary command execution, and command injection. Several threat actors, including nation-state actors, have exploited instances susceptible to these flaws to gain access to restricted resources and deploy backdoors for persistent access. Despite the vendor having released patches, thousands of Ivanti endpoints remain exposed to exploitation.

Analyst Comments:
According to Akamai, exploitation activity targeting the most recently disclosed flaw (CVE-2024-22024) has begun, peaking on February 11, 2024, at 240,000 requests from 80 IP addresses attempting to deliver payloads. Furthermore, the threat monitoring service Shadowserver, which scans the internet for vulnerable endpoints, reports that more than 3,900 Ivanti instances are susceptible to CVE-2024-22024, the majority of them located in the United States (1,262). As for the other flaws addressed this year, a Shodan scan shows that 13,636 Ivanti servers have yet to apply patches for CVE-2024-21893, CVE-2024-21888, CVE-2023-46805, and CVE-2024-21887.

Suggested Corrections:
The development comes after CISA issued a notice directing organizations to disconnect these appliances from their networks in light of the heightened exploitation attempts. For organizations that need to bring their appliances back online, the recommendation is to reset the instances before applying the patches released by Ivanti. Once complete, the appliances should be properly segmented and continuously monitored and scanned for possible signs of compromise.