CISA - Active Exploitation of Ivanti Connect Secure and Ivanti Policy Secure Gateways

CISA will be releasing a joint cybersecurity advisory (JCSA) regarding the active exploitation of recent vulnerabilities within Ivanti Connect Secure and Ivanti Policy Secure gateways tomorrow (2/29).

Ahead of its publication, we are sharing the attached pre-release for your awareness (please hold at TLP:AMBER until final release). Note: TLP:AMBER information may be shared within a recipient’s organization and with a recipient’s customers, members, and/or clients.

The JCSA covers observations by CISA and co-sealers related to widespread compromise, including TTPs, IOCs, and detection methods to help network defenders mitigate risk. The JCSA also highlights findings related to Ivanti’s Integrity Checker Tools and to a threat actor’s ability to obtain root-level persistence despite factory resets being issued on a device (based on research and lab analysis).

We encourage all partners to review the information and mitigation guidance outlined, and let us know if you have any questions.