Ivanti reports actively exploited vulnerabilities in Connect Secure (ICS) VPN and Policy Secure (IPS) access control
Take action: Another Ivanti exercise; this is becoming almost like patching Windows. This time patching is an urgent effort: the vulnerabilities are actively exploited, and the vulnerable devices are visible on the internet by design.
Ivanti has disclosed two zero-day vulnerabilities in its Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products that have been actively exploited in the wild.
- The first vulnerability, CVE-2023-46805 (CVSS score 8.2), is an authentication bypass flaw in the web component of these gateways, allowing attackers to access restricted resources by bypassing control checks.
- The second vulnerability, CVE-2024-21887 (CVSS score 9.1), is a command injection vulnerability that permits authenticated administrators to execute arbitrary commands on vulnerable appliances via specially crafted requests.
When combined, these vulnerabilities enable unauthenticated attackers to execute arbitrary commands on all supported versions of the impacted products.
These security issues have already been exploited in targeted attacks against a small number of customers. Volexity, a threat intelligence company, identified the attacker as a likely Chinese state-backed threat actor and noted the use of the GLASSTOKEN webshell for maintaining network access after initial compromise.
Ivanti has released mitigation measures and is developing patches, with the first version of patches expected to be available in late January and the final version by mid-February. Customers are advised to apply these mitigations immediately to protect against these vulnerabilities.