On February 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), supported by a coalition of international partners, published a cybersecurity advisory highlighting vulnerabilities inherent in Ivanti Connect Secure and Policy Secure gateways. The advisory identifies that cyber threat actors are actively exploiting multiple vulnerabilities, putting numerous organizations at risk.
Participating entities in this advisory include noted cybersecurity agencies such as CERT-New Zealand, the Canadian Centre for Cyber Security, and the United Kingdom's National Cyber Security Centre. Each of these organizations recognizes the potential consequences stemming from these security flaws.
The vulnerabilities detailed in the advisory include CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. These issues allow hackers to bypass authentication, generate malicious requests, and execute arbitrary commands with elevated privileges. "We have seen a concerning trend where these vulnerabilities can be exploited in a chain, potentially leading to significant security breaches," said a CISA spokesperson.

Among the alarming findings reported by CISA is the potential for a cyber threat actor to gain root-level persistence on compromised Ivanti devices, even if the victim has performed factory resets. "This persistence despite factory resets is particularly troubling for organizations that believe they are protected after a reset," noted a cybersecurity analyst familiar with the advisory.
Furthermore, the advisory warns that the Ivanti Integrity Checker Tool is not entirely reliable for detecting breaches due to the sophistication with which cyber actors may disguise their activities. "We must emphasize the need for more robust detection methods, as the existing tools may not be sufficient," said the spokesperson from CISA.
CISA’s advisory acts as a call to action, urging cybersecurity defenders to consider the implications of continuing to operate these vulnerable gateways in enterprise environments. "Organizations must weigh the risks of these vulnerabilities against their operational needs," the analyst stated.
Cybersecurity experts recommend that organizations remain vigilant in reviewing their security posture and understanding the indicators of compromise (IOCs) associated with these threats. "There's a pressing need for companies to adopt the mitigation strategies outlined in the advisory to protect their infrastructures," advised a member of the FBI’s Cyber Division.

As the threat is ongoing and evolving, CISA and its partners will continue to monitor the situation and provide updates. "We are committed to keeping the cybersecurity community informed about these vulnerabilities and their implications for organizations worldwide," reiterated a CISA representative.
This advisory underscores the urgency of addressing the vulnerabilities present in Ivanti's systems. As cyber threats continue to adapt and exploit weaknesses, organizations must prioritize their cybersecurity defenses to safeguard against potential exploits.


