CISA and Partners Release Advisory on Threat Actors Exploiting Ivanti Connect Secure and Policy Secure Gateways Vulnerabilities
Today, CISA and the following partners released joint Cybersecurity Advisory Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways:
- Federal Bureau of Investigation (FBI)
- Multi-State Information Sharing & Analysis Center (MS-ISAC)
- Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
- United Kingdom National Cyber Security Centre (NCSC-UK)
- Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment
- New Zealand National Cyber Security Centre (NCSC-NZ)
- CERT-New Zealand (CERT NZ)
The advisory describes cyber threat actor exploitation of multiple previously identified Connect Secure and Policy Secure vulnerabilities—namely CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893—which threat actors can exploit in a chain to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. Additionally, the advisory describes two key CISA findings:
- The Ivanti Integrity Checker Tool is not sufficient to detect compromise due to the ability of threat actors to deceive it, and
- A cyber threat actor may be able to gain root-level persistence despite the victim having issued factory resets on the Ivanti device.
The advisory provides cyber defenders with detection methods and indicators of compromise (IOCs) as well as mitigation guidance to defend against this activity. Note: As exploitation is ongoing as of publication of this advisory, CISA will provide updates to the Additional Resources list below as they are made available.
CISA and its partners urge cyber defenders to review this advisory and consider the significant risk of cyber threat actor access to, and persistence on Connect Secure and Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.
Additional Resources
- Organizations using these devices should assume a threat actor is maintaining persistence and lying dormant for a period before conducting malicious actions. For more on this specific technique, see Identifying and Mitigating Living Off the Land Techniques.
- CISA has issued Emergency Directive (ED) 24-01 Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities as well as corresponding Supplemental Direction to ED 24-01 to federal agencies.
- IBM: Widespread exploitation of recently disclosed Ivanti vulnerabilities
- Akamai: Scanning Activity for CVE-2024-22024 (XXE) Vulnerability in Ivanti
- Rapid7 AttackerKB: CVE-2024-21893, CVE-2024-21887, CVE-2024-22024, CVE-2023-46805
- Orange Cyberdefense: Ivanti Connect Secure: Journey to the core of the DSLog backdoor
- Volexity: Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
- WatchTowr: Ivanti Connect Secure CVE-2024-22024 – Are We Now Part Of Ivanti?
- Mandiant: Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation, Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation, Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
- Grey Noise: Ivanti Connect Secure Exploited to Install Cryptominers
- Ivanti: KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
- Palo Alto Networks Unit 42: Threat Brief: Multiple Ivanti Vulnerabilities
- GitHub: CSIRTs Network – Exploitation of Ivanti Connect Secure and Ivanti Policy Secure Gateway Zero-Days
