Experts warn of mass exploitation of Ivanti Connect Secure VPN flaws

Experts warn that recently disclosed Ivanti Connect Secure VPN and Policy Secure vulnerabilities are massively exploited in the wild.

Last week, software firm Ivanti reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.

The flaw CVE-2023-46805 (CVSS score 8.2) is an Authentication Bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.

The second flaw, tracked as CVE-2024-21887 (CVSS score 9.1) is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and execute arbitrary commands on the appliance.

An attacker can chain the two flaws to send specially crafted requests to unpatched systems and execute arbitrary commands. 

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.

The company is providing mitigation and confirmed it is working on the development of a security patch.

The final patches will be available from 19 February.

Volexity researchers observed threat actors actively exploiting the two zero-days in the wild. In December 2023, Volexity investigated an attack where an attacker was placing webshells on multiple internal and external-facing web servers.

“Upon closer inspection, Volexity found that an attacker was placing webshells on multiple internal and external-facing web servers.” reads the analysis published by Volexity.” reads the analysis published by Volexity. “Most notably, Volexity analyzed one of the collected memory samples and uncovered the exploit chain used by the attacker. Volexity discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE). Through forensic analysis of the memory sample, Volexity was able to recreate two proof-of-concept exploits that allowed full unauthenticated command execution on the ICS VPN appliance. These two vulnerabilities have been assigned the following CVEs:

  • CVE-2023-46805 – an authentication-bypass vulnerability with a CVSS score of 8.2
  • CVE-2024-21887 – a command-injection vulnerability found into multiple web components with a CVSS score of 9.1″

Since its first report, Volexity researchers have received many reports from organizations worldwide that found signs of compromise by way of mismatched file detections. The security firm also developed “a way to scan devices” to look for indicators of compromise. Volexity confirmed that the exploitation of these vulnerabilities is now widespread, it has found evidence of compromise of over 1,700 devices worldwide.

Ivanti Connect Secure VPN

The researchers also reported that threat actors tracked as UTA0178 (aka UNC5221) are actively exploiting the vulnerabilities and are actively trying to exploit devices.

Targets span across the globe, they include both small businesses and large organizations. The list of targets includes multiple Fortune 500 companies operating in various industry sectors, such as:

  • Global government and military departments
  • National telecommunications companies
  • Defense contractors
  • Technology firms
  • Banking, finance, and accounting institutions
  • Worldwide consulting services
  • Aerospace, aviation, and engineering entities

“Investigations of newly found compromised devices showed they had been backdoored with a slightly different variant of the GIFTEDVISITOR webshell documented in the “visits.py modification – GIFTEDVISITOR” section of Volexity’s recent blog post. The attacker used an identical webshell to that observed in the first incident investigated by Volexity, but they replaced the AES key used with a truncated UUID string.” reads the update provided by Volexity.

The analysis of logs from various ICS VPN appliances revealed likely attempted exploitation by other threat actors, with noticeably poorer operational security than UTA0178.

Volexity has also observed suspected exploitation attempt from another threat actor tracked as UTA0188.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ivanti Connect Secure VPN flaws)