Ivanti in its death throes: how a series of critical vulnerabilities undermined the company's credibility

The PoC for CVE-2024-21893 worsened the situation, with about 22,500 devices affected.

The massive exploitation of a vulnerability in the Ivanti Connect Secure and Policy Secure servers, identified as CVE-2024-21893, is causing alarm among cybersecurity experts. This major flaw affects software versions 9.x and 22.x, allowing attackers to bypass authentication and gain access to the limited resources of vulnerable devices.

The first warning from Ivanti was issued on January 31, when the vulnerability received a "zero-day" status due to limited active exploitation affecting a small number of customers.

Now, according to the Shadowserver threat monitoring service, the vulnerability is actively used by intruders. Experts recorded attempts to exploit it from 170 unique IP addresses. The volume of attacks on this vulnerability significantly exceeds the activity on other recently fixed Ivanti issues, which indicates a clear change of focus by the attackers.

On February 2, researchers at Rapid7 made a PoC exploit publicly available, which no doubt also contributed to an increase in the number of attacks. However, Shadowserver notes that methods similar to the published ones were used by attackers a few hours before the Rapid7 report was released. This indicates that hackers had already found ways on their own to use CVE-2024-21893 for unlimited access without authentication to vulnerable Ivanti endpoints.

To date, researchers have found almost 22,500 Ivanti Connect Secure devices accessible from the Internet. However, it is not known for certain how many of them are actually exposed to the actively exploited vulnerability.

Ivanti's disclosure of CVE-2024-21893 was accompanied by the release of security updates for two other zero-day vulnerabilities affecting the same products. These security flaws were exploited by a group of Chinese spies to install web shells and backdoors on compromised devices. The peak of infections occurred in mid-January.

Due to the active exploitation of several critical zero-day vulnerabilities and the lack of effective protection tools and security updates for some product versions, CISA even ordered US federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN devices. Devices can only be reconnected to the network after a factory reset and an update to the latest firmware version.

The recommendation also applies to private organizations, which should pay close attention to the security of their Ivanti systems and the general trust in their network environment.