Ivanti, a Utah-based IT software firm, is grappling with challenges in adhering to its promised timeline for delivering patches addressing critical vulnerabilities in its Connect Secure VPN appliances. Originally set for a staggered release starting January 22, the company cited testing and quality issues as reasons for delays. The updated advisory stated a new target release for patches for Ivanti Connect Secure, Ivanti Policy Secure, and ZTA versions, cautioning that the timing remains subject to change. This setback follows revelations that a Chinese government-backed hacking team exploited two Ivanti zero-day vulnerabilities, emphasizing the urgency for prompt fixes to prevent further cybersecurity threats.
The delayed patches pose a significant challenge, particularly in light of the strict deadlines set by the US government’s cybersecurity agency CISA for Federal Civilian Executive Branch (FCEB) agencies to apply available fixes. The CISA emergency directive mandated agencies to deploy fixes starting January 22, highlighting the gravity of the situation. The absence of official fixes complicates matters for affected organizations, with CISA calling for the removal of compromised products from networks and detailed reporting on infected devices. Ivanti has released temporary mitigations, but the delays in permanent updates may hinder swift cybersecurity responses, leaving organizations vulnerable to potential exploitation.
