A critical server-side request forgery (SSRF) vulnerability affecting Ivanti Connect Secure and Policy Secure products has become the target of widespread exploitation, according to reports from the Shadowserver Foundation. Exploitation attempts have been observed from over 170 unique IP addresses, with attackers aiming to establish reverse shells among other malicious activities. The vulnerability, tracked as CVE-2024-21893, enables attackers to access restricted resources without authentication via the SAML component, significantly amplifying the risk for affected systems. Despite Ivanti’s previous disclosure of targeted attacks against a limited number of customers, the situation has escalated following public disclosure, particularly with the release of a proof-of-concept exploit by cybersecurity firm Rapid7.
Notably, the exploit chain combines CVE-2024-21893 with a previously patched command injection flaw (CVE-2024-21887) to achieve unauthenticated remote code execution. This development underscores the severity of the vulnerability and the urgency for Ivanti to mitigate the risk. Security researcher Will Dormann has also highlighted the presence of other out-of-date open-source components in Ivanti VPN appliances, potentially exposing them to further attacks. In response to the escalating threat landscape, Ivanti has released a second mitigation file and has initiated the rollout of official patches to address all vulnerabilities as of February 1, 2024.
Meanwhile, threat actors are leveraging the vulnerabilities, including CVE-2023-46805 and CVE-2024-21887, to deploy custom web shells identified as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE, as revealed by Google-owned Mandiant. Additionally, Palo Alto Networks Unit 42 has observed a significant number of exposed Ivanti Connect Secure and Policy Secure instances globally, with thousands of instances detected in various countries, highlighting the widespread impact and urgency for remediation efforts. This escalation underscores the critical importance of prompt patching and proactive security measures to mitigate the risk posed by these vulnerabilities.
