Ivanti, in a recent advisory, has cautioned administrators about a critical vulnerability affecting VPN appliances if new device configurations are pushed after applying mitigations. This vulnerability arises from a known race condition during configuration pushes, causing a disruption in web services and rendering applied mitigations ineffective. The warning follows CISA’s issuance of an emergency directive instructing U.S. agencies to promptly apply mitigations for two zero-day flaws in Ivanti Connect Secure and Policy Secure, which have been exploited in widespread attacks since December.
The Ivanti ICS and IPS appliances have become targets in large-scale attacks, leveraging the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection vulnerabilities. These exploits allow threat actors to move laterally within compromised networks, collect and exfiltrate data, and establish persistent access by deploying backdoors. Although security patches are pending, Ivanti has provided mitigation measures to thwart attack attempts and recovery instructions for impacted appliances.
The advisory emphasizes that administrators should refrain from pushing configurations until the appliance is patched, ensuring the continued efficacy of mitigations. The global threat landscape surrounding these vulnerabilities is evident, with thousands of exposed ICS VPN appliances being actively monitored. Threat intelligence reveals ongoing compromises, with attackers deploying webshells, cryptocurrency miners, and other malicious payloads on compromised devices, affecting entities across various sectors, including government, military, telecom, defense, technology, banking, finance, and aerospace.
