Ivanti has issued a warning about two critical vulnerabilities affecting Connect Secure, Policy Secure, and ZTA gateways, with one identified as a zero-day flaw (CVE-2024-21893) currently under active exploitation. This server-side request forgery vulnerability in the gateways’ SAML component enables attackers to bypass authentication and gain unauthorized access to restricted resources. A second flaw (CVE-2024-21888) in the gateways’ web component allows threat actors to escalate privileges to administrator levels. Ivanti has released security patches for some affected versions and provided mitigation instructions for devices awaiting a patch, emphasizing the urgency for users to take immediate action for full protection.
In addition to the newly discovered vulnerabilities, Ivanti has also released patches for two zero-days disclosed in early January—an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887). These zero-days have been actively exploited in widespread attacks targeting ICS, IPS, and ZTA gateways since January 11. CISA issued an emergency directive (ED 24-01), ordering federal agencies to mitigate these zero-day flaws immediately in response to mass exploitation by multiple threat actors. The vulnerabilities, when chained, allow attackers to move laterally within networks, steal data, and establish persistent access by deploying backdoors.
The victims of these extensive attacks include government and military organizations worldwide, national telecom companies, defense contractors, banking and finance institutions, accounting organizations, aerospace, aviation, and tech firms. Various-sized entities, from small businesses to Fortune 500 companies, have been affected. Mandiant identified five custom malware strains used in the attacks, aiding threat actors in stealing credentials, deploying webshells, and delivering additional malicious payloads. Volexity and GreyNoise observed attackers deploying XMRig cryptocurrency miners and Rust-based malware payloads on compromised systems, underscoring the severity and diversity of the ongoing cyber threats.