Thousands of Ivanti Connect Secure and Policy Secure endpoints remain vulnerable to multiple security issues, some of which were disclosed over a month ago but have yet to be fully patched by the vendor. These vulnerabilities, ranging from high to critical severity, include authentication bypass, server-side-request forgery, arbitrary command execution, and command injection problems. While some have been exploited by nation-state actors and subsequently leveraged by a broader range of threat actors, others, like the XXE vulnerability in the SAML component (CVE-2024-22024), are being actively targeted by scanning activities.
Despite the urgency communicated by security experts, a significant number of Ivanti endpoints continue to operate without the necessary patches or mitigations. For instance, CVE-2024-22024, a critical XXE vulnerability, has led to scanning activity targeting vulnerable systems. The situation is further exacerbated by the discovery that more than half of the internet-exposed Ivanti servers remain unpatched, leaving organizations vulnerable to potential exploitation and data breaches.
Notably, the disclosure timeline for these vulnerabilities has left administrators with limited time to prepare and apply patches, complicating remediation efforts. As a result, the risk of prolonged exposure to exploitation persists, providing threat actors with a substantial pool of potential targets. The urgent need for organizations to prioritize patching or mitigation measures cannot be overstated, given the serious consequences of unauthorized access and data compromise associated with these vulnerabilities.
