CISA warned U.S. federal agencies to secure their networks against attacks exploiting three critical vulnerabilities affecting Ivanti Endpoint Manager (EPM) appliances.

Since the start of 2025, a suspected China-nexus espionage actor (tracked as UNC5221) also targeted Ivanti Connect Secure VPN appliances, infecting them with new Dryhook and Phasejam malware following successful remote code execution zero-day attacks. In January, CISA and the FBI cautioned that attackers are still exploiting Ivanti Cloud Service Appliances (CSA) security flaws patched since September to breach vulnerable networks. Multiple other Ivanti vulnerabilities have been exploited as zero-days over the last year in widespread attacks targeting the company's VPN appliances and ICS, IPS, and ZTA gateways.

Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until March 31, to secure their systems against ongoing attacks, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021. Ivanti has not yet updated its security advisory after CISA tagged the vulnerabilities as actively exploited in attacks.

On Monday, CISA added the three vulnerabilities to its Known Exploited Vulnerabilities catalog, which lists security flaws the cybersecurity agency has marked as exploited in the wild. Just over a month later, Horizon3.ai also released proof-of-concept exploits that can be used in relay attacks for unauthenticated coercion of the Ivanti EPM machine credentials.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said.
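The BOD 22-01 deadline described above is driven by the `dueDate` field of each entry in CISA's Known Exploited Vulnerabilities catalog, which is published as a JSON feed. The following is an added example, not code from the article or from CISA, showing how a defender can filter that feed by vendor and compute how many days remain before each remediation deadline. The catalog data embedded here is constructed to mirror the feed's field names; the CVE IDs are placeholders, not the real Ivanti EPM entries, and the `as_of` date is an assumption for the demonstration.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs are placeholders; the real feed has the actual entries and descriptions.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.03.10",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Ivanti",
         "product": "Endpoint Manager (EPM)",
         "vulnerabilityName": "Placeholder EPM flaw A",
         "dateAdded": "2025-03-10", "dueDate": "2025-03-31",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-0000-00002", "vendorProject": "Ivanti",
         "product": "Endpoint Manager (EPM)",
         "vulnerabilityName": "Placeholder EPM flaw B",
         "dateAdded": "2025-03-10", "dueDate": "2025-03-31",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor",
         "product": "Other Product",
         "vulnerabilityName": "Placeholder unrelated flaw",
         "dateAdded": "2025-01-15", "dueDate": "2025-02-05",
         "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})


def load_kev(text):
    """Parse the KEV feed JSON and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def due_entries(entries, vendor, as_of):
    """Return the entries for `vendor` with days remaining until the BOD 22-01 due date.

    Each result carries the CVE ID, product, dateAdded, dueDate, the number of days
    left as of `as_of` (negative when the deadline has passed) and an `overdue` flag.
    Results are sorted so the earliest deadline comes first.
    """
    rows = []
    for entry in entries:
        if entry.get("vendorProject", "").lower() != vendor.lower():
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - as_of).days
        rows.append({
            "cveID": entry["cveID"],
            "product": entry["product"],
            "dateAdded": entry["dateAdded"],
            "dueDate": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    rows.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return rows


def report(entries, vendor, as_of):
    """Render one line per matching entry, flagging overdue deadlines."""
    lines = []
    for r in due_entries(entries, vendor, as_of):
        status = "OVERDUE" if r["overdue"] else f"{r['days_left']} days left"
        lines.append(f"{r['cveID']}  {r['product']}  added {r['dateAdded']}  "
                     f"due {r['dueDate']}  ({status})")
    return lines


if __name__ == "__main__":
    # Assumed reference date: the day after the constructed entries were added.
    for line in report(load_kev(SAMPLE_KEV_JSON), "Ivanti", date(2025, 3, 11)):
        print(line)
```

In practice the feed would be fetched from the URL above rather than embedded, and the vendor filter widened to every product in the agency's inventory; the days-left calculation is what turns the catalog into a remediation queue.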
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 11 Mar 2025 13:05:07 +0000