Two Ivanti Zero-Days Actively Exploited in the Wild

Ivanti customers have been urged to follow the security vendor's suggested workaround after it confirmed that two zero-day vulnerabilities in its Connect Secure and Policy Secure gateways are being actively exploited.
Connect Secure is a VPN product while Policy Secure is a network access control solution.
Security vendor Volexity yesterday claimed that a Chinese state actor tracked as UTA0178 was behind the attacks.
It said the group may have been exploiting CVE-2023-46805 and CVE-2024-21887 as far back as December 3 2023 to place webshells on victim organizations' internal and external-facing web servers.
The zero-day vulnerabilities affect all supported versions of Ivanti Connect Secure, formerly known as Pulse Connect Secure, and Ivanti Policy Secure gateways.
CVE-2023-46805 is an authentication bypass vulnerability in the web component of the two products that allows remote attackers to access restricted resources by bypassing control checks, Ivanti said in an advisory.
CVE-2024-21887 is a command injection vulnerability in the web components of the products which allows an authenticated administrator to send specially crafted requests which execute arbitrary commands on the appliance.
It can be exploited over the internet and is given a CVSS score of 9.1.
The two can be chained to potentially devastating effect.
Action1 president and co-founder, Mike Walters, claimed that a Shodan search reveals around 15,000 Ivanti devices currently exposed online.
Patches will not be available until the week of January 22, and even then Ivanti is releasing them in a staggered schedule according to product version.
In the meantime, it has released a series of mitigation steps that customers are urged to follow immediately.
Ivanti products have previously been exploited by suspected Chinese state hackers.
In July, they targeted CVE-2023-35078 and CVE-2023-35081 in the firm's Endpoint Manager Mobile product to compromise several Norwegian government agencies.
In April 2021, prior to Ivanti's acquisition of Pulse Secure, Chinese hackers exploited another critical zero-day bug in the Pulse Connect Secure product.

This Cyber News was published on www.infosecurity-magazine.com. Publication date: Thu, 11 Jan 2024 09:30:29 +0000

Cyber News related to Two Ivanti Zero-Days Actively Exploited in the Wild

Check Point released hotfix for actively exploited VPN zero-day - MUST READ. Check Point released hotfix for actively exploited VPN zero-day. Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. Apple ...
7 months ago Securityaffairs.com

New MOVEit Transfer critical bug is actively exploited - MUST READ. New MOVEit Transfer critical bug is actively exploited. CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. PoC ...
6 months ago Securityaffairs.com

Ivanti Connect Secure zero-days now under mass exploitation - Two zero-day vulnerabilities affecting Ivanti's Connect Secure VPN and Policy Secure network access control appliances are now under mass exploitation. As discovered by threat intelligence company Volexity, which also first spotted the zero-days ...
11 months ago Bleepingcomputer.com

Ivanti: VPN appliances vulnerable if pushing configs after mitigation - Ivanti warned admins to stop pushing new device configurations to appliances after applying mitigations because this will leave them vulnerable to ongoing attacks exploiting two zero-day vulnerabilities. While the company didn't provide additional ...
11 months ago Bleepingcomputer.com

Ivanti warns of Connect Secure zero-days exploited in attacks - Ivanti has disclosed two Connect Secure and Policy Secure zero-days exploited in the wild that can let remote attackers execute arbitrary commands on targeted gateways. The first security flaw is an authentication bypass in the gateways' web ...
11 months ago Bleepingcomputer.com

Threat Brief: Ivanti Vulnerabilities CVE-2023-46805 and CVE-2024-21887 - On Jan. 10, 2024, Ivanti disclosed two new vulnerabilities in their Ivanti Connect Secure and Ivanti Policy Secure gateways: CVE-2023-46805 and CVE-2024-21887. The first CVE is a High severity authentication bypass vulnerability, and the second CVE ...
11 months ago Unit42.paloaltonetworks.com

Ivanti discloses new zero-day flaw, releases delayed patches - Ivanti Wednesday released patches for two critical zero-day vulnerabilities that were disclosed earlier this month, but also warned customers of two new flaws, including a new zero-day that's under exploitation in the wild. In a security advisory on ...
11 months ago Techtarget.com

Sav-Rx data breach impacted over 2.8 million individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks. Microsoft fixed two zero-day bugs exploited in malware ...
7 months ago Securityaffairs.com

Ivanti discloses fifth vulnerability The Register - In disclosing yet another vulnerability in its Connect Secure, Policy Secure, and ZTA gateways, Ivanti has confused the third-party researchers who discovered it. Researchers at watchTowr blogged today about not being credited with the discovery of ...
10 months ago Go.theregister.com

CISA confirms compromise of its Ivanti systems - CISA confirmed two of its internal systems were breached by a threat actor that exploited flaws in Ivanti products used by the U.S. cybersecurity agency. Ivanti on Jan. 10 disclosed two zero-day vulnerabilities that were under exploitation by a ...
9 months ago Techtarget.com

newsletter Round 473 by Pierluigi Paganini - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits ...
7 months ago Securityaffairs.com

Healthcare firm WebTPA data breach impacted 2.5M individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach ...
7 months ago Securityaffairs.com

Ivanti: Patch new Connect Secure auth bypass bug immediately - Today, Ivanti warned of a new authentication bypass vulnerability impacting Connect Secure, Policy Secure, and ZTA gateways, urging admins to secure their appliances immediately. The flaw is due to an XXE weakness in the gateways' SAML component that ...
10 months ago Bleepingcomputer.com

Apple fixes two new iOS zero-days in emergency updates - Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and impacting iPhone, iPad, and Mac devices, reaching 20 zero-days patched since the start of the year. "Apple is aware of a report that this issue may ...
1 year ago Bleepingcomputer.com

China-backed attackers blamed for Ivanti zero-day exploits The Register - Security experts believe Chinese nation-state attackers are actively exploiting two zero-day vulnerabilities in security products made by Ivanti. If you're an admin or a user of the two products affected, VPN service Ivanti Connect Secure and network ...
11 months ago Go.theregister.com

Ivanti confirms 2 zero-day vulnerabilities are under attack - CISA urged enterprises to address two Ivanti zero-day vulnerabilities that remain unpatched amid reports of active exploitation by a Chinese nation-state threat actor. Ivanti published a security advisory Wednesday for an authentication bypass ...
11 months ago Techtarget.com

CISA: Critical Ivanti auth bypass bug now actively exploited - CISA warns that a critical authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile and MobileIron Core device management software is now under active exploitation. Tracked as CVE-2023-35082, the flaw is a remote unauthenticated API ...
11 months ago Bleepingcomputer.com

Two Ivanti Zero-Days Actively Exploited in the Wild - Ivanti customers have been urged to follow the security vendor's suggested workaround after it confirmed that two zero-day vulnerabilities in its Connect Secure and Policy Secure gateways are being actively exploited. Connect Secure is a VPN product ...
11 months ago Infosecurity-magazine.com

newsletter Round 474 by Pierluigi Paganini - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. Critical Fortinet's ...
7 months ago Securityaffairs.com

North Korean Kimsuky used a new Linux backdoor in recent attacks - Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Threat actors exploited Palo Alto Pan-OS issue to deploy a Python Backdoor. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 ...
7 months ago Securityaffairs.com

Impact of Remote Work and Cloud Migrations on Security Perimeters - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits ...
7 months ago Securityaffairs.com

New ATM Malware family emerged in the threat landscape - Threat actors may have exploited a zero-day in older iPhones, Apple warns. Microsoft fixed two zero-day bugs exploited in malware attacks. Threat actors actively exploit JetBrains TeamCity flaws to deliver malware. Raspberry Robin spotted using two ...
7 months ago Securityaffairs.com

Russia's Midnight Blizzard stole email of more Microsoft customers - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities ...
6 months ago Securityaffairs.com

newsletter Round 478 by Pierluigi Paganini - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. BianLian group exploits ...
6 months ago Securityaffairs.com

Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine - Apple has patched an actively exploited zero-day bug in its WebKit browser engine for Safari. Actively Exploited Apple yesterday described the vulnerability as something an attacker could exploit to execute arbitrary code on affected systems. ...
11 months ago Darkreading.com

Latest Cyber News

CVE-2025-22214 - 10 hours ago
CVE-2024-56829 - 10 hours ago
CVE-2025-0168 - 1 day ago
CVE-2024-11846 - 1 day ago
CVE-2024-56020 - 1 day ago
CVE-2024-56021 - 1 day ago
CVE-2024-23436 - 1 day ago
CVE-2024-23437 - 1 day ago
CVE-2024-23438 - 1 day ago
CVE-2024-23420 - 1 day ago
CVE-2024-23421 - 1 day ago
CVE-2024-23422 - 1 day ago
CVE-2024-23423 - 1 day ago
CVE-2024-23424 - 1 day ago
CVE-2024-23425 - 1 day ago
CVE-2024-23426 - 1 day ago
CVE-2024-23427 - 1 day ago
CVE-2024-23428 - 1 day ago
CVE-2024-23429 - 1 day ago
CVE-2024-23430 - 1 day ago

Cyber Trends (last 7 days)

Okta - 1 year ago
23andMe - 1 year ago
Kimsuky - 1 year ago
LogoFAIL - 1 year ago
Gh0st rat - 1 year ago

Trending Cyber News (last 7 days)

CVE-2024-11846 - 1 day ago
CVE-2025-0168 - 1 day ago
CVE-2024-56829 - 10 hours ago
CVE-2025-22214 - 10 hours ago
CVE-2024-45497 - 2 days ago
CVE-2024-13067 - 2 days ago
CVE-2024-49422 - 2 days ago
CVE-2024-56211 - 2 days ago
CVE-2024-56212 - 2 days ago
CVE-2024-56213 - 2 days ago
CVE-2024-56214 - 2 days ago
CVE-2024-56216 - 2 days ago
CVE-2024-56218 - 2 days ago
CVE-2024-56220 - 2 days ago
CVE-2024-56222 - 2 days ago
CVE-2024-56229 - 2 days ago
CVE-2024-56230 - 2 days ago
CVE-2024-56232 - 2 days ago
CVE-2024-12105 - 2 days ago
CVE-2024-12106 - 2 days ago