February 5, 2024 at 11:00AM
Ivanti Connect Secure and Policy Secure are being exploited through an SSRF vulnerability, tracked as CVE-2024-21893, allowing attackers to bypass authentication and access restricted resources on vulnerable devices. The exploitation volume is significantly high, leading to U.S. CISA’s directive for federal agencies to disconnect and upgrade affected appliances to the latest firmware.
Meeting Takeaway:
1. There is an ongoing mass exploitation of the CVE-2024-21893 vulnerability in Ivanti Connect Secure and Ivanti Policy Secure servers, leading to unauthorized access to restricted resources on vulnerable devices.
2. The exploitation volume of this vulnerability is significantly higher than that of other recently fixed or mitigated Ivanti flaws, indicating a change in attackers’ focus.
3. The release of security updates for two other zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, has raised concerns about the security of Ivanti products, especially with evidence of exploitation by a Chinese espionage threat group.
4. Due to the active exploitation of multiple critical zero-day vulnerabilities and lack of effective mitigations, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has ordered federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances, with a recommendation for private organizations to consider the security status of their Ivanti deployments as well.
5. Organizations are advised to update affected devices to the latest firmware version and consider the overall security posture of their Ivanti environment.
Please let me know if there is anything else you would like to include or adjust in this summary.