February 8, 2024 at 02:53PM
Ivanti warns of an authentication bypass vulnerability (CVE-2024-22024) in Connect Secure, Policy Secure, and ZTA gateways, allowing remote access to unpatched appliances. No evidence of customer exploitation, but immediate action is recommended. Over 20,000 ICS (Ivanti Connect Secure) VPN gateways tracked online. Ivanti devices targeted in zero-day attacks. Security patches released. CISA orders disconnection of vulnerable Ivanti VPN appliances from U.S. federal agencies.
The key takeaways are:
1. Ivanti has warned of a critical authentication bypass vulnerability (CVE-2024-22024) impacting Connect Secure, Policy Secure, and ZTA gateways, urging immediate action to secure the appliances.
2. Shadowserver is currently tracking over 20,000 ICS VPN gateways exposed online, a significant number of them in the United States, and is monitoring compromised Ivanti Connect Secure VPN instances daily.
3. Ivanti VPN appliances have been targeted in attacks chaining multiple zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893), with security patches released on January 31 and mitigation instructions provided for devices awaiting patches.
4. CISA has ordered U.S. federal agencies to disconnect all vulnerable Ivanti VPN appliances on their networks within 48 hours in response to extensive targeting by multiple threat actors.
These takeaways underline the urgency for organizations to secure their Ivanti appliances, given the active exploitation of these vulnerabilities and the heightened threat level.