Ivanti researchers this week flagged two zero-day vulnerabilities discovered in its products, CVE-2023-46805 and CVE-2024-21887, that are already being actively exploited by threat actors.
The vulnerabilities were found in Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways and affect all supported versions (Version 9.x and 22.x). Volexity assisted in identifying and reporting the issues in Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways.
CVE-2023-46805 is an authentication bypass vulnerability that allows threat actors to access restricted materials remotely and has a CVSS rating of 8.2. CVE-2024-21887, with a CVSS rating of 9.1, is a command injection vulnerability that allows authenticated admins to send unique requests as well as execute arbitrary commands.
Ivanti researchers reported that patches will be released in waves on a staggered schedule: a patch for the authentication bypass vulnerability will be available Jan. 22; a patch for the command injection vulnerability is slated for Feb. 19. Mitigation is available from the vendor while the patches are being developed, and Ivanti researchers stress it's essential that customers take immediate action.
For assistance or help with questions, Ivanti is directing customers to its Success Portal to request a call or log a case. Instructions on how to apply the mitigation are available on the website.