Alert: Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation

News

Jan 31, 2024NewsroomVulnerability / Zero Day

Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild.

The list of vulnerabilities is as follows –

  • CVE-2024-21888 (CVSS score: 8.8) – A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator
  • CVE-2024-21893 (CVSS score: 8.2) – A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication

The Utah-based software company said it found no evidence of customers being impacted by CVE-2024-21888 so far, but acknowledged “the exploitation of CVE-2024-21893 appears to be targeted.”

Cybersecurity

It further noted that it “expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public.”

In tandem to the public disclosure of the two new vulnerabilities, Ivanti has released fixes for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and ZTA version 22.6R1.3.

“Out of an abundance of caution, we are recommending as a best practice that customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment,” it said. “Customers should expect this process to take 3-4 hours.”

As temporary workarounds to address CVE-2024-21888 and CVE-2024-21893, users are recommended to import the “mitigation.release.20240126.5.xml” file.

The latest development comes as two other flaws in the same product – CVE-2023-46805 and CVE-2024-21887 – have come under broad exploitation by multiple threat actors to deploy backdoors, cryptocurrency miners, and a Rust-based loader called KrustyLoader.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

US Organizations Still Using Kaspersky Products Despite Ban
HubPhish Exploits HubSpot Tools to Target 20,000 European Users for Credential Theft
Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware
Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware
Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques

Leave a Reply

Your email address will not be published. Required fields are marked *