Two zero-days in Ivanti products actively exploited by threat actor

/in


Researchers suspect an espionage-focused threat group linked to China is behind the exploitation of a pair of newly discovered zero-day bugs in Ivanti VPN appliances.

Meanwhile, Volexity disclosed in a Dec. 10 blog its researchers uncovered an exploit chain the threat actor used after detecting suspicious lateral movement on the network of one of its customers. Ivanti confirmed the authentication bypass and command injection vulnerabilities on its website.

The vulnerabilities are an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) bug affecting fully-patched Ivanti Connect Secure (formerly known as Pulse Connect Secure) and Policy Secure appliances.

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system, Ivanti said in a Jan. 10 advisory.

CVE-2023-46805 has an 8.2 CVSS rating and is described as an authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure that “allows a remote attacker to access restricted resources by bypassing control check.”

The second bug, CVE-2024-21887, has a 9.1 CVSS rating and is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that “allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. 

In the wild exploitation

In-the-wild exploitation of the bugs was observed by researchers at Volexity who said in a post that while they could not identify the group responsible, they believed it was a Chinese nation-state-level threat actor.

Ivanti said it had created a mitigation to be applied to the gateways as an initial response while patches for the bug were developed. Patches would be released in a staggered schedule beginning the week of January 22.

“We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected,” the vendor said.

“We are aware of less than 10…

Source…