Connect with us

Hi, what are you looking for?


Malware & Threats

After Delays, Ivanti Patches Zero-Days and Confirms New Exploit

Ivanti documents a brand-new zero-day and belatedly ships patches; Mandiant is reporting “broad exploitation activity.”

Ivanti zero-day

Enterprise IT software vendor Ivanti is calling urgent attention to two new high-severity vulnerabilities in its Connect Secure and Policy Secure VPN products, warning that one of the bugs was discovered during investigation of ongoing zero-day attacks.

The new alert comes on the same day Ivanti belatedly shipped patches for critical bugs being exploited by multiple hacking gangs and adds to the urgency for Ivanti customers to test and deploy available fixes.

After struggling to meet  its own patch delivery timeline, Ivanti on Wednesday started rolling out fixes on a staggered schedule and added documentation for two new security defects.

“As part of our ongoing investigation into CVE-2023-46805 and CVE-2024-21887 we have identified additional vulnerabilities in Ivanti Connect Secure Ivanti Policy Secure, and Ivanti Neurons for ZTA,” the company warned.

Ivanti said one of the flaws allows for privilege escalation while the second is a server-side request forgery in the SAML component that allows a threat actor to access certain restricted resources without authentication.

“We are aware of a limited number of customers impacted by CVE-2024-21887,” Ivanti said.

In all, Ivanti is documenting four separate issues:

CVE-2023-46805 — An authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. CVSS severity score 8.2/10. Confirmed exploited as zero-day.

Advertisement. Scroll to continue reading.

CVE-2024-21887 — A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet. CVSS 9.1/10. Exploitation confirmed.

CVE-2024-21888 — A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. CVSS 8.8/10.

CVE-2024-21893 — A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. CVSS severity score 8.2/10. Targeted exploitation confirmed.

Digital forensics firm Volexity first spotted exploitation of these issues three weeks ago and warned that a Chinese government-backed APT hacking team had built an exploit chain to break into US organizations.  

Ivanti said it was aware of “less than 20 customers” impacted by the vulnerabilities prior to public disclosure but declined to share additional victim details.

Malware hunters at Mandiant are reporting “broad exploitation activity” via automated methods and noted that hackers linked to China have been hitting these bugs as far back as December 3, 2023. SecurityWeek sources say cybercriminal groups have pounced on the public exposures to deploy cryptomers and backdoors.

The late availability of patches is also complicating deadlines set by the US government’s cybersecurity agency CISA for Federal Civilian Executive Branch (FCEB) agencies to apply available fixes, hunt for infections and share indicators of compromise.

The CISA emergency directive originally set a January 22 date for federal agencies to start deploying fixes and remove compromised products from networks.  The agency also instructed infected organizations to file a report with CISA with an inventory of infected devices and details on actions taken. 

Ivanti, a company that has struggled with major security problems, features prominently in the CISA KEV (Known Exploited Vulnerabilities) catalog.

Related: Ivanti Struggles to Hit Zero-Day Patch Release Timeline

Related: CISA Issues Emergency Directive on Ivanti VPN Zero-Days

Related: Volexity Catches Chinese Hackers Exploiting Ivanti VPN Zero-Days

Related: Exploitation of Ivanti Sentry Zero-Day Confirmed

Related: Critical Vulnerability Haunts Ivanti Endpoint Manager

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.