Connect with us

Hi, what are you looking for?



Ivanti EPMM Vulnerability Targeted in Attacks as Exploitation of VPN Flaws Increases

The number of Ivanti VPN appliances compromised through exploitation of recent flaws increases and another vulnerability is added to exploited list.

Ivanti zero-day

The number of Ivanti Connect Secure VPN appliances compromised through the exploitation of two recently disclosed vulnerabilities is increasing, and the US security agency CISA warns that another Ivanti product flaw is being exploited.

Threat intelligence and incident response firm Volexity reported on January 10 that a cyberespionage group linked to China (UTA0178) had been spotted exploiting two Ivanti VPN zero-day vulnerabilities to gain access to internal networks.

The vulnerabilities are an authentication bypass flaw (CVE-2023-46805) and a command injection flaw (CVE-2024-21887). The vulnerabilities can be chained by a remote, unauthenticated attacker to execute arbitrary commands on the targeted Ivanti VPN appliance. 

Ivanti has released mitigations, but patches are only expected to become available starting next week.

While the first attacks appeared highly targeted, widespread exploitation started soon after their existence came to light. Volexity’s initial scans saw 1,700 compromised devices, but the company reported on Thursday that the number had increased to more than 2,100. 

The hacked appliances belong to government, military, defense, telecoms, tech, financial, consulting, engineering, aerospace and aviation organizations, including Fortune 500 companies, mostly located in the United States and Europe. 

Attacks are being launched by an increasing number of threat groups, including profit-driven cybercriminals, who are using the vulnerabilities to deploy malware and cryptocurrency miners.

Evidence uncovered during the initial analysis of the Chinese threat group’s campaign suggested that the hackers had taken steps to maintain access to high-value systems even after the release of patches by Ivanti.  

Advertisement. Scroll to continue reading.

In addition, Volexity has now seen attempts by the threat actor to bypass the Integrity Checker Tool shipped by Ivanti with its products. The tool helps ensure that no changes have been made to the system, but the attackers are making modifications that cause it to always report that no issues have been detected. 

Also on Thursday, CISA added CVE-2023-35082, an authentication bypass bug affecting Ivanti’s Endpoint Manager Mobile (EPMM) product, to its known exploited vulnerabilities catalog.

CVE-2023-35082 came to light in August 2023, being described as a bypass of the fix for CVE-2023-35078, an EPMM vulnerability that was exploited as a zero-day in April 2023 in attacks aimed at the Norwegian government. 

There do not appear to be any reports describing attacks that involve exploitation of CVE-2023-35082.

Related: Second Ivanti EPMM Zero-Day Vulnerability Exploited in Targeted Attacks

Related: Exploitation of Ivanti Sentry Zero-Day Confirmed 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.