An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 is currently under mass exploitation by multiple attackers.
Ivanti first warned about the flaw in the gateway’s SAML components on January 31, 2024, giving it a zero-day status for limited active exploitation, impacting a small number of customers.
Exploitation of CVE-2024-21893 allowed attackers to bypass authentication and access restricted resources on vulnerable devices (versions 9.x and 22.x).
Threat monitoring service Shadowserver is now seeing multiple attackers leveraging the SSRF bug, with 170 distinct IP addresses attempting to exploit the flaw.
The exploitation volume of this particular vulnerability is far greater than that of other recently fixed or mitigated Ivanti flaws, indicating a clear shift in the attackers’ focus.
Although the proof-of-concept (PoC) exploit released by Rapid7 researchers on February 2, 2024, has undoubtedly played a role in assisting attacks, Shadowserver notes that they saw attackers using similar methods hours prior to the publication of the Rapid7 report.
This means that hackers had already figured out how to leverage CVE-2024-21893 for unrestricted, unauthenticated access to vulnerable Ivanti endpoints.
According to ShadowServer, there are currently almost 22,500 Ivanti Connect Secure devices exposed on the Internet. However, it is unknown how many are vulnerable to this particular vulnerability.
A security mess
The disclosure of CVE-2024-21893 came along with the release of security updates for two other zero-days impacting the same products, CVE-2023-46805 and CVE-2024-21887, which Ivanti first discovered on January 10, 2024, sharing temporary mitigations.
These two flaws were found to be exploited by Chinese espionage threat group UTA0178/UNC5221 to install webshells and backdoors on breached devices. Infections from this campaign peaked at around 1,700 in mid-January.
Despite initial mitigations, attackers bypassed defenses, compromising even the device’s configuration files, leading Ivanti to postpone its firmware patches, scheduled for January 22, to address the sophisticated threat.
Due to the situation with active exploitation of multiple critical zero-day vulnerabilities, lack of effective mitigations, and lack of security updates for some of the impacted product versions, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has ordered federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances.
Only devices that have been factory reset and upgraded to the latest firmware version should be reconnected to the network. However, older versions that remain impacted are still without a patch.
This instruction extends to private organizations, although it is not mandatory. Therefore, companies should seriously consider the security status of their Ivanti deployments and the trust of their environment in general.