Critical Vulnerabilities in Ivanti Exploited in-the-Wild: everything you need to know

Ivanti has issued a high-severity advisory for multiple vulnerabilities affecting its Connect Secure and Policy Secure products, including an authentication bypass flaw (CVE-2024-22024) that is currently being exploited in the wild. Customers are urged to apply patches immediately to mitigate risks. #CyberSecurity #VulnerabilityManagement #Ivanti

Key points:

  • Ivanti released an advisory on February 8, 2024, for CVE-2024-22024, an authentication bypass vulnerability.
  • The vulnerability affects Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and ZTA gateways.
  • Customers are advised to urgently patch to fixed versions as the vulnerability is being exploited in-the-wild.
  • On January 10, 2024, Ivanti disclosed two additional vulnerabilities (CVE-2023-46805 and CVE-2024-21887) enabling unauthenticated remote code execution.
  • Two more vulnerabilities (CVE-2024-21888 and CVE-2024-21893) were disclosed on January 31, 2024, affecting both Connect Secure and Policy Secure.
  • CISA has mandated that US federal agencies disconnect affected products from their networks and undertake immediate threat hunting.
  • Wiz customers can utilize the Wiz Threat Center to identify vulnerable instances in their environment.

MITRE Techniques:

  • Authentication Bypass (CVE-2024-22024) – Exploited via the SAML component, allowing access to restricted resources without authentication.
  • Remote Code Execution (CVE-2023-46805) – Enables unauthenticated remote code execution through web components.
  • Command Injection (CVE-2024-21887) – Allows an authenticated administrator to execute arbitrary commands on the appliance.
  • Privilege Escalation (CVE-2024-21888) – Users can gain administrator-level privileges through a flaw in the web component.
  • Server-Side Request Forgery (CVE-2024-21893) – Enables access to restricted resources without authentication via the SAML component.

Indicators of Compromise:

  • Check the article for all found IoCs.

Full Research: https://www.wiz.io/blog/ivanti-vulnerabilities-cve-2023-46805-cve-2024-21887-cve-2024-21888-and-cve-2024-21893