It seems Ivanti can’t catch a break, because shortly after discovering and fixing two major flaws that were being exploited in the wild, a third emerged.
Like the previous two, this new threat also affects Ivanti’s Connect Secure and Policy Secure VPN products.
It is tracked as CVE-2024-21893 and is described as a server-side request forgery. Ivanti published the finding of the flaw in late January this year, along with another vulnerability that has not yet attracted the attention of the hacking community.
A rocky start to the year
The company released a patch at the time and said it was not aware of any mass abuse. “We are currently aware of only a small number of customers affected by CVE-2024-21893,” the company said in the advisory.
However, citing data from Shadowserver, ArsTechnica reported that exploitation of this flaw has “grown” to exceed that of CVE-2023-46805 and CVE-2024-21887, the two flaws that hackers previously targeted.
It’s been a rough start to 2024 for Ivanti after it recently discovered two serious flaws that were being exploited in the wild.
It initially released mitigations for the flaws, and later released a patch, but shortly after publishing the findings, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) warned users about hackers actively abusing the flaws and even advised government agencies to disconnect their Ivanti VPNs from their networks until they can completely rebuild them with the patch installed.
The first two flaws were exploited by Chinese state-sponsored threat actors, the researchers said at the time. For the latest vulnerability, there’s still no word on who the perpetrators are, but it’s safe to assume they’re the same people. Additionally, endpoints protected against the first two flaws are vulnerable to the third unless they apply the separately published patch.
While Rapid7 researchers published a Proof-of-Concept (PoC) late last week, it appears that this did not play a significant role as researchers saw active exploitation hours earlier.