Ivanti warned Wednesday that hackers are exploiting another previously unknown zero-day vulnerability affecting its widely used enterprise VPN device.
Since early December, Chinese state-sponsored hackers have been exploiting the Ivanti Connect Secure flaws — tracked as CVE-2023-46805 and CVE-2024-21887 — to break into customer networks and steal information.
Ivandi is now a warning that it discovered two additional flaws — tracking CVE-2024-21888 and CVE-2024-21893 — affecting the Connect Secure VPN product. The first is described as a privilege escalation vulnerability, while the second – known as a zero-day because Ivanti didn’t have time to fix the bug before hackers started exploiting it – is a server bug that allows an attacker to access certain restricted resources without checking identity.
In its updated disclosure, Ivanti said it observed “targeted” server-side exploitation of the bug. Germany’s Federal Information Security Agency, known as BSI, said translated consultation on Wednesday that he has knowledge of “multiple compromised systems”.
The BSI added that the newly discovered vulnerabilities, particularly the server-side bug, “put all previously mitigated systems at risk again”. Ivandi confirmed that he expects a “exploitation spike” once the details of the vulnerability are made public.
Ivanti has not attributed these intrusions to a specific threat group. Cybersecurity firms Volexity and Mandiant previously attributed the exploitation of Connect Secure’s initial round of bugs to a Chinese government-backed hacking group motivated by espionage. Volexity also said it had noticed additional hacking groups actively exploiting the bugs.
Ivanti updated the number of affected customers to “fewer than 20”. When reached by TechCrunch on Wednesday, Kareena Garg, a spokeswoman for the company representing Ivanti, would not say how many customers are affected by the new vulnerabilities.
However, Volexity said earlier this month that at least 1,700 Ivanti Connect Secure devices worldwide had taken advantage of the first round of flaws, which affected organizations in the aerospace, banking, defense, government and telecommunications industries, although the number was likely to be much higher.
This is especially true in light of a CISA consulting released on Tuesday, which warned that attackers had bypassed workarounds for current mitigations and detection methods.
Ivanti’s disclosure of the new zero-day comes on the same day that the company released a patch to protect against the previously disclosed – and then widely exploited – Connect Secure vulnerabilities, albeit a week later than it had originally designed by the company. Spokesman Ivanti Garg told TechCrunch that the patches also protect against the two new vulnerabilities disclosed on Wednesday.
It’s unclear if the patch is available to all Ivanti Connect Secure users, as the company previously said it planned to roll out the patch on an “incremental” basis starting January 22. Ivanti now advises that customers “factory reset their device before applying the patch to prevent the threat agent from gaining upgrade persistence in your environment.”
