Hackers have begun mass exploiting a third vulnerability affecting Ivanti’s widely used enterprise VPN appliance, new public data shows.
Last week, Ivanti said it had discovered two new security flaws — identified as CVE-2024-21888 and CVE-2024-21893 — affecting Connect Secure, its remote access VPN solution used by thousands of companies and large organizations worldwide. According to its website, Ivanti has more than 40,000 customers, including universities, healthcare organizations and banks, whose technology allows their employees to connect from outside the office.
The disclosure came shortly after Ivanti confirmed two earlier bugs in Connect Secure, tracked as CVE-2023-46805 and CVE-2024-21887, which security researchers said Chinese-backed hackers had been exploiting since December to break into customer networks and steal information.
Now data shows that one of the newly discovered flaws – CVE-2024-21893, a server-side request forgery flaw – is being widely exploited.
Although Ivanti has since patched the vulnerabilities, security researchers expect a greater impact on organizations as more hacking groups exploit the flaw. Steven Adair, founder of Volexity, a security firm that tracks the exploitation of Ivanti’s vulnerabilities, warned that now that proof-of-concept exploit code is public, “any unpatched devices that are accessible over the Internet have probably been compromised a lot of times over.”
Piotr Kijewski, CEO of the Shadowserver Foundation, a nonprofit organization that scans and monitors the Internet for exploits, told TechCrunch on Thursday that the organization has observed more than 630 unique IPs attempting to exploit the server flaw, which allows attackers to gain access to data on vulnerable devices.
This is a sharp increase compared to last week, when Shadowserver said it had observed 170 unique IPs trying to exploit the vulnerability.
One analysis of the new flaw shows that it can be exploited to bypass Ivanti’s initial mitigation for the first exploit chain, the one involving the first two vulnerabilities, effectively defeating those pre-patch mitigations.
Kijewski added that Shadowserver is currently seeing about 20,800 Ivanti Connect Secure devices exposed online, compared with 22,500 last week, though he noted that it’s not known how many of those Ivanti devices are vulnerable to the exploit.
It’s unclear who is behind the mass exploitation, but security researchers attributed the exploitation of the first two Connect Secure bugs to a Chinese government-backed hacking group likely motivated by espionage.
Ivanti previously said it was aware of “targeted” exploitation of the bug against a “limited number of customers.” Despite repeated requests from TechCrunch this week, Ivanti did not comment on reports that the flaw is being widely exploited, but it did not dispute Shadowserver’s findings.
Ivanti began rolling out patches to customers for all of the vulnerabilities, alongside a second set of mitigation measures, earlier this month. However, Ivanti notes in its security advisory — last updated on February 2 — that it “releases patches for the largest number of installations first, then continues in descending order.”
It is not known when Ivanti will make the patches available to all of its potentially vulnerable customers.
Reports of mass exploitation of another Ivanti flaw come days after the US cybersecurity agency CISA ordered federal agencies to urgently disconnect all Ivanti VPN devices. According to the agency’s warning, CISA gave organizations just two days to disconnect the devices, citing the “serious threat” from the vulnerabilities being actively attacked.