US software giant Ivanti has confirmed that hackers are exploiting two critical-rated vulnerabilities affecting its widely used enterprise VPN appliance, but said patches will not be available until the end of the month.
Ivandi said the two vulnerabilities — tracked as CVE-2023-46805 and CVE-2024-21887 — found in the Ivanti Connect Secure software. Formerly known as Pulse Connect Secure, this is a VPN remote access solution that allows remote and mobile users to access corporate resources over the Internet.
Ivanti said it knows of “fewer than 10 customers” so far affected by the “zero day” vulnerabilities, described as such since Ivanti had zero time to fix the flaws before they were exploited by malicious people.
One of them was also a client of cybersecurity firm Volexity, which said detected suspicious activity on the customer’s network in the second week of December. Volexity found that hackers had combined the two Connect Secure vulnerabilities to achieve unauthenticated remote code execution, allowing hackers to “steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS device VPN”.
Volexity said it has evidence suggesting the customer’s VPN device may have been compromised as early as December 3, and has linked the attack to a Chinese-backed hacking group that goes by the name UTA0178.
While Ivanti — no stranger to zero days — says only a handful of its enterprise customers are affected, a security researcher Kevin Beaumont noted at Mastodon that “there will likely be many more casualties.” Beaumont, who has named the two vulnerabilities “ConnectAround,” published results from a scan showing about 15,000 affected Ivanti devices exposed to the internet worldwide.
In a suspension shared with TechCrunch on Thursday, Rapid7 researcher Caitlin Condon noted that the cybersecurity firm had observed scanning activity “targeting our honeypots impersonating Ivanti Connect Secure devices.”
Ivanti says patches for the two vulnerabilities will be rolled out on a staggered basis starting the week of January 22 and continuing through mid-February. When TechCrunch asked why the patches weren’t immediately available, Ivanti declined to comment. Ivanti also declined to say whether it is aware of any data breaches as a result of these attacks in nature, or whether it has attributed these attacks to any specific threat actor.
Ivanti urges potentially affected organizations to prioritize following its mitigation guidelines and and The US cybersecurity agency CISA also issued an advisory prompting Ivanti Connect Secure to immediately mitigate the two vulnerabilities.
However, as noted by Volexity, implementing these mitigation measures will not resolve past compromises.
