Hackers exploit the latest Ivanti XXE vulnerability shortly after it’s patched

Ivanti customers face another round of emergency patching as the company addresses a new vulnerability in its Connect Secure and Policy Secure products. Within a day of Ivanti announcing fixes, security firms were reporting exploitation attempts in the wild, showing that threat actors moved on the flaw almost as soon as it was disclosed.

The vulnerability, tracked as CVE-2024-22024, is an XML external entity injection (XXE) flaw in the SAML component of specific versions of Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways. It allows an unauthenticated attacker to access restricted resources on the appliance and carries a CVSS score of 8.3 out of 10 (high).
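As an added illustration of the vulnerability class (this is not Ivanti's code, and it does not describe how CVE-2024-22024 itself is triggered): XXE only works when an XML parser honours a DOCTYPE carrying an entity declaration inside attacker-supplied XML. A SAML Response is exactly that kind of input, so a service provider can refuse any response that contains a DOCTYPE or ENTITY declaration before the parser ever sees it. The SAML documents, the `file:///placeholder` SYSTEM URI and all function names below are constructed for this example.

```python
"""Added illustration: rejecting DOCTYPE-bearing SAML responses before parsing.

Generic hardening for any SAML service provider, not Ivanti's code and not a
reproduction of CVE-2024-22024. XML external entity injection needs a DOCTYPE
with an entity declaration in attacker-controlled XML; a SAML Response is
attacker-controlled XML, so the cheapest defence is to refuse the whole
document if it carries a DOCTYPE, and only then hand it to the XML parser.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, benign SAML-shaped Response.
BENIGN_XML = b"""<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same shape carrying an external entity declaration,
# the construct every XXE payload relies on. The SYSTEM URI is a placeholder.
XXE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE samlp:Response [
  <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>&ext;</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# XML keywords are case-sensitive, but matching case-insensitively costs
# nothing and also catches sloppy variants a lenient parser might tolerate.
_DOCTYPE_OR_ENTITY = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeSamlDocument(ValueError):
    """Raised when a SAML Response is malformed or carries a DOCTYPE/ENTITY."""


def encode_for_post(xml_bytes: bytes) -> str:
    """Encode raw XML the way an IdP places it in the SAMLResponse POST field."""
    return base64.b64encode(xml_bytes).decode("ascii")


def has_doctype_or_entity(xml_bytes: bytes) -> bool:
    """True if the document declares a DOCTYPE or any entity (internal,
    external or parameter). A legitimate SAML Response never needs one."""
    return _DOCTYPE_OR_ENTITY.search(xml_bytes) is not None


def parse_saml_response(saml_response_b64: str) -> str:
    """Decode, screen and parse a SAMLResponse value; return its NameID.

    The screen runs on the raw bytes before any XML parsing, so the parser's
    own entity handling never becomes the deciding factor.
    """
    try:
        raw = base64.b64decode(saml_response_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise UnsafeSamlDocument(f"SAMLResponse is not valid base64: {exc}") from exc
    if has_doctype_or_entity(raw):
        raise UnsafeSamlDocument("SAMLResponse carries a DOCTYPE/ENTITY declaration")
    root = ET.fromstring(raw)
    name_id = root.find(".//saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        raise UnsafeSamlDocument("SAMLResponse has no NameID")
    return name_id.text


def is_rejected(saml_response_b64: str) -> bool:
    """Convenience wrapper: did the guard refuse this SAMLResponse value?"""
    try:
        parse_saml_response(saml_response_b64)
    except UnsafeSamlDocument:
        return True
    return False


if __name__ == "__main__":
    print("benign ->", parse_saml_response(encode_for_post(BENIGN_XML)))
    print("xxe    -> rejected:", is_rejected(encode_for_post(XXE_XML)))
```

The check deliberately runs on the decoded bytes rather than relying on a parser flag such as "disable external entities", because the rule is then the same for every parser library behind the endpoint and cannot be undone by a library upgrade that changes its defaults.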

Researchers at security firm watchTowr are credited with discovering and reporting the vulnerability, which they found while analyzing the patch for CVE-2024-21893, a server-side request forgery (SSRF) flaw in the same SAML component that Ivanti disclosed on January 31. Ivanti had itself discovered that SSRF flaw while investigating two earlier zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which were being exploited by a Chinese advanced persistent threat (APT) group.

In response to these attacks, Ivanti has released patches for the full set of vulnerabilities. Updates for the four previously known flaws (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, a privilege escalation issue, and CVE-2024-21893) were released on January 31 and February 1; updates for the new CVE-2024-22024 XXE flaw followed on February 8. Ivanti has stated that the February 8 updates supersede the earlier ones, and that customers who performed a factory reset of their appliances when applying the previous patches do not need to repeat it when applying the latest updates.

The company stressed that the factory reset was required to remove any implants or configuration changes attackers may have left behind while exploiting the earlier flaws, which is why customers who skipped it should still treat an unpatched appliance as potentially compromised rather than merely vulnerable.

The rapid publication of proof-of-concept exploit code for CVE-2024-22024, together with the reports of exploitation attempts in the wild, makes applying the February 8 updates an immediate priority for Ivanti customers. Organizations running these products should also follow Ivanti's accompanying mitigation guidance, since an unauthenticated flaw in an internet-facing VPN gateway gives attackers a direct path into the network.

The episode also shows why vendors need to keep revisiting code paths that have already produced vulnerabilities, as watchTowr's find came from scrutinizing a fix, and why customers should treat patch bulletins for the same component as a signal to patch promptly rather than to wait for the next one.
