CISA Urges Patching For ‘Critical’ Ivanti Vulnerability

The cybersecurity agency encouraged organizations to address the remote code execution (RCE) vulnerability in Ivanti Standalone Sentry.

CISA Thursday encouraged patching to address a critical-severity remote code execution (RCE) vulnerability in Ivanti Standalone Sentry.

The advisory — which also addressed a separate vulnerability in Ivanti Neurons for ITSM — came several weeks after CISA (the U.S. Cybersecurity and Infrastructure Security Agency) confirmed that two of its systems were compromised in February by hackers who exploited Ivanti VPN vulnerabilities.

In the advisory Thursday, CISA said that in connection with the two Ivanti flaws, “a cyber threat actor could exploit these vulnerabilities to take control of an affected system.”

“CISA encourages users and administrators to review the following Ivanti advisories and apply the necessary updates,” the agency said, referring to Ivanti advisories on the Standalone Sentry vulnerability (tracked as CVE-2023-41724) and the Ivanti Neurons for ITSM flaw (tracked as CVE-2023-46808).

Standalone Sentry was formerly known as MobileIron Sentry. Ivanti acquired MobileIron in 2020.

Using the RCE vulnerability impacting Standalone Sentry, “an unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network,” Ivanti said in its advisory initially released Monday and updated Thursday.

“We are not aware of any customers being exploited by this vulnerability at the time of disclosure,” the company said in the advisory.

The vulnerability — which has been awarded a “critical” severity score of 9.6 out of 10.0 — affects all supported versions of Standalone Sentry, Ivanti said. The flaw was discovered by researchers at the NATO Cyber Security Centre, BleepingComputer reported.

The disclosure also follows mass exploitation of three Ivanti Connect Secure VPN vulnerabilities since mid-January. The attacks prompted CISA to issue its first “emergency directive” of 2024 on Jan. 19. Then on Feb. 1, CISA ordered that federal civilian agencies take the extreme measure of temporarily disconnecting their Ivanti Connect Secure VPNs within 48 hours.

On Feb. 29, CISA warned organizations to “consider the significant risk” that may be posed by continuing to use widely exploited Ivanti VPNs.