Ivanti Discloses Fifth Major VPN Vulnerability In A Month

The disclosure of the new high-severity Connect Secure bug comes as three recently discovered Ivanti VPN vulnerabilities are now under mass exploitation.

Ivanti published details Thursday on a new, high-severity flaw that impacts its Connect Secure VPN devices — the fifth such vulnerability disclosed over the past month.

The disclosure comes as three of the recently discovered vulnerabilities affecting Ivanti’s VPN devices are now under mass exploitation, according to researchers.


The newest vulnerability, tracked as CVE-2024-22024, impacts “a limited number of supported versions” of Connect Secure, Policy Secure and ZTA (zero trust access) gateways, Ivanti said in its advisory Thursday. The bug can be used by a malicious actor to bypass authentication and “access certain restricted resources,” the company said.

The flaw has a “high” severity rating, with a score of 8.3 out of 10.0, and was discovered during the vendor’s internal review and code-testing process, according to Ivanti.

Thus far, “we have no evidence of this vulnerability being exploited in the wild,” Ivanti said in the advisory.

Three Vulnerabilities Exploited

The disclosure comes after threat tracker Shadowserver said this week that it has seen widespread exploitation of a server-side request forgery vulnerability, tracked as CVE-2024-21893, which was recently found to impact Connect Secure devices.

Shadowserver researchers said Sunday that they had observed 170 unique IP addresses attempting to exploit the vulnerability in attacks, and told TechCrunch Thursday that the attacks are now coming from 630 different IPs.

That vulnerability — first disclosed Jan. 31 — became the third Connect Secure flaw to see mass exploitation by attackers. The two initially disclosed Connect Secure vulnerabilities, which were revealed Jan. 10, began seeing mass exploitation as of Jan. 16, according to researchers at cybersecurity firm Volexity.

The original vulnerabilities are an authentication bypass vulnerability (tracked as CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887). The two can be chained by threat actors to target customers of Ivanti’s Connect Secure VPN, the company has said.

When used in this way, “exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” the company said.

The vulnerabilities “impact all supported versions” of Connect Secure, according to Ivanti. The flaws also impact Ivanti’s Policy Secure gateway.

The two original Ivanti VPN vulnerabilities have seen “broad exploitation activity” by a China-linked threat group tracked as UNC5221, as well as “other uncategorized threat groups,” researchers at Mandiant reported previously.

The attacks by UNC5221 — a “suspected China-nexus espionage threat actor” — go back as far as Dec. 3, the researchers at Google Cloud-owned Mandiant said.

Patches And Mitigations

Ivanti released the first patch for the original VPN vulnerabilities on Jan. 31, and has also shared mitigations for all five of the Connect Secure flaws disclosed since Jan. 10.

For the newly revealed authentication bypass flaw, a mitigation released by Ivanti on Jan. 31 “is effective at blocking this vulnerable endpoint and is available now via the standard download portal,” the company said in its advisory Thursday.

The mass exploitation of Connect Secure vulnerabilities prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue its first “emergency directive” of 2024 on Jan. 19. Subsequently, on Feb. 1, CISA ordered that federal civilian agencies take the extreme measure of disconnecting their Ivanti Connect Secure VPNs within 48 hours.

Ivanti, a provider of IT and security software, acquired the technology behind its Connect Secure VPN with the acquisition of Pulse Secure in 2020.