Ivanti Reports Exploitation Of Two Zero-Day VPN Flaws

The high-severity vulnerabilities impact Ivanti’s Connect Secure VPN and do not yet have a patch available.

Ivanti disclosed Wednesday that a pair of high-severity, zero-day vulnerabilities impacting its widely used Connect Secure VPN have seen exploitation by attackers.

The vulnerabilities can be used to enable unauthenticated remote execution of code on affected Connect Secure VPN devices, according to researchers at Volexity, which uncovered the flaws in December.

In a post Wednesday, Ivanti shared mitigation measures for the vulnerabilities, but said the first patches won’t be available until the week of Jan. 22.

The vulnerabilities can be used together by threat actors to target customers of its Connect Secure VPN, Ivanti said. When used in this way, “exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” the company said.

So far, “we are aware of less than 10 customers impacted by the vulnerabilities,” Ivanti said in the post Wednesday.

Ivanti, a provider of IT and security software, acquired the technology behind its Connect Secure VPN with the acquisition of Pulse Secure in 2020.

The authentication bypass vulnerability (tracked at CVE-2023-46805) has been awarded a severity score of 8.2 out of 10.0, while the command injection vulnerability (CVE-2024-21887) has been awarded a severity score of 9.1 out of 10.0.

The vulnerabilities “impact all supported versions” of Connect Secure, Ivanti said. The flaws also impact Ivanti’s Policy Secure gateway, the company said.

Patches will be released on a staggered schedule starting the week of Jan. 22 and running through mid-February, the company said.

CRN has reached out to Ivanti for any further comment.

Researchers at Volexity attributed the attacks against Connect Secure customers to a nation-state threat actor it tracks as UTA0178, which is believed to be working on behalf of China’s government.