Ivanti Rolls Out First Patch For VPN Flaws, Discloses New Zero Days

The company says the newly released patch will address the two previously announced Connect Secure vulnerabilities as well as two additional flaws.

Ivanti released the first patch for a pair of widely exploited VPN vulnerabilities Wednesday while also disclosing two additional zero-day flaws affecting its Connect Secure devices.

An Ivanti spokesperson told CRN that the patch addresses both sets of vulnerabilities.

The initial patch for multiple versions of Ivanti Connect Secure was originally planned for release last week but had been delayed.

“The patches released on January 31 cover the majority of our customers,” Ivanti said in a statement Wednesday.

The newly disclosed flaws are a privilege escalation vulnerability (tracked as CVE-2024-21888), which has yet to be exploited, and a server-side request forgery vulnerability (tracked as CVE-2024-21893), which has seen a “small number of customers” impacted so far, Ivanti said.

The release of the fixes by Ivanti comes a day after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that the original Connect Secure vulnerabilities, first disclosed Jan. 10, continue to be exploited by attackers. Threat actors, in fact, have now figured out a way to bypass Ivanti’s previously released mitigations, CISA said.

“Some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection,” the agency said Tuesday.

‘Mass Exploitation’

Earlier this month, researchers at Volexity reported that “mass exploitation” of the Ivanti Connect Secure vulnerabilities was underway, prompting CISA to release its first emergency directive of 2024.

Victims of the Ivanti VPN attacks are “globally distributed and vary greatly in size,” wrote the Volexity researchers, who first discovered the flaws in December, in a previous post.

More than 2,100 Ivanti Connect Secure VPN devices have been compromised in the attacks, according to the latest update from Volexity, published Jan. 18.

Remaining patches for supported Connect Secure versions will be released on a staggered schedule, Ivanti said Wednesday.

Ivanti noted that it has provided a new mitigation for the vulnerabilities while additional patch versions are under development.