TechRadar
Sead Fadilpašić

CISA is now warning government agencies to patch Ivanti flaws immediately

Zero-day attack.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning government agencies to patch recently discovered Ivanti flaws immediately, as they’re being used in the wild to compromise vulnerable endpoints. 

CISA’s alert warns Federal Civilian Executive Branch (FCEB) agencies of two flaws: CVE-2023-46805 (authentication bypass), and CVE-2024-21887 (code injection). 

The vulnerabilities were found in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS), and allow threat actors to run arbitrary commands on the endpoints. 

Thousands of victims

Since January 11 this year, a “sharp increase” in attacks has been observed, CISA warned. Government agencies do not appear to be the exclusive targets, though, as researchers have observed organizations being targeted indiscriminately. Both small businesses and some of the world’s largest organizations, operating in industries including aerospace, banking, defense, and government, have fallen prey so far.

"Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems," the agency said.

Ivanti has yet to release a patch for the flaws, it was said. In the meantime, it has released mitigation measures, which involve importing an XML file into affected products to apply the necessary configuration changes.

Furthermore, CISA said businesses should first run the External Integrity Checker Tool to see whether their endpoints have been compromised. If any signs of foul play are found, the devices need to be disconnected, reset, and then have the XML file imported. FCEB agencies also need to revoke and reissue certificates, reset admin credentials, store API keys, and reset local user passwords.

The zero-days were first spotted being abused in December last year by a Chinese state-sponsored threat actor tracked as UTA0178. Since then, the group has successfully breached more than 2,000 devices all over the world, and has used that access to install passive backdoors and deploy web shells.

Via TheHackerNews
