Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Ivanti warns Connect Secure zero-days exploited by hackers

X.

Ivanti is warning of hackers abusing two newly discovered vulnerabilities to take over vulnerable gateways.

Cybersecurity researchers from Mandiant and Volexity recently discovered two zero-day flaws: CVE-2023-46805 (authentication bypass), and CVE-2024-21887 (command injection vulnerability). 

These two flaws allow malicious unauthenticated individuals to run arbitrary commands on vulnerable endpoints via specially crafted requests, especially when chained together.

Remote access tools under assault

"If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system," Ivanti said.

At the moment, a patch isn’t available, but is in the works. In the meantime, the company is providing a method of mitigation. “It is critical that you immediately take action to ensure you are fully protected,” the company reiterated. "We are providing mitigation now while the patch is in development to prioritize the best interest of our customers.

According to Ivanti, the patches will be available in the coming weeks, "the first version targeted to be available to customers the week of 22 January and the final version targeted to be available the week of 19 February." Until then, users are advised to import mitigation.release.20240107.1.xml file, which can be found on the company’s download portal.

The company also said that there is evidence of the two vulnerabilities being used in the wild to attack some customers. 

"We are aware of less than 10 customers impacted by the vulnerabilities. We are unable to discuss the specifics of our customers," it was said in the security advisory. "We have seen evidence of threat actors attempting to manipulate Ivanti's internal integrity checker (ICT). Out of an abundance of caution, we are recommending that all customers run the external ICT.”

Volexity experts believe the attackers are of Chinese origin and that they are state-sponsored.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.