[CVSS 9+] Critical Zero-day Vulnerabilities in Ivanti VPN

Executive Summary

Ivanti, a major U.S. software company, has confirmed two critical zero-day vulnerabilities in its VPN appliance, Ivanti Connect Secure. In addition, the U.S. cybersecurity agency CISA has issued an alert and added both Ivanti zero-day vulnerabilities to its Known Exploited Vulnerabilities Catalog.

These actively exploited vulnerabilities pose significant risks to corporate VPN infrastructure.

Although there are currently no patches available, Ivanti shared workarounds and strongly advises organisations to apply them promptly and monitor for future patches.

Ivanti Zero-Day 1: CVE-2024-21887

CVE-2024-21887 is a command injection vulnerability in Ivanti Connect Secure. It has a CVSS score of 9.1.

This flaw affects all supported versions (9.x and 22.x) of Connect Secure and Policy Secure gateways.

If exploited, it allows unauthenticated remote code execution, which can lead to a full compromise of the VPN appliance.
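To make the vulnerability class concrete for readers who have not met it before, here is a generic illustration of command injection and its fix. This is an added example and not Ivanti's code; it says nothing about how CVE-2024-21887 itself works, and the handler, host-name allow-list and input value are all constructed for the demonstration. It uses `echo` rather than a network tool so it runs harmlessly offline.

```python
"""Command injection (the class of flaw behind CVE-2024-21887), shown generically.

Hypothetical scenario (constructed, not Ivanti's code): a web handler takes a
host name from the client and runs a command-line tool against it.
"""
import re
import subprocess

# Allow-list for a host name: letters, digits, dots and hyphens only.
# Shell metacharacters such as ';', '|', '&', '$' and backticks never match.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

# Constructed attacker-style input: a valid-looking address followed by a
# second command. The TEST-NET address is reserved for documentation.
CONSTRUCTED_INPUT = "203.0.113.10; echo INJECTED"


def is_valid_host(host: str) -> bool:
    """Return True only if the whole value matches the allow-list."""
    return HOST_RE.fullmatch(host) is not None


def run_unsafe(host: str) -> list[str]:
    """VULNERABLE pattern: the client value is interpolated into a shell string.

    With shell=True, /bin/sh parses the line, so the ';' in CONSTRUCTED_INPUT
    terminates the intended command and the attacker's 'echo INJECTED' runs
    as a second command. Returns the output lines so the effect is visible.
    """
    proc = subprocess.run(
        f"echo {host}", shell=True, capture_output=True, text=True, check=False
    )
    return proc.stdout.splitlines()


def run_hardened(host: str) -> list[str]:
    """HARDENED pattern: validate against the allow-list, then avoid the shell.

    The command is passed as an argv list, so even if validation were skipped
    the value would reach the tool as one literal argument; the allow-list
    rejects anything that is not a plausible host name before that point.
    """
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    proc = subprocess.run(
        ["echo", host], shell=False, capture_output=True, text=True, check=False
    )
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("unsafe   :", run_unsafe(CONSTRUCTED_INPUT))      # two lines: the address, then INJECTED
    print("validated:", is_valid_host(CONSTRUCTED_INPUT))   # False
    print("hardened :", run_hardened("vpn.example.com"))    # ['vpn.example.com']
```

The two defensive changes are independent and both matter: the allow-list stops hostile values at the boundary, and the argv form removes the shell parser that turns data into commands. Reviewers auditing their own code for this class should look for any string-built command line (`shell=True`, `os.system`, `popen` and their equivalents in other languages) that includes request-controlled data.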

Ivanti Zero-Day 2: CVE-2023-46805

CVE-2023-46805 is an authentication bypass vulnerability in Ivanti Connect Secure. It has a CVSS score of 8.2.

This vulnerability affects all supported versions (9.x and 22.x) of Connect Secure and Policy Secure gateways.

If exploited, it allows cyber threat actors to gain control of the affected systems.

Ivanti’s Response

Ivanti has responded to these zero-day vulnerabilities by planning to release patches on a staggered basis starting the week of January 22 through mid-February.

In the meantime, Ivanti has shared a security update that includes a workaround and urged organisations to follow its detailed instructions. Ivanti says this response reflects reports that fewer than 10 customers have been impacted so far, and it highlights that there was little time to fix the flaws before they were exploited.


Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.