Information technology security software company Ivanti Inc. is warning customers about two vulnerabilities in all versions of Ivanti Connect Secure and Ivanti Policy Secure Gateways that are being actively exploited by hackers.

The vulnerabilities were first identified by cybersecurity firm Volexity Inc. in the second week of December when the company detected suspicious lateral movement on the network of one of its Network Security Monitoring service customers. Upon close inspection, Volexity found an attacker was placing web shells, which can allow hackers remote access, on multiple internal and external-facing web servers.

Subsequent investigation tracked the movement back to an internet-facing Ivanti Connect Secure VPN appliance. An inspection of the ICS VPN appliance found that its logs had been wiped and logging had been disabled. An analysis of historical network traffic from the device also revealed suspect outbound and inbound communication from its management IP address from as early as Dec. 3.

Knowing where the hackers gained access led to discovering two different zero-day exploits, which were being chained together to achieve unauthenticated remote code execution. A zero-day vulnerability is a software security flaw that is previously unknown and in this case, the zero days were being used in tandem — chained — to gain access.

The two vulnerabilities being exploited are designated CVE-2023-46805, an authentication-bypass vulnerability with a Common Vulnerability Scoring System score of 8.2, and CVE-2024-21887, a command-injection vulnerability found in multiple web components with a CVSS score of 9.1. “When combined, these two vulnerabilities make it trivial for attackers to run commands on the system,” Volexity notes.

Ivanti is advising Connect Secure and Policy Secure Gateway users to apply a workaround to safeguard against potential threats. The workarounds include employing network segmentation and access controls to limit the exposure of the Connect Secure appliances to the internet and monitoring web server logs for any unusual activity that could indicate an attack or compromise.

The company is working on deploying patches to address the vulnerabilities. Patches will be released in a staggered schedule, with the first version targeted to be available to customers the week of Jan. 22 and a final version targeted to be available the week of Feb. 19.

“As is often the case, this pair of vulnerabilities requires exploitation of an authentication bypass followed by a ‘something else’ to do nefarious things,” Mehran Farimani, chief executive officer of vulnerability management company RapidFort Inc., told SiliconANGLE. “In this case, the second vulnerability is a command injection, allowing the attacker to execute arbitrary commands — read, ‘Run any software I can get my hands on’ — on behalf of the breached user.”

Farmani added that he has “high confidence” that the software components were not required by the application. “Keeping your applications clean of unused components is the best defense against these zero-day vulnerabilities, limiting the blast radius and severely crippling the ability of the attacker to move around,” he said.

Image: Ivanti