The U.S. Cybersecurity and Infrastructure Security Agency has instructed federal agencies to disable their deployments of two Ivanti Inc. products that contain vulnerabilities.

In a directive issued on Wednesday, CISA stated that administrators must take the affected deployments offline by Saturday. Separately, Ivanti today released a patch for some versions of the vulnerable products. The patch joins an existing security update that is available for certain earlier editions of the same products.

Ivanti provides software for managing technology infrastructure that is used by more than 40,000 organizations worldwide. Its products help administrators create an inventory of the systems in their company’s network, detect technical issues and fix them. Ivanti also competes in certain adjacent segments, including the cybersecurity market.

The new CISA directive for federal agencies focuses on two of the company’s cybersecurity products: Connect Secure and Policy Secure. The former offering is a virtual private network, or VPN, tool that enables workers to log into business applications via encrypted connections. Policy Secure, in turn, is used by administrators to regulate which employee may access what system within the corporate network.

Last month, the software maker notified customers that the products are affected by two cybersecurity vulnerabilities. The first allows hackers to bypass the products’ authentication mechanism and log in. From there, they can use the second vulnerability to run malicious commands. 

Cybersecurity company Volexity LLC estimates that hackers have been using the flaws to target Ivanti customers since at least December. According to Volexity, at least 2,200 customer deployments have been compromised to date. It’s believed that more than 22,000 installations of the vulnerable products are currently connected to the web. 

On Wednesday, Ivanti alerted users that it had discovered two additional vulnerabilities in Connect Secure and Policy Secure. One is a privilege escalation flaw that allows hackers to gain administrative access. The other, which also affects a third cybersecurity tool called Ivanti Neurons for ZTA, makes it possible to bypass the products’ authentication mechanism.

CISA has instructed federal agencies to continue searching for potential breach indicators after they take their Connect Secure and Policy Secure deployments offline. According to the agency, administrators should look for signs of malicious activity on systems that are connected or were recently connected to the two products. Furthermore, CISA is advising federal agencies to monitor the authentication and identity management applications they use to process users’ login requests.

“CISA will continue efforts to identify instances and potential compromises associated with this threat activity, provide partner notifications, and will issue additional guidance and direction, as appropriate,” the directive elaborated. 

Officials have also released instructions for how to bring Connect Secure and Policy Secure deployments back online. According to CISA, agencies should perform a factory reset on their deployments and download Ivanti’s security patches before reconnecting them. Furthermore, administrators must change the associated login credentials. 

Image: Pixabay