Longterm Wiki

Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways (AA24-060B)

web

Credibility Rating

4/5, High (4)

High quality. Established institution or organization with editorial oversight and accountability.

Rating inherited from publication venue: CISA

This CISA advisory details active exploitation of Ivanti VPN vulnerabilities by sophisticated threat actors, relevant to AI safety infrastructure security as AI systems increasingly depend on secure network infrastructure and VPN gateways that could be compromised.

Metadata

Importance: 22/100 | Tags: guidance document, primary source

Summary

CISA and international partners warn that threat actors are actively exploiting multiple CVEs in Ivanti Connect Secure and Policy Secure gateways, enabling authentication bypass and arbitrary command execution. Critically, the internal Integrity Checker Tool fails to detect compromise, and attackers can achieve root-level persistence even after factory resets. Organizations are advised to assume credentials are compromised and treat affected devices as potentially fully controlled by adversaries.

Key Points

  • Three CVEs (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893) are being chained to bypass authentication and execute arbitrary commands with elevated privileges.
  • Ivanti's internal and external Integrity Checker Tool (ICT) fails to detect compromise, giving defenders a false sense of security.
  • Threat actors can maintain root-level persistence even after factory resets of affected appliances.
  • All supported versions (9.x and 22.x) of Ivanti Connect Secure and Policy Secure are affected.
  • Recommended mitigations: assume credentials compromised, limit outbound connections, apply patches, and treat devices as potentially fully controlled by adversaries.

1 FactBase fact citing this source

Entity                   | Property      | Value    | As Of
Change Healthcare (2024) | Incident Date | Feb 2024 | Feb 2024

Cached Content Preview

HTTP 200 | Fetched Apr 27, 2026 | 40 KB
Cybersecurity Advisory

Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways

Release Date: February 29, 2024

Alert Code: AA24-060B

Related topics: Cyber Threats and Response, Incident Response, Securing Networks

Actions to take today to mitigate cyber threats against Ivanti appliances:

  • Limit outbound internet connections from SSL VPN appliances to restrict access to required services.
  • Keep all operating systems and firmware up to date.
  • Limit SSL VPN connections to unprivileged accounts.

SUMMARY

 The Cybersecurity and Infrastructure Security Agency (CISA) and the following partners (hereafter referred to as the authoring organizations) are releasing this joint Cybersecurity Advisory to warn that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. CISA and authoring organizations appreciate the cooperation of Volexity, Ivanti, Mandiant and other industry partners in the development of this advisory and ongoing incident response activities. Authoring organizations:

  • Federal Bureau of Investigation (FBI)
  • Multi-State Information Sharing & Analysis Center (MS-ISAC)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • United Kingdom National Cyber Security Centre (NCSC-UK)
  • Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • CERT-New Zealand (CERT NZ)
 Of particular concern, the authoring organizations and industry partners have determined that cyber threat actors are able to deceive Ivanti’s internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise.

Cyber threat actors are actively exploiting multiple previously identified vulnerabilities—CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893—affecting Ivanti Connect Secure and Ivanti Policy Secure gateways. The vulnerabilities impact all supported versions (9.x and 22.x) and can be used in a chain of exploits to enable malicious cyber threat actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.

 During multiple incident response engagements associated with this activity, CISA identified that Ivanti’s internal and previous external ICT failed to detect compromise. In addition, CISA has conducted independent research in a lab environment validating that the Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able to gain root-level persistence despite issuing factory resets.

 The authoring organizations encourage network defenders to (1) assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised, (2) hunt for malicious activity on t

... (truncated, 40 KB total)
Resource ID: 21120ca30b2425e1 | Stable ID: sid_rUXhmFKFFA