The Shadowserver Foundation reports that a zero-day vulnerability, CVE-2024-21893 (CVSS score 8.2), disclosed by Ivanti on 31 January 2024, is now being actively exploited in the wild. Rapid7 noted a surge in attacks exploiting CVE-2024-21893 since February 2, before they released a proof-of-concept exploit for the issue.
The non-profit claims to have seen over 170 discrete IP addresses involved in attempted attacks. The flaw is in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA, allowing attackers to access restricted resources without authentication.
For context, Hackread reported last month that Ivanti VPN appliances had multiple zero-day vulnerabilities, allowing remote attackers to execute commands and even load a Rust-based malware called KrustyLoader. Two of the vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, impacted all supported versions of Ivanti Connect Secure and Ivanti Policy Secure gateways.
The latest reports bring the total to four vulnerabilities impacting Ivanti products, based on Ivanti's announcement that it has released patches for four flaws. The fourth is tracked as CVE-2024-21888. The company also released a second mitigation to help organizations defend against attacks that chain CVE-2024-21893 with CVE-2024-21887 to compromise Ivanti devices.
However, Rapid7 principal security researcher Stephen Fewer posted on X that CVE-2024-21893 is not a new vulnerability, but an already known n-day in the xmltooling library, tracked as CVE-2023-36661 and patched in June 2023.
Attacks exploiting Ivanti zero-days have been rising rapidly since their disclosure. In late January, threat intelligence firm Volexity reported a surge in attacks exploiting two Ivanti zero-days, particularly by a China-linked group tracked as UTA0178. At least 20 organizations using Ivanti Connect Secure VPN appliances were compromised, and Volexity stated that the number of compromised systems is likely higher than what was discovered.
Reportedly, UTA0178 was exploiting CVE-2024-21893 to bypass Ivanti’s initial mitigation for the two earlier zero-days. The hackers had been using CVE-2023-46805 and CVE-2024-21887 in a chain to compromise Ivanti Connect Secure VPN and Ivanti Policy Secure network access control appliances.