Unauthenticated attackers can take control of systems by exploiting the zero days, which a suspected state-linked threat actor is chaining together. Suspected state-linked hackers have been exploiting two zero-day vulnerabilities in Ivanti Connect Secure VPN devices since early December, according to research released Wednesday by Volexity. #cyberriskmanagement #thirdpartyriskmanagement #softwaresupplychainsecurity #grc #cyberinsurance
Thomas LaFayette’s Post
-
Software Engineer | Network Engineer | Security Researcher | System Programmer | professor | Specialized computer writer | Specialized educational consultant |
Recent SSRF Flaw in Ivanti VPN Products Undergoes Mass Exploitation
Feb 06, 2024 | Newsroom | Cybersecurity / Vulnerability
A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation. The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others. The attacks exploit CVE-2024-21893 (CVSS score: 8.2), an SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA that allows an attacker to access otherwise restricted resources without authentication. Ivanti had previously divulged that the vulnerability had been exploited in targeted attacks aimed at a "limited number of customers," but cautioned the status quo could change post public disclosure. https://lnkd.in/dcn3sS7M
Recent SSRF Flaw in Ivanti VPN Products Undergoes Mass Exploitation
thehackernews.com
-
Volexity Catches Chinese Hackers Exploiting Ivanti VPN Zero-Days: Ivanti confirms active zero-day exploits, ships pre-patch mitigations, but says comprehensive fixes won't be available until January 22. The post Volexity Catches Chinese Hackers Exploiting Ivanti VPN Zero-Days appeared first on SecurityWeek.
Volexity Catches Chinese Hackers Exploiting Ivanti VPN Zero-Days
securityweek.com
-
CEO at MOGWAI LABS GmbH, an infosec boutique with a strong emphasis on offensive security, based in Neu-Ulm (South Germany).
Using Ivanti Connect Secure? By combining two vulnerabilities (authentication bypass and RCE), unauthenticated attackers can compromise your VPN gateway. Active exploitation is reported, please update ASAP ASAP! https://lnkd.in/dyuViAxy
Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways | CISA
cisa.gov
-
The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused in tandem to achieve unauthenticated remote code execution on susceptible appliances. https://lnkd.in/g_MN3zje
Hackers Exploiting Ivanti VPN Flaws to Deploy KrustyLoader Malware
thehackernews.com
-
Ivanti has released patches to address two vulnerabilities disclosed in January: CVE-2023-46805 (an authentication bypass issue) and CVE-2024-21887 (a command injection issue). Those flaws affect Connect Secure and Policy Secure; the patches fix the vulnerabilities in some but not all affected versions of the products. Ivanti has also disclosed two new zero-day vulnerabilities, one of which is being actively exploited. #ivanti #zerodayvulnerability #patchmanagement https://lnkd.in/ehQwJPvN
More Ivanti VPN Zero-Days Fuel Attack Frenzy as Patches Finally Roll
darkreading.com
-
MITRE hacked through the exploitation of Ivanti Connect Secure VPN device zero-day vulnerabilities. Xiid could not only have prevented this BUT can make sure it NEVER happens again! Set up an appt today 📆 https://lnkd.in/gnqRsu8b
MITRE Hack: China-Linked Group Breached Systems in December 2023
securityweek.com
-
Ivanti Zero-Day Exploits Skyrocket Worldwide; No Patches Yet... Anyone who hasn't mitigated two zero-day security bugs in Ivanti VPNs may already be compromised by a Chinese nation-state actor. Thousands of Ivanti VPN instances have been compromised across the globe in the last five days thanks to two serious, as yet unpatched zero-day vulnerabilities disclosed last week.
Ivanti Zero-Day Exploits Skyrocket Worldwide; No Patches Yet
darkreading.com
-
A true zero trust platform, like Zscaler Private Access, removes the threat of zero day vulnerabilities that have plagued Ivanti, as well as all other legacy VPN solutions, by removing all remote access entry points. True #zerotrust means no exposed devices or IP addresses to attack, because authorization happens before an inside out connection is ever made. To learn more, we encourage you to read this blog published by the Zscaler ThreatLabz Team.
ThreatLabz Coverage Advisory: Ivanti’s VPN Vulnerabilities Exploited by Hackers, New Zero-Days Pose Critical Risk
zscaler.com
-
This is just such a fascinating case, no less so now that Mandiant connects (with moderate confidence) UNC5325, which is behind Ivanti exploitation, with UNC3886, which is a group that went after VMware vCenter and ESXi.
Read the latest research on Ivanti exploitation and persistence in our blog. Ivanti customers are urged to take immediate action to ensure protection if they haven't done so already. A new version of the external Integrity Checking Tool (ICT), which helps detect these persistence attempts, is now available. See Ivanti's security advisory and refer to our updated remediation and hardening guide, which includes the latest recommendations. Learn more: https://bit.ly/49Q4WPd #IncidentResponse #ThreatIntelligence #ZeroDayThreats
Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts | Mandiant
mandiant.com