Number of orgs compromised via Ivanti VPN zero-days grows as Mandiant weighs in

Two zero-day bugs in Ivanti products were likely under attack by cyberspies as early as December, according to Mandiant's threat intel team.


The software biz disclosed the vulnerabilities in Ivanti Connect Secure (ICS) – the VPN server appliance previously known as Pulse Connect Secure – and its Policy Secure gateways on Wednesday. At the time the biz said someone or some group had already found and exploited the holes. A spokesperson for Ivanti told The Register the victim count was "less than 10." It has since increased.


This situation is especially worrisome because neither flaw has a patch — Ivanti hopes to start rolling those out the week of January 22 in a staggered fashion and, in the meantime, urges customers to "immediately" deploy mitigations. And as Mandiant Consulting CTO Charles Carmakal noted: "These CVEs chained together lead to unauthenticated remote code execution."

That means these flaws can be exploited to seize control of an organization's Ivanti network appliances and use them to drill into that org's IT environment. The two zero-days are: CVE-2023-46805, an authentication bypass bug; and CVE-2024-21887, a command injection vulnerability.

As of Friday, Ivanti says it's "aware of less than 20 customers impacted by the vulnerabilities."



The list will likely continue to grow, as more organizations ... discover their devices are compromised



However, as Carmakal told The Register, this number will likely increase.


"We are learning about new victims as they run Ivanti's integrity checking tool and are se ..
