• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 

Google fined $314M for misusing idle Android users' data

 | 

A flaw in Catwatchful spyware exposed logins of +62,000 users

 | 

China-linked group Houken hit French organizations using zero-days

 | 

Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

 | 

Europol shuts down Archetyp Market, longest-running dark web drug marketplace

 | 

Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Security
  • CISA orders federal agencies to disconnect Ivanti VPN instances by February 2

CISA orders federal agencies to disconnect Ivanti VPN instances by February 2

Pierluigi Paganini February 01, 2024

CISA is ordering federal agencies to disconnect Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.

For the first time since its establishment, CISA is ordering federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.

The CISA’s emergency directive orders to disconnect all instances no later than 11:59PM on Friday February 2, 2024.

“As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks.” reads the directive.

    The government agency recommends continuing to look for indicators of compromise on any systems connected to—or recently connected to—the affected Ivanti device.

    The government experts also ordered to monitor the authentication or identity management services that could be exposed and urged to isolate the systems from any enterprise resources to the greatest degree possible. CISA also warned to continue to audit privilege-level access accounts.

    “To bring a product back into service, agencies are required to perform the following actions:

    1. Export configuration settings.
    2. Complete a factory reset per Ivanti’s instructions.
    3. Rebuild the device per Ivanti’s instructions AND upgrade to one of the following supported software versions through Ivanti’s download portal (there is no cost to upgrade): 9.1R18.3, 22.4R2.2, 22.5R1.1, 9.1R14.4, 9.1R17.2.”

    IVANTI recently warned of four zero-days, three of which are actively exploited in the wild.

    In early January, the software firm reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.

    The flaw CVE-2023-46805 (CVSS score 8.2) is an Authentication Bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.

    The second flaw, tracked as CVE-2024-21887 (CVSS score 9.1) is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and execute arbitrary commands on the appliance.

    An attacker can chain the two flaws to send specially crafted requests to unpatched systems and execute arbitrary commands. 

    “If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.” reads the advisory published by Ivanti.

    This week Ivanti warned of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that one of these two vulnerabilities is under active exploitation in the wild.

    The vulnerability CVE-2024-21888 is a privilege escalation issue that resides in the web component of Ivanti Connect Secure (9.x, 22.x) and Policy Secure (9.x, 22.x). An attacker can exploit the vulnerability to gain admin privileges.

    The second flaw CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Connect Secure (9.x, 22.x), Policy Secure (9.x, 22.x) and Neurons for ZTA. An authenticated attacker can exploit the issue to access certain restricted resources.

    The company also warns that the situation is still evolving and multiple threat actors can rapidly adapat their tactics, techniques, and procedures to exploit these issues in their campaigns.

    “At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure.” reads the advisory.

    “Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available.”

    The software firm recommends importing the “mitigation.release.20240126.5.xml” file via the download portal as temporary workarounds to address CVE-2024-21888 and CVE-2024-21893.

    Mandiant researchers recently discovered new malware employed by a China-linked APT group known as UNC5221 and other threat groups targeting Ivanti Connect Secure VPN and Policy Secure devices.

    The cybersecurity firm reported that threat actors are employing the malware in post-exploitation activity, likely performed through automated methods.

    Mandiant recently observed a mitigation bypass technique used to deploy a custom web shell tracked as BUSHWALK. Successful exploitation would bypass the initial mitigation provided by Ivanti on Jan. 10, 2024.

    Mandiant speculates that mitigation bypass activity is highly targeted, restricted, and differs from the mass exploitation activity observed after the disclosure of the Ivanti flaws.

    Other malware employed in the attack is a new variant of the LIGHTWIRE web shell, the Python web shell backdoor CHAINLINE and FRAMESTING web shell.

    Follow me on Twitter: @securityaffairs and Facebook and Mastodon

    Pierluigi Paganini

    (SecurityAffairs – hacking, IVANTI)


    facebook linkedin twitter

    CISA Hacking hacking news information security news IT Information Security Ivanti VPN Pierluigi Paganini Security Affairs Security News

    you might also like

    Pierluigi Paganini July 09, 2025
    Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates
    Read more
    Pierluigi Paganini July 09, 2025
    Hackers weaponize Shellter red teaming tool to spread infostealers
    Read more

    leave a comment

    newsletter

    Subscribe to my email list and stay
    up-to-date!

      recent articles

      Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

      Malware / July 09, 2025

      Hackers weaponize Shellter red teaming tool to spread infostealers

      Malware / July 09, 2025

      Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

      Security / July 08, 2025

      Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

      Intelligence / July 08, 2025

      U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

      Hacking / July 08, 2025

      To contact me write an email to:

      Pierluigi Paganini :
      pierluigi.paganini@securityaffairs.co

      LEARN MORE

      QUICK LINKS

      • Home
      • Cyber Crime
      • Cyber warfare
      • APT
      • Data Breach
      • Deep Web
      • Digital ID
      • Hacking
      • Hacktivism
      • Intelligence
      • Internet of Things
      • Laws and regulations
      • Malware
      • Mobile
      • Reports
      • Security
      • Social Networks
      • Terrorism
      • ICS-SCADA
      • POLICIES
      • Contact me

      Copyright@securityaffairs 2024

      We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
      Cookie SettingsAccept All
      Manage consent

      Privacy Overview

      This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
      Necessary
      Always Enabled
      Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
      Non-necessary
      Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
      SAVE & ACCEPT