Security Advisory: Ivanti Connect Secure exploited in new zero day attack

Ivanti have recently disclosed that two high-severity vulnerabilities affecting Connect Secure VPN and Policy Secure are under active exploitation in the wild.

The vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, can be used together to achieve unauthenticated remote code execution on all supported versions of the affected products.

CVE-2023-46805 is an authentication bypass vulnerability in the web component of Connect Secure; it may allow a remote attacker to reach restricted resources by bypassing control checks.

CVE-2024-21887 is a command injection vulnerability that allows an authenticated user to execute arbitrary commands on a vulnerable device by sending specially crafted requests.

Ivanti warned that the two vulnerabilities can be chained when targeting Connect Secure deployments. If used together, “exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system.”

Recommended Remediations

CTRL strongly recommends that users of Connect Secure VPN or Policy Secure follow the mitigations provided by Ivanti in their security advisory:

KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

Currently, there is no patch for these vulnerabilities. Ivanti has provided a temporary XML mitigation file in its latest security advisory, and expects to roll out patches on a staggered schedule on January 22nd.

Sources: Ivanti Advisory | Australian Cyber Security Centre