Critical Ivanti Connect Secure Zero-Day Under Active Exploitation
Critical zero-day vulnerabilities in Ivanti Connect Secure VPN appliances are being actively exploited. Organizations must act immediately to assess exposure and implement mitigations.
**January 2024** - The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding two critical zero-day vulnerabilities affecting Ivanti Connect Secure VPN appliances that are being actively exploited in the wild. Security researchers have detected widespread exploitation attempts targeting enterprise networks worldwide, with threat actors leveraging these vulnerabilities to establish persistent access to corporate environments. Organizations using Ivanti Connect Secure products face immediate risk and must take swift action to protect their infrastructure.
The vulnerabilities, tracked as CVE-2024-21887 and CVE-2024-21893, affect multiple versions of Ivanti Connect Secure (formerly Pulse Secure) and present a critical threat to organizations relying on these VPN solutions for secure remote access. Initial exploitation attempts were detected by multiple threat intelligence firms, with evidence suggesting sophisticated threat actors have been leveraging these flaws since early January 2024.
What Happened
Ivanti disclosed two critical security vulnerabilities affecting its Connect Secure VPN product on January 10, 2024, following reports from cybersecurity firm Volexity that observed active exploitation in customer environments. The disclosure came after Volexity detected suspicious activity on multiple customer networks, all of which traced back to compromised Ivanti Connect Secure appliances.
CVE-2024-21887 is a command injection vulnerability with a CVSS score of 9.1 (Critical). This flaw allows an authenticated administrator to send specially crafted requests to the appliance, resulting in arbitrary command execution with elevated privileges. The vulnerability exists in the web component of Ivanti Connect Secure and can be exploited by threat actors who have already gained administrative credentials through various means, including credential theft or by chaining this vulnerability with CVE-2024-21893.
CVE-2024-21893 is a server-side request forgery (SSRF) vulnerability rated at 8.2 (High) on the CVSS scale. This vulnerability enables unauthenticated attackers to access restricted resources on the Ivanti Connect Secure appliance without requiring authentication. By crafting specific HTTP requests, threat actors can bypass authentication mechanisms and gain access to sensitive functionality that should only be available to authenticated users.
The exploitation timeline reveals a concerning pattern. Evidence suggests threat actors began reconnaissance activities against vulnerable Ivanti Connect Secure appliances in late December 2023, with active exploitation confirmed by January 3, 2024. Volexity's investigation revealed that attackers were using these vulnerabilities in combination, first leveraging CVE-2024-21893 to gain initial access, then deploying CVE-2024-21887 to establish persistence and execute arbitrary commands on compromised systems.
Multiple cybersecurity agencies worldwide, including CISA, the FBI, and international Computer Emergency Response Teams (CERTs), have confirmed ongoing exploitation campaigns. Threat intelligence indicates that multiple advanced persistent threat (APT) groups are actively scanning for and exploiting vulnerable Ivanti Connect Secure instances exposed to the internet.
The attack methodology observed by security researchers shows sophisticated techniques including:
CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply mitigations by specific deadlines. This designation underscores the severity and active exploitation of these vulnerabilities.
Who Is Affected
The vulnerabilities affect multiple versions of Ivanti Connect Secure, with thousands of organizations worldwide potentially at risk. According to internet-wide scanning data, approximately 16,000 Ivanti Connect Secure appliances are exposed to the internet and potentially vulnerable to these exploits.
Affected Products and Versions:
Industry Sectors at Elevated Risk:
Organizations across multiple sectors have been confirmed as targets or victims of these exploitation campaigns:
The geographic distribution of vulnerable systems shows significant concentrations in North America, Europe, and Asia-Pacific regions, with the United States hosting the largest number of exposed appliances. However, exploitation attempts have been observed targeting organizations globally without geographic preference.
Organizations that have implemented Ivanti Connect Secure as their primary or backup remote access solution face the most significant risk. The vulnerabilities affect both on-premises deployments and certain cloud-integrated configurations, making the attack surface substantial.
Managed service providers (MSPs) represent a particularly concerning target, as compromise of their Ivanti Connect Secure infrastructure could provide attackers with access to multiple downstream client organizations. Several MSPs have already reported confirmed compromises, leading to notification requirements for potentially hundreds of affected clients.
Technical Analysis
Understanding the technical mechanisms of these vulnerabilities is crucial for security teams assessing their exposure and implementing appropriate defenses.
**CVE-2024-21887: Command Injection Vulnerability**
This vulnerability exists in the web-based management interface of Ivanti Connect Secure. The flaw stems from insufficient input validation in specific API endpoints that process administrative commands. When processing certain requests, the application fails to properly sanitize user-supplied input before passing it to system command interpreters.
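As an added illustration of this bug class (example code written for this page, not Ivanti's code), the unsafe string-building pattern next to a hardened form; the `ping` diagnostic endpoint, the function names and the sample host value are assumptions:

```python
"""Command injection of the class described above: an added illustration, not
Ivanti's code. Assumed: a hypothetical admin diagnostic endpoint that pings a
caller-supplied host; function and constant names are invented."""
import re
import shlex

# Allowlist for the only caller-controlled value: a DNS name or dotted IPv4.
# Must start alphanumeric, so the value can never be parsed as a "-option".
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def build_ping_vulnerable(host: str) -> str:
    # BUG (deliberate, for illustration): the untrusted value is interpolated
    # into a command line that a shell will parse, so shell operators inside
    # `host` are honoured as command separators.
    return f"ping -c 1 {host}"


def shell_tokens(cmdline: str) -> list[str]:
    """Tokenise like a POSIX shell, keeping operators such as ';' and '|' as
    their own tokens, to show what the interpreter would actually execute."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_valid_host(host: str) -> bool:
    return HOSTNAME_RE.fullmatch(host) is not None


def build_ping_hardened(host: str) -> list[str]:
    # Fix 1: reject anything outside the allowlist before it goes anywhere.
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    # Fix 2: return an argv list to be run via subprocess.run(argv), i.e.
    # shell=False, so no command interpreter ever parses the untrusted value.
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    tainted = "203.0.113.5; id"          # constructed sample input
    print(shell_tokens(build_ping_vulnerable(tainted)))
    print(is_valid_host(tainted), build_ping_hardened("203.0.113.5"))
```

Both fixes are needed together: validation alone leaves the string-to-shell path in place, and an argv list alone still lets a leading-hyphen value be read as an option by the target binary.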
The exploitation process follows this pattern:
Proof-of-concept code circulating in underground forums demonstrates that exploitation requires minimal technical sophistication once administrative access is obtained. The commands can be used to:
**CVE-2024-21893: Server-Side Request Forgery (SSRF)**
The SSRF vulnerability represents a more insidious threat as it requires no authentication. The flaw exists in how Ivanti Connect Secure processes certain HTTP requests related to internal service communication. By manipulating specific request parameters, attackers can coerce the appliance into making requests to internal services that should not be accessible externally.
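As an added illustration of this bug class (example code written for this page, not Ivanti's code), a destination-handling routine that lets a request parameter pick the target next to two hardened forms; the service keys, hostnames and function names are assumptions:

```python
"""SSRF of the class described above: an added illustration, not Ivanti's code.
Assumed: a hypothetical internal-service proxy endpoint taking a caller-
supplied `target`; service keys, hostnames and function names are invented."""
import ipaddress
from urllib.parse import urlsplit

# Hardening choice 1: the caller names a service key, never a URL. The
# destination table is fixed server-side, so the request parameter can
# no longer steer the appliance toward an arbitrary internal service.
SERVICE_TABLE = {
    "status": "https://status.internal.example/api/health",
    "license": "https://license.internal.example/api/check",
}
ALLOWED_HOSTS = frozenset(urlsplit(u).hostname for u in SERVICE_TABLE.values())


def resolve_target_vulnerable(target: str) -> str:
    # BUG (deliberate, for illustration): whatever the caller sends becomes
    # the destination the appliance will request.
    return target


def resolve_target_hardened(target: str) -> str:
    try:
        return SERVICE_TABLE[target]
    except KeyError:
        raise ValueError(f"unknown service key: {target!r}") from None


def is_permitted_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Hardening choice 2, for code paths that must accept a full URL:
    https only, no userinfo (defeats "allowed-host@real-host" tricks), host
    on the allowlist, and never a loopback, private or link-local literal."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username is not None:
        return False
    host = parts.hostname or ""
    if host not in allowed_hosts:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True                       # allowlisted DNS name
    return not (ip.is_loopback or ip.is_private or ip.is_link_local)
```

The allowlist check validates the name, not where it resolves; a deployment that accepts DNS names should also check the resolved address at connection time, since a name can later point at an internal address.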
Technical characteristics include:
The SSRF vulnerability allows attackers to:
**Attack Chain Observed in the Wild**
Security researchers have documented complete attack chains that leverage both vulnerabilities sequentially: