16,500+ Ivanti Gateways Exposed: High-Severity Flaw Revealed

Over 16,500 Ivanti Connect Secure and Policy Secure gateways reachable from the Internet are at risk from a high-severity vulnerability that an unauthenticated attacker can use to cause a denial of service (DoS) and, under certain conditions, achieve remote code execution (RCE).

The vulnerability, tracked as CVE-2024-21894, is a heap overflow in the IPSec component of Ivanti Connect Secure versions 9.x and 22.x and of Ivanti Policy Secure. An attacker who can reach the IPSec service needs no credentials: specially crafted requests are enough to crash the service, and in certain conditions the same bug can be turned into arbitrary code execution.

Ivanti disclosed the vulnerability on April 3, 2024. At that point the Shodan search engine listed about 29,000 Ivanti gateways exposed to the Internet, and the threat-monitoring service Shadowserver reported roughly 18,000 potentially vulnerable instances.

Ivanti strongly advised administrators to apply the updates as soon as possible, even though it was not aware of any active exploitation against its customers at the time of disclosure.

Subsequent Shadowserver scans found that about 16,500 of the exposed appliances were running versions affected by the flaw. Most of them are located in the United States (about 4,700), followed by Japan (2,000), the United Kingdom (1,000), Germany (900) and France (900), with the remainder spread across other countries. Note that these counts are based on the version an appliance advertises: they measure exposure to the bug, not whether a device has already been compromised.

Vulnerabilities in Ivanti products have repeatedly served as attackers' entry points into organizations worldwide. Earlier this year it emerged that state-sponsored actors had exploited several flaws in Ivanti products as zero-days, deploying malware on appliances before the vendor was aware of the issues.

A Mandiant report published shortly after the new disclosure dealt with those earlier intrusions rather than with CVE-2024-21894: it described post-exploitation activity by suspected Chinese state-backed operators on compromised appliances, including the SPAWN malware family.

Administrators who have not yet applied the available protective measures and patches for CVE-2024-21894 are strongly urged to follow Ivanti's advisory, which lists a separate fixed build for each supported release train.
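Before the patches can be applied, an operator has to know which appliances in the fleet are still on affected builds, which is the same version-based triage Shadowserver performs from the outside. The script below is an added example written for this page; it is not code from the article, from Ivanti or from Shadowserver. It parses Ivanti's build-string format (major.minor R release . patch, e.g. 22.6R2.3) and compares each appliance only against the fixed build of its own release train, because Ivanti ships one fix per train and a 22.5 build cannot be judged against a 22.6 fix. The FIXED_BUILDS table and the sample inventory are hypothetical placeholders; fill the table from the fixed builds listed in the vendor advisory before using it.

```python
import re
from collections import defaultdict

# Ivanti build strings look like "22.6R2.3" or "9.1R18.5":
# <major>.<minor>R<release>[.<patch>]. A missing patch component is
# treated as patch 0, so "9.1R18" sorts below "9.1R18.1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Return (major, minor, release, patch) for an Ivanti build string."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = match.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def release_train(version: str) -> str:
    """'22.6R2.3' -> '22.6R2'. A build is only comparable to the fixed
    build of its own train, never to another train's fix."""
    major, minor, release, _ = parse_version(version)
    return f"{major}.{minor}R{release}"


# HYPOTHETICAL placeholder table. These values are NOT taken from the
# Ivanti advisory; replace them with the fixed builds it lists for
# CVE-2024-21894. Keyed by release train.
FIXED_BUILDS = {
    "22.6R2": "22.6R2.3",
    "22.5R2": "22.5R2.4",
    "9.1R18": "9.1R18.5",
}


def classify(version: str, fixed_builds: dict[str, str] = FIXED_BUILDS) -> str:
    """Classify one appliance build as 'patched', 'vulnerable' or
    'unknown-train'. A train missing from the table is flagged for manual
    review rather than silently treated as safe."""
    train = release_train(version)
    if train not in fixed_builds:
        return "unknown-train"
    fixed = parse_version(fixed_builds[train])
    return "patched" if parse_version(version) >= fixed else "vulnerable"


def triage(inventory, fixed_builds=FIXED_BUILDS) -> dict[str, list[str]]:
    """Group hostnames by patch status. `inventory` is an iterable of
    (hostname, build) pairs, e.g. exported from the admin console or a CMDB.
    Malformed build strings are reported under 'unparseable', not skipped."""
    result = defaultdict(list)
    for host, build in inventory:
        try:
            result[classify(build, fixed_builds)].append(host)
        except ValueError:
            result["unparseable"].append(host)
    return dict(result)


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = [
    ("vpn-nyc-01", "22.6R2.3"),       # exactly at the fixed build
    ("vpn-nyc-02", "22.6R2.1"),       # same train, older patch level
    ("vpn-fra-01", "22.5R2.4"),
    ("vpn-tok-01", "9.1R18.2"),
    ("vpn-lon-01", "22.4R1.1"),       # train not in table -> manual review
    ("vpn-lab-01", "build-unknown"),  # garbage from a stale CMDB entry
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:14} {', '.join(hosts)}")
```

A "patched" result from this check only means the appliance is no longer exposed to the bug; it says nothing about whether the device was already compromised, which is what the vendor's integrity-checking guidance is for.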