CISA’s Urgent Call: Mitigate Ivanti Zero-Day Threats Now

The Cybersecurity and Infrastructure Security Agency (CISA) of the United States has issued an emergency directive requiring Federal Civilian Executive Branch (FCEB) agencies to mitigate two actively exploited zero-day vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS).

The warning comes in light of two vulnerabilities—an authentication bypass (CVE-2023-46805, CVSS score: 8.2) and a code injection flaw (CVE-2024-21887, CVSS score: 9.1)—being widely exploited by a range of threat actors. Used together, these flaws allow an attacker to craft malicious requests and execute arbitrary commands on the appliance.


Ivanti acknowledged that it "observed a sharp increase in threat actor activity starting on January 11," following the public disclosure of these vulnerabilities. Successful exploitation enables an attacker to move laterally, steal data, and maintain persistent access, leading to the complete compromise of the targeted information systems.

Ivanti, expected to release an update to rectify these vulnerabilities next week, has provided a temporary workaround through an XML file that can be imported into the affected products to make the necessary configuration changes.

CISA encourages organizations using ICS to apply the protective measures and run the external integrity verification tool to detect signs of compromise. If compromise is detected, the affected devices should be disconnected from the network and rebooted, after which the XML mitigation file should be imported.

Furthermore, FCEB organizations are strongly advised to revoke and reissue any stored certificates, reset the administrator password, preserve API keys, and reset the passwords of any local user defined on the gateway.

Cybersecurity firms Volexity and Mandiant have observed attacks exploiting these vulnerabilities to deploy web shells and backdoors for persistent access to compromised devices. It is estimated that, to date, approximately 2,100 devices worldwide have been compromised.

The initial wave of attacks was recorded in December 2023. Since then, numerous new groups, in addition to the suspected Chinese state-sponsored actor (tracked as UTA0178 or UNC5221), have joined in the active exploitation of these vulnerabilities.