Under Attack: Ivanti SSRF Vulnerability CVE-2024-21893 Targeted by Multitude of Hackers

The widespread exploitation of a vulnerability in Ivanti Connect Secure and Ivanti Policy Secure, tracked as CVE-2024-21893, is raising alarms among security teams. The flaw is a server-side request forgery (SSRF) in the products' SAML component and affects versions 9.x and 22.x of both products. It lets an unauthenticated attacker reach certain restricted resources on the appliance, bypassing the authentication that would normally stand in front of them.

Ivanti published its initial advisory on January 31. The flaw was a zero-day in the proper sense: it was already being exploited in the wild before a fix existed, although at that point Ivanti said it was aware of only a small number of affected customers.


Now, according to the threat-monitoring service Shadowserver, attackers are exploiting the vulnerability at scale. Its sensors have recorded exploitation attempts from 170 unique IP addresses. That volume far exceeds the activity seen against the other recently patched Ivanti issues, a clear sign that attackers have shifted their focus to this bug.

On February 2, researchers at Rapid7 published a technical analysis together with a working proof-of-concept (PoC) exploit, which undeniably contributed to the rise in attack volume. Shadowserver notes, however, that techniques similar to the published ones were already being used by attackers several hours before Rapid7's report appeared. In other words, hackers had independently worked out how to exploit CVE-2024-21893 to reach the appliances' restricted endpoints without authentication.

To date, researchers have identified nearly 22,500 Ivanti Connect Secure devices exposed to the internet. It remains unclear how many of them are still running a version susceptible to the actively exploited vulnerability.

Ivanti's disclosure of CVE-2024-21893 was accompanied by security updates that also close the two earlier zero-days in the same products, the authentication bypass CVE-2023-46805 and the command injection CVE-2024-21887. Those two flaws had been exploited by a suspected Chinese state-backed espionage group to plant web shells and backdoors on compromised appliances, with infections peaking in mid-January.

Given the active exploitation of several critical zero-days, the absence of an effective mitigation, and the lack of patches for some product versions, the Cybersecurity and Infrastructure Security Agency (CISA) went as far as ordering all U.S. federal agencies, in supplemental direction to its Emergency Directive 24-01, to disconnect Ivanti Connect Secure and Policy Secure VPN appliances. A device may be brought back online only after a factory reset and an upgrade to the latest firmware.

The same approach is sound for private organizations: treat any exposed appliance as potentially compromised, rebuild and patch it rather than patching in place, run Ivanti's Integrity Checker Tool against it, and review the surrounding network for signs that the appliance was used as a foothold.