U.S. software company Ivanti disclosed that hackers are exploiting two critical-rated vulnerabilities in its widely used corporate VPN appliance, but updates won’t be available until the end of the month.
Ivanti Connect Secure included CVE-2023-46805 and CVE-2024-21887 vulnerabilities. This remote access VPN, formerly Pulse Connect Secure, lets mobile and distant users access company resources online.
Ivanti stated “less than 10 customers” had been affected by the “zero day” vulnerabilities, which it had no time to remedy before being exploited.
Volexity, a cybersecurity provider, observed unusual behavior on one of these customers’ networks in the second week of December. Volexity revealed that hackers chained the two Connect Secure vulnerabilities to execute unauthenticated remote code, enabling them to “steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.”
Volexity has evidence that the customer’s VPN equipment may have been infiltrated as early as December 3 and attributed the assault to UTA0178, a China-backed hacking gang.
Security researcher Kevin Beaumont wrote on Mastodon that there would “likely be many more victims.” Ivanti, no stranger to zero days, maintains that only a few corporate clients are impacted. Beaumont called the two vulnerabilities “ConnectAround,” and a scan showed 15,000 compromised Ivanti devices accessible to the internet worldwide.
Ivanti claims remedies for the two vulnerabilities will be issued staggered from January 22 to mid-February. Ivanti refused to explain why fixes weren’t given promptly to Eltrys. Ivanti does not indicate whether these in-the-wild assaults have caused data exfiltration or who the threat actor is.
U.S. cybersecurity watchdog CISA has also advised Ivanti Connect Secure to address the two vulnerabilities immediately.
Volexity warns that these mitigations will not fix prior breaches.
