Five Eyes agencies warn against active exploitation of vulnerabilities in Ivanti Gateway

Ivanti Connect Secure

The intelligence alliance Five Eyes (FVEY) has issued a new warning for cyber threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways, noting that the Integrity Checker Tool (ICT) can be tricked into giving a false sense of safety.

“Ivanti ICT is not sufficient to detect compromises and that a cyber threat actor could be able to gain root-level persistence despite performing factory resets,” the agencies said.

To date, Ivanti has disclosed five security vulnerabilities affecting its products since January 10, 2024, four of which have been actively exploited by multiple threat actors to deploy malware –

  • CVE-2023-46805 (CVSS score: 8.2) – Authentication bypass vulnerability in web component
  • CVE-2024-21887 (CVSS score: 9.1) – Command injection vulnerability in web component
  • CVE-2024-21888 (CVSS score: 8.8) – Privilege escalation vulnerability in web component
  • CVE-2024-21893 (CVSS score: 8.2) – SSRF vulnerability in the SAML component
  • CVE-2024-22024 (CVSS score: 8.3) – XXE vulnerability in the SAML component

Mandiant described in an analysis published this week how an encrypted version of malware known as BUSHWALK is placed in a folder excluded by ICT in /data/runtime/cockpit/diskAnalysis.


The directory exclusions were also highlighted this month by Eclypsium, which states that the tool skips a dozen directories from being scanned, allowing an attacker to leave backdoors in any of these paths and still pass the integrity check.
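To make the exclusion problem concrete from a defender's side, here is an added illustration (not Ivanti's ICT code, nor anything published by Eclypsium or Mandiant) of a hash-manifest integrity check. The `EXCLUDED_DIRS` list is a constructed stand-in modelled on the single excluded path the article names; the directory tree and the "unexpected" file are constructed in a temporary directory. The point it shows is that an exclusion-based check reports a clean diff even when a new file has appeared under a skipped path, whereas a full-coverage manifest of the same tree flags it.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed exclusion list for illustration only; it is NOT Ivanti's real ICT
# configuration. It mirrors the one excluded path mentioned in the article.
EXCLUDED_DIRS = ("data/runtime/cockpit/diskAnalysis",)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, excluded=()) -> dict:
    """Map relative path -> sha256 for every regular file under root,
    skipping anything whose relative path lies under an excluded directory."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if any(rel == ex or rel.startswith(ex + "/") for ex in excluded):
                continue  # this is the blind spot an exclusion list creates
            manifest[rel] = sha256_of(full)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return added / removed / modified relative paths between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
        ),
    }


def demo() -> tuple:
    """Build a constructed tree, take baselines with and without exclusions,
    introduce a new file under the excluded path, and compare what each
    check reports. Returns (exclusion_based_diff, full_coverage_diff)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "home/bin").mkdir(parents=True)
        (root / "home/bin/server.py").write_text("print('legit')\n")
        (root / "data/runtime/cockpit/diskAnalysis").mkdir(parents=True)
        (root / "data/runtime/cockpit/diskAnalysis/stats.log").write_text("ok\n")

        baseline_excl = build_manifest(root, EXCLUDED_DIRS)
        baseline_full = build_manifest(root)

        # Simulated post-baseline change (constructed): a file appears in the
        # excluded directory. A defender's full manifest should catch this.
        (root / "data/runtime/cockpit/diskAnalysis/.cache").write_bytes(b"\x00unexpected")

        excl_diff = diff_manifests(baseline_excl, build_manifest(root, EXCLUDED_DIRS))
        full_diff = diff_manifests(baseline_full, build_manifest(root))
        return excl_diff, full_diff


if __name__ == "__main__":
    excl, full = demo()
    print("exclusion-based check:", excl)  # reports no changes
    print("full-coverage check:  ", full)  # reports the new file
```

The practical takeaway for a defender is the one the advisory draws: a vendor integrity tool that skips paths cannot be the only evidence of a clean device. An out-of-band, full-coverage file inventory taken from a known-good image, or forensic imaging of the appliance, is needed to close the gap that the exclusion list leaves open.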

“The safest course of action for network defenders is to assume that an advanced threat actor can deploy rootkit-level persistence on a device that has been reset and left idle for any length of time,” said agencies from Australia, Canada, New Zealand, the United Kingdom, and the US.

Ivanti Gateway Vulnerabilities

They also urged organizations to “consider the significant risk of access and persistence of Ivanti Connect Secure and Ivanti Policy Secure gateways by adversaries when determining whether to continue these devices in an enterprise environment.”

Ivanti, in response to the advice, said it is not aware of any cases of successful persistence of threat actors after the implementation of security updates and factory resets. It is also releasing a new version of ICT that it says “provides additional visibility into a customer’s device and all files present on the system.”
