Ivanti reveals two new Zero-Day flaws, one of which is being actively exploited


Ivanti is warning of two new, serious vulnerabilities in its Connect Secure and Policy Secure products, one of which is reported to have been exploited in the wild.

The list of vulnerabilities is as follows:

  • CVE-2024-21888 (CVSS Score: 8.8) – A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate their privileges to those of an administrator
  • CVE-2024-21893 (CVSS Score: 8.2) – A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication

The Utah-based software company said it has so far found no evidence that customers have been affected by CVE-2024-21888, but acknowledged that “the exploitation of CVE-2024-21893 appears to be targeted.”

It further noted that it “expects threat actors to change their behavior and we expect a sharp increase in exploitation once this information is public.”

In addition to publicly disclosing the two new vulnerabilities, Ivanti has released fixes for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1, and ZTA version 22.6R1.3.

“Out of an abundance of caution, as a best practice we recommend that customers factory reset their device before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment,” the report said. “Customers should expect this process to take 3-4 hours.”

As a workaround for CVE-2024-21888 and CVE-2024-21893, customers are advised to import the “mitigation.release.20240126.5.xml” file.

The latest development comes as two other flaws in the same product – CVE-2023-46805 and CVE-2024-21887 – have been widely exploited by multiple threat actors to deploy backdoors, cryptocurrency miners, and a Rust-based loader called KrustyLoader.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says in a new advisory published today that adversaries are exploiting the two flaws to obtain credentials and drop web shells that enable further compromise of corporate networks.

“Some threat actors have recently developed solutions to current mitigation and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection,” the agency said.

“Advanced threat actors have subverted the external integrity checking (ICT) tool, further minimizing the traces of their breach.”
