Ivanti is alerting to two new high-severity flaws in its Connect Secure and Policy Secure products, one of which it says has been subject to targeted exploitation in the wild.
The list of vulnerabilities is as follows:
- CVE-2024-21888 (CVSS Score: 8.8) – A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to those of an administrator
- CVE-2024-21893 (CVSS Score: 8.2) – A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA allows an attacker to access certain sensitive resources without authentication
The Utah-based software company said it has found no evidence that customers have been affected by CVE-2024-21888 so far, but acknowledged that “the exploitation of CVE-2024-21893 appears to be targeted.”
He further noted that “the threat actor is expected to change their behavior, and we expect a sharp increase in exploitation once this information becomes public.”
In conjunction with the public disclosure of the two new vulnerabilities, Ivanti has released fixes for Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1 and ZTA version 22.6R1 .3.
“Out of an abundance of caution, we recommend as a best practice that customers factory reset their device before applying the patch to prevent the threat actor from gaining update persistence in their environment,” it reads. “Customers should expect this process to take 3-4 hours.”
As workarounds to resolve CVE-2024-21888 and CVE-2024-21893, users are recommended to import the “mitigation.release.20240126.5.xml” file.
The latest development comes as two other flaws in the same product – CVE-2023-46805 and CVE-2024-21887 – have been widely exploited by multiple threat actors to implement backdoors, cryptocurrency miners, and a Rust-based loader called KrustyLoader.
The US Cybersecurity and Infrastructure Security Agency (CISA), in a new advisory released today, said adversaries are exploiting the two deficiencies to acquire credentials and issue web shells that enable further compromise of corporate networks.
“Some threat actors have recently developed workarounds to current mitigation and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without being detected,” the agency said.
“Sophisticated threat actors have subverted the external integrity checking tool (ICT), further minimizing traces of their intrusion.”