Active Exploitation of Ivanti Connect Secure Zero-Day Vulnerabilities (CVE-2023-46805, CVE-2024-21887)
Critical authentication bypass and command injection vulnerabilities in Ivanti Connect Secure VPN are being actively exploited in the wild. Threat actors are deploying web shells and maintaining persistence in compromised environments.
Mandiant and Ivanti have disclosed active exploitation of two zero-day vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS): CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection. Chained together, the two flaws let an unauthenticated remote attacker execute arbitrary commands on the appliance.
Threat actors are exploiting the chain to deploy web shells, establish persistence, and potentially steal data. The tradecraft points to a sophisticated actor, and reconnaissance and post-exploitation activity has been traced back to December 2023. Ivanti has released mitigation guidance and plans to ship patches on a staggered schedule beginning in late January 2024.
Key Findings
Two zero-days in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) are under active exploitation: CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection), disclosed by Mandiant and Ivanti
Chained, the two flaws give an unauthenticated remote attacker arbitrary command execution on the appliance
Observed post-exploitation activity includes web shell deployment, persistence, and likely data theft
The tradecraft indicates a sophisticated actor; reconnaissance and post-exploitation activity dates back to December 2023
Overview
Two critical zero-day vulnerabilities have been discovered in Ivanti Connect Secure VPN appliances. Chained, they allow an unauthenticated attacker to bypass authentication and execute arbitrary commands on the device, and they are being actively exploited in the wild by sophisticated threat actors.
The vulnerabilities affect all supported versions of Ivanti Connect Secure (9.x and 22.x) and Ivanti Policy Secure products.
Affected Vulnerabilities
CVE-2023-46805: Authentication Bypass in the web component; a remote attacker can reach restricted resources without credentials
CVE-2024-21887: Command Injection in the web component; crafted requests execute arbitrary commands on the appliance, and the bypass above removes the need for valid credentials
Technical Analysis
The authentication bypass (CVE-2023-46805) lets an attacker reach restricted resources without valid credentials. On its own, the command injection (CVE-2024-21887) requires an authenticated administrator-level request; chaining it behind the bypass removes that requirement, so an unauthenticated remote attacker gets code execution on the appliance in a single request sequence.
Attack Chain
Initial access: unauthenticated command execution via the authentication bypass chained with the command injection
Persistence: web shells deployed on the appliance itself
Lateral movement from the appliance into the internal network it fronts
Potential data exfiltration
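As an added illustration of what this chain looks like from the defender's side, the following Python script (written for this page, not code from Ivanti or Mandiant) runs two generic heuristics over constructed web access-log lines: directory-traversal segments inside API paths, one common way an authentication bypass that confuses request routing surfaces in logs, and shell metacharacters in query parameters, the footprint of command injection. A client that trips both is reported as a likely chain. The endpoints, client addresses and log lines are all made up for the example, and the heuristics are assumptions about the general pattern, not Ivanti's published indicators or the exploit itself.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (hypothetical paths and clients;
# not captures from a real appliance).
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jan/2024:02:14:07 +0000] "GET /api/v1/public/status HTTP/1.1" 200 204
203.0.113.10 - - [08/Jan/2024:02:14:09 +0000] "GET /api/v1/public/status/../../admin/config HTTP/1.1" 200 812
203.0.113.10 - - [08/Jan/2024:02:14:11 +0000] "POST /api/v1/public/status/..%2F..%2Fadmin/diagnostics?target=127.0.0.1%3Bid HTTP/1.1" 200 33
198.51.100.7 - - [08/Jan/2024:02:15:00 +0000] "GET /api/v1/public/status HTTP/1.1" 200 204
"""

# Common log format: client ident user [ts] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# A ".." segment anywhere in the decoded path climbs out of the routed prefix.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
# Shell metacharacters that a hostname/IP/numeric parameter should never carry.
SHELL_META_RE = re.compile(r"[;|&`\n]|\$\(")


def decode_fully(s, max_rounds=3):
    """Percent-decode until stable; attackers double-encode '/' as %252F."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def parse_line(line):
    """Split one log line into client, decoded path and decoded query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = decode_fully(parts.path)
    # Split on '&' only; a ';' inside a value is a signal, not a separator.
    rec["params"] = []
    for kv in parts.query.split("&"):
        if not kv:
            continue
        k, _, v = kv.partition("=")
        rec["params"].append((decode_fully(k), decode_fully(v)))
    return rec


def classify(rec):
    """Return the set of heuristic flags a single request trips."""
    flags = set()
    if TRAVERSAL_RE.search(rec["path"]):
        flags.add("traversal")
    if any(SHELL_META_RE.search(v) for _, v in rec["params"]):
        flags.add("shell_meta")
    return flags


def hunt(log_text):
    """Aggregate flags per client. 'chained' means the same client tripped
    both heuristics: the shape of an auth bypass followed by command injection."""
    per_client = defaultdict(lambda: {"traversal": 0, "shell_meta": 0, "chained": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for flag in classify(rec):
            per_client[rec["client"]][flag] += 1
    for stats in per_client.values():
        stats["chained"] = stats["traversal"] > 0 and stats["shell_meta"] > 0
    return dict(per_client)


if __name__ == "__main__":
    for client, stats in hunt(SAMPLE_LOG).items():
        print(client, stats)
```

The per-client aggregation is the point: a single traversal request is noise on most edges, but traversal followed by metacharacters from the same source in the same window is the ordering the attack chain above produces, and that is what should page someone.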
Impact Assessment
The vulnerabilities pose a critical risk to organizations using Ivanti Connect Secure VPN solutions. Successful exploitation could lead to:
Unauthorized access to internal networks
Data theft and intellectual property compromise
Installation of additional malware
Network persistence
Lateral movement to other systems
Recommendations
Organizations should take immediate action to protect their environments: apply Ivanti's published mitigation to every exposed ICS and IPS appliance now rather than waiting for the patch, hunt for web shells and other post-exploitation artefacts on those appliances, review logs back to December 2023 for the activity described above, and install the patch as soon as Ivanti releases it for the affected version.
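A web shell hunt is the one recommendation that benefits from a concrete starting point, so here is an added example of a file-system sweep (written for this page; not Ivanti's integrity tooling or anything from Mandiant's report). It walks a directory tree and reports files modified after a baseline date and files whose content routes request input (CGI environment variables, PHP superglobals, CGI.pm parameters) into an execution sink (system/exec/eval calls or backtick interpolation), which is the minimal shape of a web shell in either Perl or PHP. The directory layout, file names and script contents are constructed for the demo, and the baseline is an assumed value; on a real appliance image the tree, baseline and pattern lists would come from your own known-good build.

```python
import os
import re
import tempfile
import time

# Request-input sources seen in Perl CGI and PHP handlers (assumed patterns).
INPUT_SRC = re.compile(
    r"\$ENV\{['\"]?(?:QUERY_STRING|HTTP_[A-Z0-9_]+)['\"]?\}"
    r"|\$_(?:GET|POST|REQUEST|COOKIE)\b|->param\("
)
# Code/command execution sinks, plus backtick interpolation of a variable.
EXEC_SINK = re.compile(
    r"\b(?:system|exec|eval|passthru|shell_exec|popen)\s*\(|`[^`]*\$[^`]*`"
)


def scan_tree(root, baseline_epoch, max_bytes=65536):
    """Walk `root`; report files modified after the baseline and files whose
    content routes request input into an execution sink.
    Returns a sorted list of (relative_path, [reasons])."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="replace")
            except OSError:
                continue
            reasons = []
            if st.st_mtime > baseline_epoch:
                reasons.append("modified after baseline")
            if INPUT_SRC.search(text) and EXEC_SINK.search(text):
                reasons.append("request input reaches exec sink")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample, not real appliance files: one benign CGI script
    backdated before the baseline, and one planted shell written now.
    Returns the baseline epoch used for the comparison (assumed: 7 days ago)."""
    baseline = time.time() - 7 * 86400
    cgi_dir = os.path.join(root, "cgi-bin")
    os.makedirs(cgi_dir, exist_ok=True)

    benign = os.path.join(cgi_dir, "healthcheck.cgi")
    with open(benign, "w") as fh:
        fh.write("#!/usr/bin/perl\nuse CGI;\nmy $q = CGI->new;\n"
                 "print $q->header, 'ok ', $q->param('probe');\n")
    old = baseline - 30 * 86400
    os.utime(benign, (old, old))  # legitimate file, untouched for a month

    shell = os.path.join(cgi_dir, "backup.cgi")
    with open(shell, "w") as fh:
        # Reads a command from a request header and runs it: a minimal shell.
        fh.write("#!/usr/bin/perl\nmy $c = $ENV{'HTTP_X_CMD'};\n"
                 "print \"Content-Type: text/plain\\n\\n\", `$c 2>&1`;\n")
    return baseline


def run_demo():
    """Build the sample tree in a temp dir, scan it, return {path: reasons}."""
    root = tempfile.mkdtemp()
    baseline = build_sample_tree(root)
    return dict(scan_tree(root, baseline))


if __name__ == "__main__":
    for rel, why in run_demo().items():
        print(rel, "->", "; ".join(why))
```

Note that the benign script reads request input too (`$q->param`) but has no execution sink, so it is not flagged; requiring both a source and a sink is what keeps this from paging on every CGI handler on the box. The mtime check is a separate, weaker signal: attackers can reset timestamps, so treat its absence as no evidence at all.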