Zero-Day Flaw In VPN Product Widely Exploited
Published:

Ivanti develops a VPN product for remote access that is widely used by organizations around the world, including large corporations and government agencies. On January 10, 2024, the American IT software company Ivanti revealed two vulnerabilities in its VPN products, Ivanti Connect Secure and Ivanti Policy Secure. Both were zero-day vulnerabilities that had allegedly been exploited by Chinese state-sponsored hackers prior to the announcement. In this week’s Cyber Security Insights we will explore what happened and the consequences of the impact.
Immediately after Ivanti’s announcement, proof of concept code for the exploit was made public, resulting in an increase of attacks from various threat actors. Since then, new vulnerabilities have been identified, including two zero-day vulnerabilities on January 31 and February 8. Ivanti initially recommended mitigations for unpatched devices as patches were not available at the time of the initial vulnerability announcement. Patches have since been released.
About the Company Ivanti
Headquartered in the United States, Ivanti provides IT asset management, IT security management, IT service management, and endpoint management to its users on a single platform. In December 2020, Ivanti acquired Pulse Secure LLC and currently has more than 40,000 customers worldwide.
28 474 Exposed Instances Affected
The following two products are affected.
• Ivanti Connect Secure (formerly Pulse Connect Secure): an SSL-VPN solution used by many companies worldwide.
• Ivanti Policy Secure (formerly Pulse Policy Secure): a network access control (NAC) solution which provides network access only to authorized secure users and devices.

Figure 1. Example hardware where Ivanti Connect Secure software is installed. (Ivanti Secure Appliance [ISA] 6000)
Versions 22 and 9 of the products are affected by the vulnerability. De-supported versions have not been evaluated and migration to a supported version is recommended.
Palo Alto Networks reported that between January 26th and 30th, 28,474 exposed instances of Connect Secure and Policy Secure were found in 145 countries.
Vulnerability Discovery
In mid-December 2023, security firm Volexity detected suspicious lateral movement on the network of one of its customers. Upon further analysis it was discovered that an attacker was placing web shells on multiple internal and external-facing webservers – allowing them to be remotely accessed. A subsequent investigation found suspicious activity traced back to the organization’s Ivanti Connect Secure VPN appliance as far back as December 3rd, working closely with Ivanti they determined that the attackers exploited a combination of CVE-2024-21887 and CVE-2023-46805 vulnerabilities.
About the Attackers
The attack discovered by Volexity is believed to be a China based espionage-motivated APT campaign tracked by the company as UTA0178 (Mandiant as UNC 5221).
Zero-Day Vulnerability expanded
The number of breaches increased after the Ivanti vulnerability was announced, and when the PoC was released by a third party, various attacks began, including information theft and malware downloads. The victims were spread across the globe, including government agencies and the military, as well as private companies of various sizes. In addition, Ivanti’s patch for the fix was issued later than planned, which added to the damage. On the 15th of January 2024, Volexity disclosed evidence of mass exploitation and the suspected compromise of at least 1,700 devices. A variant of the web shell was also subsequently identified, in an attempt to avoid detection mechanisms.

Figure 2. Distribution of compromised Ivanti Connect Secure
Additional Vulnerability Announcements
After Ivanti became aware of the vulnerabilities, it began further investigations into its products. In addition to the above vulnerabilities, Ivanti discovered an authentication bypass vulnerability, CVE-2024-21893, and an elevation of privilege vulnerability, CVE-2024-21888, which it disclosed on January 31st. CVE-2024-21893 is also a zero-day vulnerability that has been exploited to deploy new backdoors. On February 8th, CVE-2024-22024 was also announced which can be exploited to access certain restricted resources without authentication. PoC exploits were made public shortly after the vulnerability was announced, with security researchers suggesting that it may already be used to steal account information on servers.

Figure 3. Number of attacks targeting Ivanti (detected by SHADOWSERVER [as of February 13])
Alert by public authorities
The US government agency, CISA, has added three of Ivanti’s vulnerabilities to its list of known and exploited vulnerabilities. It also issued an emergency directive, ED24–01, to federal agencies to implement workarounds for Ivanti’s VPN products due to risk of exploitation. Shortly after the announcement of additional vulnerabilities, the agency also requested more drastic measures, such as disconnecting all instances of Ivanti Connect Secure and Policy Secure from agency networks. Japan’s JPCERT/CC also issued an alert shortly after Ivanti’s announcement, and updates were made as the situation evolved.
Summary
Ivanti develops a VPN product for remote access that is widely used by organizations around the world, including large corporations and government agencies. Recent critical vulnerabilities in VPN products are often announced as zero-days used by APTs. Immediately after the announcement, the attack techniques were shared, affecting unresponsive organizations and users. To ensure that organizations are protected from zero-day attacks, in some cases, emergency mitigation is required to disconnect products from the network, as recommended by CISA. Generally, zero days are difficult to detect however organizations should always have a robust incident response plan and can leverage a variety of techniques and practices for discovering such threats ranging from vulnerability scanning, regular patching, leveraging threat intelligence and monitoring for network and user anomalies.
About our Cyber Security Insights
This blog post is part of our The Cyber Security Insights, that are released several times every month, providing invaluable insights into the evolving threat landscape. Crafted by NTT Security Japan Inc. Consulting Services
Department’s OSINT Monitoring Team and NTT Security Sweden’s Incident Response Team, our content includes expert analysis on recent breaches, vulnerabilities, and cyber events. Stay ahead of the curve with our timely updates and actionable intelligence, ensuring your digital assets remain secure in an ever-changing environment.
Read more Cyber Security Insights here.
Sources:
- Ivanti “CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways”
- VOLEXITY “Ivanti Connect Secure VPN Exploitation: New Observations”
- Ivanti “CVE-2024-21888 Privilege Escalation for Ivanti Connect Secure and Ivanti Policy Secure”
- Ivanti “CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure”
- Palo Alto Networks “Threat Information: Ivanti Connect Secure, Ivanti Policy Secure Vulnerability (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893)”
- VOLEXITY “Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN”
- MANDIANT “Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation”
- VOLEXITY “Ivanti Connect Secure VPN Exploitation Goes Global”
- VOLEXITY “Ivanti Connect Secure VPN Exploitation: New Observations”
- QUOINTELLIGENCE “UNC5221: Unreported and Undetected WIREFIRE Web Shell Variant”
- Censys “The Mass Exploitation of Ivanti Connect Secure”
- BleepingComputer “Hackers exploit Ivanti SSRF fly to deploy new DSLog backdoor”
- SecurityWeek “Exploitation of Another Ivanti VPN Vulnerability Observed”
- CISA “Supplemental Direction V1: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities”
Want to know more about how we can help you with your cybersecurity?
Book a meeting with NTT Security experts to learn more about our advisory services and penetration testing. We help you protect sensitive data while ensuring privacy and convenience.