US software company Ivanti has acknowledged that hackers are exploiting 2 critical vulnerabilities in its popular VPN product that’s widely used by governments and corporations.
The 2 vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, were discovered in its Ivanti Connect Secure software and Ivanti Policy Secure Gateways. Ivanti Connect Secure, formerly known as Pulse Connect Secure, is a VPN solution that allows users to remotely access corporate resources via the internet.
The company has provided mitigation steps for now and indicated that patches for these issues will be available later this month. More specifically, Ivanti said the patches will start being released the week of Jan. 22, running through mid-February.
“Upon learning of the vulnerability, we immediately mobilized resources and mitigation is available now. We are providing mitigation now while the patch is in development to prioritize the best interest of our customers,” Ivanti’s security advisory reads.
“Out of an abundance of caution, we are recommending that all customers run the external ICT. We have added new functionality to the external ICT that will be incorporated into the internal ICT in the future. We regularly provide updates to the external and internal ICT, so customers should always ensure they are running the latest version of each,” Ivanti said.
Researchers from security firm Volexity explained that “when combined, these two vulnerabilities make it trivial for attackers to run commands on the system.” This allowed hackers to “steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.”
According to Volexity, the attack is likely linked to the China-backed hacking group it tracks as UTA0178.
Ivanti said that as of now, it’s only aware of “less than 10 customers” that are impacted by the “zero day” vulnerabilities.
Still, security researcher Kevin Beaumont said there will “likely be many more victims.” He shared scan results indicating that approximately 15,000 Ivanti appliances, potentially affected by the vulnerabilities, are exposed to the internet.