Critical Security Flaws Leave Over 13,000 Ivanti Gateways at Risk

February 15, 2024

Thousands of Ivanti Connect Secure and Policy Secure gateways remain exposed to a set of security vulnerabilities that were first disclosed over a month ago. The flaws, tracked as CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888, range from high to critical severity and cover authentication bypass, server-side request forgery (SSRF), XML external entity (XXE) injection, and command injection leading to arbitrary command execution.

Some of these vulnerabilities were reportedly exploited first by nation-state actors and then, on a larger scale, by a broad range of threat actors. CVE-2024-22024, for example, is an XXE flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and ZTA gateways that lets an attacker reach certain restricted resources without authentication. Although there is no confirmed in-the-wild exploitation of it yet, Ivanti has urged customers to apply the available security updates immediately, or the published mitigations where a patch is not yet available.
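To show what the XXE class of flaw looks like in a SAML consumer, the following added example (not Ivanti's code, and not a reproduction of CVE-2024-22024) parses a constructed SAML assertion two ways. The naive version expands DTD-declared entities, so an attacker who controls the assertion can alter the subject that the application sees; the hardened version rejects any document carrying a DOCTYPE before parsing, which is the standard defence because SAML messages have no legitimate use for a DTD. The sample assertions and the `example.com` identities are constructed for this illustration.

```python
"""Added example: naive vs. DTD-rejecting parsing of a SAML assertion.

Constructed inputs only; this does not reproduce any Ivanti bug.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# A benign assertion, as a SAML IdP might issue it (constructed sample).
CLEAN_ASSERTION = b"""<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Same assertion, but the NameID is an entity reference defined in an inline
# DTD. A parser that honours the DTD sees a different subject than the one
# that appears in the visible document body (constructed sample).
INTERNAL_ENTITY_ASSERTION = b"""<?xml version="1.0"?>
<!DOCTYPE saml:Assertion [ <!ENTITY who "admin@example.com"> ]>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0">
  <saml:Subject><saml:NameID>&who;</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Classic XXE shape: the entity points at an external resource. Parsers that
# resolve external entities would read the file (or make a request) and
# place the contents in the document (constructed sample).
EXTERNAL_ENTITY_ASSERTION = b"""<?xml version="1.0"?>
<!DOCTYPE saml:Assertion [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a3" Version="2.0">
  <saml:Subject><saml:NameID>&xxe;</saml:NameID></saml:Subject>
</saml:Assertion>"""


class DtdNotAllowed(ValueError):
    """Raised when a SAML document carries a DOCTYPE declaration."""


def naive_name_id(doc: bytes) -> str:
    """Vulnerable pattern: trust whatever the XML parser produces.

    The stdlib parser expands internal DTD entities, so the returned subject
    may never have appeared literally in the document.
    """
    root = ET.fromstring(doc)
    return root.find(".//saml:NameID", SAML_NS).text


def _reject_doctype(doc: bytes) -> None:
    """First pass over the bytes with expat; abort on any DOCTYPE."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE '{name}' not permitted in SAML input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(doc, True)


def hardened_name_id(doc: bytes) -> str:
    """Hardened pattern: refuse DTDs, then parse."""
    _reject_doctype(doc)
    root = ET.fromstring(doc)
    return root.find(".//saml:NameID", SAML_NS).text


def accepts(doc: bytes) -> bool:
    """True if the hardened path parses the document, False if it rejects it."""
    try:
        hardened_name_id(doc)
        return True
    except DtdNotAllowed:
        return False


if __name__ == "__main__":
    print("naive, clean:   ", naive_name_id(CLEAN_ASSERTION))
    print("naive, entity:  ", naive_name_id(INTERNAL_ENTITY_ASSERTION))
    print("hardened, clean:", hardened_name_id(CLEAN_ASSERTION))
    for payload in (INTERNAL_ENTITY_ASSERTION, EXTERNAL_ENTITY_ASSERTION):
        print("hardened rejects DTD payload:", not accepts(payload))
```

The same rule applies whatever parser the product uses: with lxml the equivalent is `XMLParser(resolve_entities=False, no_network=True)` plus a DOCTYPE check, and in Java the `disallow-doctype-decl` feature. Rejecting the DTD up front also removes entity-expansion denial of service, not just external entity reads.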

According to the threat monitoring service Shadowserver, internet scans show more than 3,900 Ivanti endpoints vulnerable to CVE-2024-22024, most of them in the United States. Roughly 1,000 endpoints are still vulnerable to CVE-2024-21887, a command injection flaw that lets an authenticated administrator execute arbitrary commands on the appliance by sending specially crafted requests. This flaw, chained with the CVE-2023-46805 authentication bypass that removes the need for credentials, was reportedly exploited by Chinese threat actors.

Security researcher Yutaka Sejiyama shared Shodan scan results showing that, as of February 15, 2024, 13,636 Ivanti servers had yet to apply patches for these vulnerabilities. Although security updates have been available for over a month, that is more than half of the 24,239 internet-exposed Ivanti servers his scan found. For CVE-2024-22024 alone, only 21.1% of servers have been patched, leaving 19,132 exposed to the unauthenticated access flaw.

The disclosure of several flaws in Ivanti products within a few weeks has left administrators little time to plan and apply patches. That complicates remediation, increases the likelihood that Ivanti systems stay vulnerable for extended periods, and hands threat actors a long list of potential targets.
