Five Eyes Intelligence Alliance Issues Warning on Ivanti Gateway Vulnerabilities

March 1, 2024

The Five Eyes intelligence alliance, a coalition of intelligence agencies from five countries, has issued a joint cybersecurity advisory. The advisory warns of threat actors exploiting known vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways.

The advisory provides details about the exploitation in the wild of Connect Secure and Policy Secure vulnerabilities CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. Various threat actors are reportedly chaining these vulnerabilities to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.

The advisory from the Cybersecurity and Infrastructure Security Agency (CISA) also warns that the Ivanti Integrity Checker Tool may not be sufficient to detect a compromise. Government experts have reported that the exploitation of these flaws can permit threat actors to maintain root-level persistence. The advisory states, “The advisory describes cyber threat actor exploitation of multiple previously identified Connect Secure and Policy Secure vulnerabilities—namely CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893—which threat actors can exploit in a chain to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.”

The advisory also includes mitigations and indicators of compromise (IOCs). It further describes two high-severity vulnerabilities that the software firm has addressed.

The advisory encourages network defenders to assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised. It also advises them to hunt for malicious activity on their networks using the detection methods and IOCs within the advisory, to run Ivanti’s most recent external ICT, and to apply available patching guidance provided by Ivanti as version updates become available.

In response to the joint advisory and its findings, Ivanti has published an update stating that technical findings observed in CISA’s lab have not been observed in real-world scenarios or considered viable in live customer environments. CISA and other government agencies suggest that defenders utilize Ivanti’s recently released external Integrity Checker Tool (ICT), made available on 27th February.

Ivanti and Mandiant released findings regarding evolving threat actor tactics, techniques and procedures (TTPs). These findings were identified in the ongoing analysis of the previously disclosed vulnerabilities affecting Ivanti Connect Secure, Policy Secure and ZTA gateways, and include potential persistence techniques that are being monitored, even though they have not been deployed successfully in the wild.
