Ivanti has alerted its users to two new high-severity vulnerabilities in its Connect Secure and Policy Secure products, tracked as CVE-2024-21888 and CVE-2024-21893, with CVSS scores of 8.8 and 8.2 respectively. The company also warned that one of these vulnerabilities is currently being exploited.
CVE-2024-21888 is a privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Policy Secure (9.x, 22.x). An attacker could exploit it to obtain admin privileges. The other vulnerability, CVE-2024-21893, is a server-side request forgery (SSRF) vulnerability in the SAML component of Connect Secure (9.x, 22.x), Policy Secure (9.x, 22.x), and Neurons for ZTA. An authenticated attacker could exploit this vulnerability to gain access to certain restricted resources.
The company warned that the situation is fluid and that threat actors could quickly adapt their tactics, techniques, and procedures to exploit these vulnerabilities. “At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure,” the advisory stated. “Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available.”
To address CVE-2024-21888 and CVE-2024-21893, Ivanti recommends importing the “mitigation.release.20240126.5.xml” file via the download portal as a temporary workaround.
In early January 2024, Ivanti reported that threat actors were exploiting two other zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways. Recently, researchers from the cybersecurity firm Synacktiv published a technical analysis of a Rust malware, named KrustyLoader, that was delivered by threat actors exploiting those vulnerabilities.