Ivanti has sounded the alarm over a new authentication bypass vulnerability that affects its Connect Secure (ICS), Policy Secure (IPS), and ZTA gateways, and is urging administrators to take immediate action to secure their appliances. The flaw, tracked as CVE-2024-22024, is an XXE (XML eXternal Entity) vulnerability in the SAML component of the gateways. Because the SAML endpoint processes attacker-supplied XML, a remote attacker can reach it without authentication or user interaction and gain access to restricted resources on unpatched appliances.
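The general hazard behind an XXE bug in a SAML consumer is that the service parses XML it received from the network, and a parser that honours DOCTYPE declarations will expand whatever entities the sender defined, including external (SYSTEM) ones that point at local files or internal URLs. The following Python example is added here for illustration; it is not Ivanti's code, does not reproduce the internals of CVE-2024-22024 (which the advisory does not describe), and uses constructed sample SAML messages. It contrasts a naive parse, which expands a sender-defined entity into the asserted NameID, with a hardened parse that refuses any document carrying a DOCTYPE or entity declaration before the SAML content is looked at, which is the posture the SAML specifications call for since DTDs have no place in a SAML message.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a real capture): the NameID is built from an
# internal entity the sender declared in the DOCTYPE.
SAML_INTERNAL_ENTITY = """<?xml version="1.0"?>
<!DOCTYPE Response [
  <!ENTITY who "admin">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>&who;</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed sample: the classic XXE shape, an external SYSTEM entity.
# A parser that resolves it would read the named file into the assertion.
SAML_EXTERNAL_ENTITY = """<?xml version="1.0"?>
<!DOCTYPE Response [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>&xxe;</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed sample: a well-formed message with no DOCTYPE at all.
SAML_CLEAN = """<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""


class DtdNotAllowed(ValueError):
    """Raised when a SAML message carries a DOCTYPE or entity declaration."""


def naive_name_id(xml_text):
    """Parse the way many handlers do: entities declared by the sender are
    expanded silently, so the NameID the application trusts is attacker-chosen."""
    root = ET.fromstring(xml_text)
    return root.findtext(".//saml:NameID", namespaces=NS)


def reject_dtd(xml_text):
    """Pre-parse scan with expat that aborts the moment a DOCTYPE, an entity
    declaration or an external entity reference is seen. Nothing is resolved."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed("DOCTYPE declaration is not permitted in SAML")

    def on_entity_decl(*args):
        raise DtdNotAllowed("entity declaration is not permitted in SAML")

    def on_external_ref(*args):
        raise DtdNotAllowed("external entity reference is not permitted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_text, True)


def hardened_name_id(xml_text):
    """Refuse any message with a DTD, then parse the remaining plain XML."""
    reject_dtd(xml_text)
    root = ET.fromstring(xml_text)
    return root.findtext(".//saml:NameID", namespaces=NS)


if __name__ == "__main__":
    print("naive parse of entity payload ->", naive_name_id(SAML_INTERNAL_ENTITY))
    for label, doc in (("internal", SAML_INTERNAL_ENTITY), ("external", SAML_EXTERNAL_ENTITY)):
        try:
            hardened_name_id(doc)
        except DtdNotAllowed as exc:
            print(f"hardened parse rejected {label} entity payload: {exc}")
    print("hardened parse of clean message ->", hardened_name_id(SAML_CLEAN))
```

The design point is that the check runs before any SAML logic and fails closed on the declaration itself, rather than trying to decide which entities are safe; signature verification does not help here, because the parser expands entities while reading the document, before any signature over the assertion is checked.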
Ivanti stated, "We have no evidence of any customers being exploited by CVE-2024-22024. However, it is critical that you immediately take action to ensure you are fully protected." The company has released mitigation measures for all supported versions, which effectively block the vulnerable endpoints until further patches are released.
Threat monitoring platform Shadowserver is currently tracking over 20,000 Ivanti Connect Secure (ICS) VPN gateways exposed online, with more than 6,000 located in the United States. Shadowserver also monitors compromised Ivanti Connect Secure VPN instances globally on a daily basis and discovered almost 250 compromised devices on Wednesday, February 7.
Ivanti VPN appliances have previously been targeted in attacks that exploited the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection flaws as zero-days since December 2023. The company has also warned of a third actively exploited zero-day, a server-side request forgery vulnerability now tracked as CVE-2024-21893, that is currently under mass exploitation by multiple threat actors. The SSRF allows attackers to bypass authentication on unpatched ICS, IPS, and ZTA gateways.
Ivanti released security patches for product versions affected by the three flaws on January 31. It also provided mitigation instructions for devices that cannot be immediately secured against ongoing attacks or are running software versions that are still awaiting a patch. Ivanti has advised customers to factory reset all vulnerable appliances before applying patches, so that an attacker who already has a foothold on the device cannot carry persistence across the software upgrade.
In response to extensive targeting by multiple threat actors, CISA ordered U.S. federal agencies on February 1 to disconnect all vulnerable Ivanti VPN appliances on their networks within 48 hours.