Hackers have begun mass exploiting a third vulnerability affecting Ivanti’s widely used enterprise VPN appliance, new public data shows.
Last week, Ivanti said it had discovered two new security flaws — tracked as CVE-2024-21888 and CVE-2024-21893 — affecting Connect Secure, its remote access VPN solution used by thousands of corporations and large organizations worldwide. According to its website, Ivanti has more than 40,000 customers, including universities, healthcare organizations, and banks, whose technology allows their employees to log in from outside the office.
The disclosure came not long after Ivanti confirmed two earlier bugs in Connect Secure, tracked as CVE-2023-46805 and CVE-2024-21887, which security researchers said China-backed hackers had been exploiting since December to break into customer networks and steal information.
Now data shows that one of the newly discovered flaws — CVE-2024-21893, a server-side request forgery flaw — is being mass exploited.
Although Ivanti has since patched the vulnerabilities, security researchers expect more impact on organizations to come as more hacking groups are exploiting the flaw. Steven Adair, founder of cybersecurity company Volexity, a security company that has been tracking exploitation of the Ivanti vulnerabilities, warned that now that proof-of-concept exploit code is public, “any unpatched devices accessible over the Internet have likely been compromised several times over.”
Piotr Kijewski, chief executive of Shadowserver Foundation, a nonprofit organization that scans and monitors the internet for exploitation, told TechCrunch on Thursday that the organization has observed more than 630 unique IPs attempting to exploit the server-side flaw, which allows attackers to gain access to data on vulnerable devices.
That’s a sharp increase compared to last week when Shadowserver said it had observed 170 unique IPs attempting to exploit the vulnerability.
An analysis of the new server-side flaw shows the bug can be exploited to bypass Ivanti’s original mitigation for the initial exploit chain involving the first two vulnerabilities, effectively rendering those pre-patch mitigations moot.
Kijewski added that Shadowserver is currently observing around 20,800 Ivanti Connect Secure devices exposed to the internet, down from 22,500 last week, though he noted that it isn’t known how many of these Ivanti devices are vulnerable to exploitation.
It’s not clear who is behind the mass exploitation, but security researchers attributed the exploitation of the first two Connect Secure bugs to a China government–backed hacking group likely motivated by espionage.
Ivanti previously said it was aware of “targeted” exploitation of the server-side bug aimed at a “limited number of customers.” Despite repeated requests by TechCrunch this week, Ivanti would not comment on reports that the flaw is undergoing mass exploitation, but it did not dispute Shadowserver’s findings.
Ivanti began releasing patches to customers for all of the vulnerabilities alongside a second set of mitigations earlier this month. However, Ivanti notes in its security advisory — last updated on February 2 — that it is “releasing patches for the highest number of installs first and then continuing in declining order.”
It’s not known when Ivanti will make the patches available to all of its potentially vulnerable customers.
Reports of another Ivanti flaw being mass-exploited come days after the U.S. cybersecurity agency CISA ordered federal agencies to urgently disconnect all Ivanti VPN appliances. The agency’s warning saw CISA give agencies just two days to disconnect appliances, citing the “serious threat” posed by the vulnerabilities under active attack.
