In a concerning development, hackers have begun mass exploiting a third vulnerability in Ivanti’s widely used enterprise VPN appliance. Ivanti, a provider of remote access VPN solutions with over 40,000 customers worldwide, confirmed the discovery of two security flaws, CVE-2024-21888 and CVE-2024-21893, last week.
These vulnerabilities, affecting the Connect Secure VPN solution, were disclosed after Ivanti acknowledged two earlier bugs that China-backed hackers had been exploiting since December.
The newly identified flaw, CVE-2024-21893, a server-side request forgery (SSRF) vulnerability, is now being actively exploited on a larger scale. Although Ivanti has issued patches for these vulnerabilities, security researchers anticipate a broader impact as more hacking groups leverage the flaw. Steven Adair, founder of cybersecurity company Volexity, warned that with proof-of-concept exploit code publicly available, any unpatched devices accessible over the internet are likely compromised.
Data reveals a significant increase in exploitation attempts, with over 630 unique IPs observed by the Shadowserver Foundation attempting to exploit the server-side flaw. Piotr Kijewski, CEO of the Shadowserver Foundation, noted the rise from 170 unique IPs last week. The server-side flaw allows attackers to gain access to data on vulnerable devices and can bypass Ivanti’s original mitigation for the initial exploit chain involving the first two vulnerabilities.
While Ivanti has acknowledged targeted exploitation of the server-side bug aimed at a limited number of customers, it has not provided specific details on the mass exploitation. Reports suggest that around 20,800 Ivanti Connect Secure devices are currently exposed to the internet. This number is down from 22,500 last week, though the vulnerability status of these devices is unknown.
It remains unclear who is behind the mass exploitation, but security researchers previously attributed the exploitation of the initial vulnerabilities to a China government–backed hacking group likely engaged in espionage.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a directive ordering federal agencies to urgently disconnect all Ivanti VPN appliances, citing the serious threat posed by the vulnerabilities actively under attack. Ivanti continues to release patches to customers, prioritizing the highest number of installs first.
The security advisory, last updated on February 2, does not specify when patches will be available for all potentially vulnerable customers, raising concerns about the ongoing risk of exploitation.