CISA Issues Emergency Directive Requiring Federal Agencies to Mitigate Ivanti Connect Secure and Policy Secure Vulnerabilities
WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 24-01 in response to observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure appliances by malicious cyber threat actors. This Emergency Directive directs all federal civilian agencies to immediately take specific actions and implement vendor mitigation guidance to these Ivanti appliances. While only binding on Federal Civilian Executive Branch agencies, CISA urges all organizations using these products to urgently implement the mitigations outlined in this Directive.
Last week, Ivanti released information regarding two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, that allow an attacker to move laterally across a target network, perform data exfiltration, and establish persistent system access. CISA has determined an Emergency Directive is necessary based on the widespread exploitation of these vulnerabilities by multiple threat actors, prevalence of the affected products in the federal enterprise, high potential for compromise of agency information systems, and potential impact of a successful compromise.
“The vulnerabilities in these products pose significant, unacceptable risks to the security of the federal civilian enterprise. As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, we must take urgent action to reduce risks to the federal systems upon which Americans depend,” said CISA Director Jen Easterly. “Even as federal agencies take urgent action in response to this Directive, we know that these risks extend to every organization and sector using these products. We strongly urge all organizations to adopt the actions outlined in this Directive.”
As federal civilian agencies implement this mandate, CISA will assess and support agency adherence and provide additional resources as required. CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.
For more information CISA Directives, visit Cybersecurity Directives.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.