Press Release

CISA, U.S. and International Partners Warn of Ongoing Exploitation of Multiple Ivanti Vulnerabilities

Released

February 29, 2024

Related topics:

Cybersecurity Best Practices

Advisory provides guidance for detecting exploitation activity, recommended actions and mitigations, and novel post-exploitation findings

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC), United Kingdom’s National Cyber Security Centre (NCSC), Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment, and New Zealand’s National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT-NZ) released a Cybersecurity Advisory (CSA) today in response to the active exploitation of multiple vulnerabilities within Ivanti Connect Secure and Ivanti Policy Secure gateways.

The authoring organizations and industry partners have observed persistent targeting of these vulnerabilities by a variety of cyber threat actors. These vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) can be used in a chain of exploits to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. In turn, exploitation of these vulnerabilities may allow lateral movement, data exfiltration, web shell deployment, credential theft including domain administrators, and persistent access on a target network.

This joint advisory provides technical details on observed tactics used by these threat actors and indicators of compromise to help organizations detect malicious activity. All organizations using these devices should assume a sophisticated threat actor could achieve persistence and may lay dormant for a period of time before conducting malicious activity. Organizations are urged to exercise due caution in making appropriate risk decisions when considering a virtual private network (VPN), to include whether to continue operating these Ivanti devices.

“Since initial disclosure of these vulnerabilities, CISA and our partners have urgently worked to provide actionable guidance and assist impacted victims. This includes an emergency directive to remove and rebuild vulnerable Ivanti devices to reduce risk to federal systems upon which Americans depend,” said CISA Executive Assistant Director Eric Goldstein. “Today’s joint advisory provides further details based upon industry partnerships, incident response findings and evaluations of the relevant products. Every organization using these products are strongly encouraged to adopt the actions outlined in this advisory.”

“The FBI and our partners are releasing this Cybersecurity Advisory so that organizations are able to protect themselves from malicious actors exploiting their networks,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “Private and public sector entities should follow the guidance included in this advisory to ensure these critical vulnerabilities are mitigated.”

“The continued targeting of widely used security applications and appliances speaks to the determination of cyber threat actors, with government entities and private organizations alike caught in the crosshairs. Implementing effective controls in areas like asset and vulnerability management, multi-factor authentication, and incident response planning are essential to operational resilience amid today's fast-moving threat landscape,” said Randy Rose, VP, Security Operations & Intelligence, Center for Internet Security, Inc.

“We strongly urge all organisations to patch and take other recommended actions to address this vulnerability. We know it is subject to exploitation by malicious actors who use it to bypass authentication mechanisms and access restricted data on affected devices,” said the acting Head of the Australian Cyber Security Centre, Phil Winzenberg. “If your organisation is using these products, it’s crucial that the guidance in this advisory is implemented immediately, in particular I urge critical infrastructure operators to be alert to new risks.”

“We encourage organisations who have not already to take immediate action to mitigate vulnerabilities impacting affected Ivanti devices by following the recommended steps. This is particularly important for those organisations working across critical infrastructure, as we are aware of the active exploitation of some of these vulnerabilities,” said UK NCSC Chief Technology Officer Ollie Whitehouse. “The NCSC and our international partners also urge software manufacturers to embed secure by design principles into their practices to promote a positive security culture and help improve our collective resilience.”

“Today we join our partners across the Five Eyes to urge organizations in Canada and internationally to follow the advice included in today’s joint advisory as quickly as possible. These vulnerabilities can significantly impact organizations’ networks, emphasizing the need for organizations to implement resilient defence-in-depth mitigations and for manufacturers to prioritize secure by design engineering practices,” said Rajiv Gupta, Associate Head, Canadian Centre for Cyber Security.

“This advisory clearly shows that malicious actors are continuing to seek out, and actively exploit, vulnerabilities in commonly used technology and software”, said Rob Pope, Director CERT NZ, a part of New Zealand’s National Cyber Security Centre. “Businesses need to stay alert to these vulnerabilities and immediately follow all steps to mitigate or prevent attacks from happening. We strongly recommend that anyone working in the IT sector sign up for updates from their country’s cyber security agencies to stay ahead of the bad guys.”

To assist organizations with understanding the impacts of this threat, the joint advisory provides key findings from a variety of tests conducted by CISA from an attacker’s perspective.

With our partners, CISA recommends that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices. By aligning to these principles, we will reduce the prevalence and impact of avoidable vulnerabilities and insecure configurations that jeopardize the safety of organizations around the world.

All organizations are urged to review the advisory and implement recommended actions and mitigations.

About CISA

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram

CISA, U.S. and International Partners Warn of Ongoing Exploitation of Multiple Ivanti Vulnerabilities

CISA and Fauquier County Hold K-12 Active Shooter Exercise

CISA Releases Guide to Enhance Election Security Through Public Communications

CISA, JCDC, Government and Industry Partners Conduct AI Tabletop Exercise

CISA Hosts First Annual Information and Communications Technology Supply Chain Risk Management Task Force Conference

CISA, U.S. and International Partners Warn of Ongoing Exploitation of Multiple Ivanti Vulnerabilities

Related Articles

CISA and Fauquier County Hold K-12 Active Shooter Exercise

CISA Releases Guide to Enhance Election Security Through Public Communications

CISA, JCDC, Government and Industry Partners Conduct AI Tabletop Exercise

CISA Hosts First Annual Information and Communications Technology Supply Chain Risk Management Task Force Conference