Ivanti publishes urgent warning about new vulnerability

The software company Ivanti has identified yet another new vulnerability in one of its products requiring an immediate patch from users.

In an advisory on Thursday afternoon, the company spotlighted CVE-2024-22024 — a vulnerability affecting Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways.

The vulnerability carries a severity score of 8.3 and “allows an attacker to access certain restricted resources without authentication.”

“We have no evidence of any customers being exploited by CVE-2024-22024. However, it is critical that you immediately take action to ensure you are fully protected,” the company said.

They noted that the vulnerability was found during the “internal review and testing” of their code — leading them to believe that it is not being exploited in the wild.

The issue is yet another chapter in Ivanti’s weeks-long scramble to address vulnerabilities that have been exploited by hackers.

The Cybersecurity and Infrastructure Security Agency (CISA), Ivanti and several security companies, including Mandiant and Volexity, raised alarms about two vulnerabilities in early January that were allegedly being exploited by Chinese state-backed espionage hackers. News of the bugs prompted cybercriminals and others to attempt to exploit them.

CISA officials previously told reporters that there are “around 15 agencies that were using these products” but declined to confirm if any dealt with compromises. The agencies using the tools cover “a wide spectrum… across the breadth of the federal mission,” an official said.

Last week, another two vulnerabilities were discovered affecting the same products, with one of them confirmed to have been used in attacks on Ivanti customers — which include hundreds of government agencies around the world. Researchers at Shadowserver said they have seen exploitation attempts begin on one of the vulnerabilities released last week.

The two new vulnerabilities prompted CISA to order all federal civilian agencies in the U.S. to disconnect Ivanti Connect Secure and Policy Secure products by February 2.

Cybersecurity research firm Censys said that as of January 22, more than 26,000 unique Connect Secure hosts were exposed on the public internet.

Ivanti has released mitigations for the issues but has faced backlash from customers about their decision to stagger the release of patches based on the most popular versions in circulation.

Ivanti released patches for the first two vulnerabilities on Wednesday but noted that patches for other supported versions will still be released on a staggered schedule.

In the advisory on Thursday, Ivanti said the mitigations outlined on January 31 are “effective at blocking this vulnerable endpoint.”

“Customers who applied the patch released on January 31 or 1 February, and completed a factory reset of their appliance, do not need to factory reset their appliances again,” they said of CVE-2024-22024.

Ivanti had a similar fiasco last summer, which led to the infiltration of multiple government agencies in Norway.

Cybersecurity expert Kevin Beaumont, who has been tracking the vulnerabilities and their exploitation, said on the social media site Mastodon that Ivanti’s VPN product is built on old versions of a discontinued tool with “components from a decade ago.”

“Security wise it is held together by string,” Beaumont said. “Governments should not be using it and need to move to another product.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.