Ivanti vulnerabilities are being exploited widely, CISA says in emergency directive

Editor's note: Story updated 4:15 p.m. Eastern, January 19, with comments from CISA official.

Civilian agencies across the U.S. government are being ordered to immediately patch two vulnerabilities affecting a popular tool from IT company Ivanti after the nation’s top cybersecurity watchdog warned of widespread exploitation.

The Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarm on Friday about CVE-2023-46805 and CVE-2024-21887 — two bugs affecting Ivanti Policy Secure and Ivanti Connect Secure.

The two vulnerabilities allow hackers “to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.”

“CISA has determined these conditions pose an unacceptable risk” to federal civilian agencies “and require emergency action,” the agency said.

CISA cited “widespread exploitation of vulnerabilities by multiple threat actors, the prevalence of the affected products in the federal enterprise, the high potential for a compromise of agency information systems, the impact of a successful compromise, and the complexity of the proposed mitigations.”

The agency noted that it plans to work with agencies on implementing the directive. Administrators must implement mitigations outlined by Ivanti immediately or no later than Monday at 12 p.m. Eastern time.

In a press briefing on Friday afternoon, a senior CISA official said the agency has “observed some initial targeting of federal agencies” and is investigating each situation.

The official explained that there are “around 15 agencies that were using these products” but declined to confirm if any dealt with compromises. The agencies using the tools cover “a wide spectrum … across the breadth of the federal mission,” the official said.

So far, CISA has seen hackers use the vulnerability to deploy web shells — snippets of code that allow an attacker to maintain access to a device.

CISA would not officially attribute the campaign to hackers connected to the Chinese government, but the official said the agency was aware of cybersecurity industry reports about a potential connection.

The official noted that these same Ivanti devices were targeted by Chinese government hackers more than two years ago, and that campaign prompted an effort last year to remove or remediate edge devices exposed to the internet.

The official reiterated that agencies have been urged to run their own checks to see if there are indications of compromise.

CISA Director Jen Easterly said that organizations outside the federal government should take heed of the warning, too. The risks “extend to every organization and sector using these products,” she said. “We strongly urge all organizations to adopt the actions outlined in this Directive.”

The emergency directive comes nine days after Ivanti warned that at least 10 of its customers were dealing with attacks traced back to the two vulnerabilities, which allows a hacker to send commands to a device and "access restricted resources by bypassing control checks.”

Thousands vulnerable

Since the initial advisory was released on January 10, researchers have seen a sharp increase in the number of state-backed and criminal groups now exploiting the vulnerability. Researchers at Volexity discovered the vulnerability after responding to an incident in December.

Experts at research firm Greynoise saw hackers deploying cryptominers by leveraging the bugs.

Overall, more than 1,700 devices have been exploited worldwide since the IT giant notified the public about the issue, researchers at Volexity said on Monday.

Researchers at Shadowserver shared scans showing 6,809 Ivanti instances vulnerable to CVE-2023-46805. The U.S. led the way with more than 1,500 vulnerable devices while China, France and Germany also had hundreds of exposed instances. For CVE-2024-21887, other researchers found nearly 9,000 vulnerable devices around the world.

Ivanti has released a list of ways customers can mitigate the vulnerabilities while they work on a patch for both issues. Patches will be released on a staggered schedule based on the version of the tool a customer has, with the first coming out in the week of January 22. The last version will come out the week of February 19.

Ivanti explained that it is releasing the patches on a staggered timeline based on the versions with the highest number of installs.

Easterly said agencies “must take urgent action to reduce risks to the federal systems upon which Americans depend.”

CISA will provide a template for how agencies should report their compliance with the directive. They also plan to identify potential compromises and notify partners.

By June 1, 2024, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer on the directive’s current status and any outstanding issues.