Security News > 2024 > January > Ivanti Connect Secure zero-days exploited by attackers (CVE-2023-46805, CVE-2024-21887)

Ivanti Connect Secure zero-days exploited by attackers (CVE-2023-46805, CVE-2024-21887)
2024-01-11 11:35

Two zero-day vulnerabilities in Ivanti Connect Secure VPN devices are under active exploitation by unknown attackers, Volexity researchers have discovered.

The two security flaws affect all supported versions of Ivanti Connect Secure - formerly known as Pulse Connect Secure - and Ivanti Policy Secure.

CVE-2023-46805 allows attackers to bypass authentication and CVE-2024-21887 is a command injection vulnerability in the devices' web component that allows authenticated attackers to send specially crafted requests and execute arbitrary commands on the appliance.

A subsequent incident response investigation revealed that the attackers got in via the the organization's internet-facing Ivanti Connect Secure appliance, whose logs had been wiped and on which logging had been disabled.

"When combined, these two vulnerabilities make it trivial for attackers to run commands on the system. In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance," Volexity incident responders shared.

"Volexity observed the attacker modifying legitimate ICS components and making changes to the system to evade the ICS Integrity Checker Tool. Notably, Volexity observed the attacker backdooring a legitimate CGI file on the ICS VPN appliance to allow command execution."


News URL

https://www.helpnetsecurity.com/2024/01/11/cve-2023-46805-cve-2024-21887/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2024-01-12 CVE-2024-21887 Command Injection vulnerability in Ivanti Connect Secure and Policy Secure
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
network
low complexity
ivanti CWE-77
critical
9.1
2024-01-12 CVE-2023-46805 Improper Authentication vulnerability in Ivanti Connect Secure and Policy Secure
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
network
low complexity
ivanti CWE-287
8.2

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Ivanti 27 0 51 157 75 283