Ivanti Connect Secure zero-days exploited by attackers (CVE-2023-46805, CVE-2024-21887)
2024-01-11 11:35

Two zero-day vulnerabilities in Ivanti Connect Secure VPN devices are under active exploitation by unknown attackers, Volexity researchers have discovered.

The two security flaws affect all supported versions of Ivanti Connect Secure - formerly known as Pulse Connect Secure - and Ivanti Policy Secure.

CVE-2023-46805 allows attackers to bypass authentication, and CVE-2024-21887 is a command injection vulnerability in the devices' web component that allows authenticated attackers to send specially crafted requests and execute arbitrary commands on the appliance.

A subsequent incident response investigation revealed that the attackers got in via the organization's internet-facing Ivanti Connect Secure appliance, whose logs had been wiped and on which logging had been disabled.

"When combined, these two vulnerabilities make it trivial for attackers to run commands on the system. In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance," Volexity incident responders shared.

"Volexity observed the attacker modifying legitimate ICS components and making changes to the system to evade the ICS Integrity Checker Tool. Notably, Volexity observed the attacker backdooring a legitimate CGI file on the ICS VPN appliance to allow command execution."


News URL

https://www.helpnetsecurity.com/2024/01/11/cve-2023-46805-cve-2024-21887/

Related Vulnerability

Date: 2024-01-12
CVE: CVE-2024-21887
Title: Command Injection vulnerability in Ivanti Connect Secure and Policy Secure
Description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Attack vector: network
Attack complexity: low
Vendor: ivanti
Weakness: CWE-77
Risk: critical, score 9.1

Date: 2024-01-12
CVE: CVE-2023-46805
Title: Improper Authentication vulnerability in Ivanti Connect Secure and Policy Secure
Description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
Attack vector: network
Attack complexity: low
Vendor: ivanti
Weakness: CWE-287
Risk: score 8.2

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Ivanti 23 9 60 74 51 194