Security News > 2024 > January > Ivanti: VPN appliances vulnerable if pushing configs after mitigation

Ivanti warned admins to stop pushing new device configurations to appliances after applying mitigations because this will leave them vulnerable to ongoing attacks exploiting two zero-day vulnerabilities.

"Customers should stop pushing configurations to appliances with the XML in place, and not resume pushing configurations until the appliance is patched," Ivanti said in a new update published on Saturday.

Ivanti ICS and IPS appliances have been targeted in large-scale attacks chaining the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection bugs since at least December.

While the company has yet to release security patches, it has released mitigation measures that should block attack attempts and recovery instructions designed to help admins restore impacted appliances and bring them back into service.

Shadowserver also monitors how many Ivanti Connect Secure VPN instances are being compromised worldwide daily, with over 700 compromised appliances discovered on January 21 alone.

Threat intelligence company Volexity said that one of the attackers actively exploiting the two zero-days-a suspected Chinese state-backed threat group tracked as UTA0178, also monitored by Mandiant as UNC5221-has already backdoored more than 2,100 Ivanti appliances using a GIFTEDVISITOR webshell variant.

News URL

https://www.bleepingcomputer.com/news/security/ivanti-vpn-appliances-vulnerable-if-pushing-configs-after-mitigation/