Ivanti releases patches for VPN zero-days, discloses two more high-severity vulns
Ivanti has finally released the first round of patches for vulnerability-stricken Connect Secure and Policy Secure gateways, but in doing so has also found two additional zero-days, one of which is under active exploitation.
The news comes days after Ivanti, which releases its patches on a staggered schedule, said the first batch of fixes - due last week - was delayed, and many versions remain without official fixes.
"Upon learning of these vulnerabilities, we immediately mobilized resources and the patch is available now via the standard download portal for Ivanti Connect Secure," said Ivanti in an advisory.
CVE-2024-21888: A privilege escalation vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure allows a user to elevate privileges to that of an administrator.
CVE-2024-21893: A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure and Ivanti Policy Secure and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
"The security of our customers is our top priority. As part of our ongoing investigation, we discovered two additional vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure. We included a fix for these vulnerabilities and previously identified vulnerabilities in the patch released today, and patches planned for release for additional versions will also include a comprehensive fix. And the patches released on January 31 cover the majority of our customers. We have also provided a new mitigation in the best interest of customers while the remaining patch versions are in development."
News URL
https://go.theregister.com/feed/www.theregister.com/2024/01/31/ivanti_patches_zero_days/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-31 | CVE-2024-21893 | Server-Side Request Forgery (SSRF) vulnerability in Ivanti Connect Secure and Policy Secure. A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. | 8.2 |
| 2024-01-31 | CVE-2024-21888 | Unspecified vulnerability in Ivanti Connect Secure and Policy Secure. A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. | 8.8 |