CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday
CISA has ordered U.S. federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances vulnerable to multiple actively exploited bugs before Saturday.
In response to the "substantial threat" and significant risk of security breaches posed by compromised Ivanti VPN appliances, CISA now mandates all federal agencies to "disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks" "as soon as possible" but no later than 11:59 PM on Friday, February 2.
After the devices are removed from the network, the agencies must also keep hunting for signs of compromise on systems linked to, or recently connected to, the disconnected Ivanti devices.
To bring the Ivanti appliances back online, the agencies must export their configuration, factory reset them, rebuild them using patched software versions, reimport the backed-up configs, and revoke all connected or exposed certificates, keys, and passwords.
In the next stage, federal agencies that had impacted Ivanti products on their networks should also assume that all linked domain accounts were compromised and disable joined/registered devices or perform a double password reset for all accounts and revoke Kerberos tickets and cloud tokens.