Security News > 2024 > February > CISA warns against using hacked Ivanti devices even after factory resets
The U.S. Cybersecurity and Infrastructure Security Agency revealed today that attackers who breached Ivanti appliances using one of multiple actively exploited vulnerabilities can maintain root persistence even after performing factory resets.
CISA found that the Ivanti ICT failed to detect compromise while investigating multiple hacking incidents involving hacked Ivanti appliances.
Today, in response to CISA's advisory, Ivanti said that remote attackers attempting to gain root persistence on an Ivanti device using the method CISA found would lose connection to the Ivanti Connect Secure appliance.
Despite the company's assurances, CISA urged all Ivanti customers today to "Consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment".
In other words, CISA warns it may still not be safe to use previously compromised Ivanti devices even after cleaning and performing a factory reset.
On February 1st, in response to the "Substantial threat" and increased risk of security breaches posed by hacked Ivanti VPN appliances, CISA ordered all federal agencies to disconnect all Ivanti Connect Secure and Ivanti Policy Secure instances from their networks within 48 hours,.