More woes for Ivanti as exploit activity rises

A security vulnerability discovered by Ivanti during a separate security investigation is being widely exploited in the wild, security researchers say.

While investigating and patching CVE-2023-46805 and CVE-2024-21887, Ivanti discovered a server-side request forgery (SSRF) bug, CVE-2024-21893.

At the time, it said the zero-day vulnerability had affected “a small number of customers.”

On January 31, Mandiant said it had “identified broad exploitation activity” as attackers tried to exploit the SSRF bug.

On February 5, Rapid7 published a separate analysis of the vulnerability, including an exploit demonstration.

Shadowserver has reported rising exploit volume for the vulnerability.

“We observed CVE-2024-21893 exploitation using ‘/dana-na/auth/saml-logout.cgi’ on Feb 2 hours before @Rapid7 posting and unsurprisingly lots to ‘/dana-ws/saml20.ws’ after publication,” Shadowserver posted on X.

“This includes reverse shell attempts and other checks.  To date, over 170 attacking IPs involved”.

The US Cyber and Infrastructure Security Agency (CISA) has directed US agencies to disconnect Ivanti Connect Secure units in service, and not reconnect them until they have been patched and had a factory reset.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts