What We Do
How We Do
Resources
Company
Partners
Get Started
Security advisories

UPDATE - Ivanti Zero-Day Vulnerabilities (CVE-2023-46805 and CVE-2024-21887)

January 31, 2024 | 2 MINS READ

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

On January 31st, 2024, Ivanti released additional information and security patches for the critical zero-day vulnerabilities CVE-2023-46805 and CVE-2024-21887.

The previously disclosed zero-day vulnerabilities are:

If exploited together, these vulnerabilities would allow a remote and unauthenticated threat actor to craft malicious requests and execute arbitrary commands on the system. As the first round of security patches to address these vulnerabilities has now been released, it is critical that organizations apply them immediately. Outstanding versions are expected to receive security patches between late January and February 26, 2024.

Notably, Ivanti states that there is evidence that threat actors are manipulating Ivanti’s Internal Integrity Checker Tool (ICT) to avoid detection, as well as bypassing the initial mitigations. Organizations utilizing the impacted products are heavily encouraged to continuously monitor for signs of compromise and apply new mitigations or patches if available.

eSentire has observed exploitation of CVE-2024-21887. The eSentire Threat Intelligence team is actively investigating these vulnerabilities and real-world attacks to develop new detections.

What we’re doing about it

What you should do about it

Additional information

Exploitation of CVE-2023-46805 and CVE-2024-21887 was initially limited to a single advanced threat actor group, but exploitation has since transitioned to widespread attacks by various groups. This is in line with the eSentire Threat Intelligence team’s assessment made in the January 11th eSentire advisory. It should be noted that some of these threat actors also appear to have the technical capabilities to locate and utilize bypasses for the previously recommended mitigations and detection methods.

Ivanti’s release of security patches today (January 31st) comes simultaneously with the announcement of additional vulnerabilities in the Connect Secure and Policy Secure products (CVE-2024-21888 and CVE-2024-21893).

In Ivanti’s KB notes, there is the mention of cases involving threat actors manipulating the Internal Integrity Checker Tool (ICT) and Ivanti recommends that the External ICT be used instead; however CISA has stated in their blog post from January 30th, that threat actors have subverted the External ICT as well, likely through restoration of the infected device to a clean state following deployment of a webshell. It is possible CISA’s statement may be on an older version of the External ICT.

References:

[1] https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
[2] https://www.cisa.gov/news-events/alerts/2024/01/30/new-mitigations-defend-against-exploitation-ivanti-connect-secure-and-policy-secure-gateways
[3] https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation
[4] https://www.esentire.com/security-advisories/ivanti-zero-day-vulnerabilities-cve-2023-46805-and-cve-2024-21887
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46805
[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21887
[7] https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways

View Most Recent Advisories