Ivanti RCE vulnerability impacts exposed VPN gateways

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Over 16,000 Ivanti Connect Secure and Ivanti Policy Secure gateways exposed on the internet are likely vulnerable to a remote code execution (RCE) flaw recently disclosed by the vendor. The vulnerability, tracked as CVE-2024-21894 (CVSSv3.1 score: 8.2), is a heap overflow in the IPSec component of Ivanti Connect Secure and Ivanti Policy Secure. An unauthenticated threat actor who can reach the IPSec service can send specially crafted requests to crash it (denial of service, DoS) and, under certain conditions, achieve RCE.

Impact

There is a realistic possibility that successful exploitation of CVE-2024-21894 would allow an unauthenticated threat actor to send specially crafted requests to the gateway's IPSec service, causing a DoS and, under certain conditions, execution of arbitrary code. No credentials or prior foothold are required; reachability of the IPSec listener is the only precondition, which is why internet-exposed gateways are the concern.

Vulnerability Detection

Ivanti has released patched builds for each supported release branch of the affected products. Any gateway still running an earlier build of an affected branch should be treated as vulnerable. Detection is therefore a version check: compare the running build (shown in the admin console and in the system version output) against the fixed builds listed in the vendor advisory for that branch, rather than relying on a generic major-version match, since fixes are issued per branch (for example 22.4R2.x and 22.5R2.x receive separate patch levels).

Affected Products

Ivanti Connect Secure 9.x and 22.x; Ivanti Policy Secure 22.x.
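The branch-keyed version comparison described under Vulnerability Detection, applied to the affected products above, as an added example that is not part of the original bulletin or of any Ivanti tooling. It parses Ivanti's `major.minorRrelease.patch` version strings and flags builds below the fixed patch level for their branch. The `FIXED_BUILDS` table is an assumption: it is the fix list for CVE-2024-21894 as the author of this example recalls it from the vendor advisory, and every entry must be verified against that advisory before use. The inventory at the bottom is constructed sample data, not real hosts.

```python
"""Flag Ivanti Connect Secure / Policy Secure builds that predate the fix for CVE-2024-21894.

Ivanti version strings look like "22.4R2.3" or "9.1R18.4": major.minor, an "R"
release number, and an optional patch level. Fixes ship per release branch
(e.g. 22.4R2 and 22.5R2 each get their own patch level), so the comparison
is keyed on the branch, not on the major version.
"""
import re
from typing import Dict, List, Optional, Tuple

# ASSUMPTION: fixed builds as recalled from Ivanti's April 2024 advisory for
# CVE-2024-21894. Verify every entry against the vendor advisory before relying
# on it; an out-of-date table silently produces false "patched" results.
FIXED_BUILDS: Dict[str, str] = {
    # Ivanti Connect Secure
    "9.1R14": "9.1R14.6", "9.1R15": "9.1R15.4", "9.1R16": "9.1R16.4",
    "9.1R17": "9.1R17.4", "9.1R18": "9.1R18.5",
    "22.1R6": "22.1R6.2", "22.2R4": "22.2R4.2", "22.3R1": "22.3R1.2",
    "22.4R1": "22.4R1.2", "22.4R2": "22.4R2.4", "22.5R1": "22.5R1.2",
    "22.5R2": "22.5R2.4", "22.6R2": "22.6R2.3",
    # Ivanti Policy Secure
    "22.6R1": "22.6R1.1",
}

# Accepts "22.4R2.3", "22.3R1" (no patch level) and console strings such as
# "9.1R18.5 (build 23163)"; the build number is ignored for the comparison.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*(?:\(build\s*\d+\))?\s*$", re.IGNORECASE
)


def parse_version(version: str) -> Optional[Tuple[str, int]]:
    """Return (branch, patch) for an Ivanti version string, or None if unparseable.

    A missing patch level is treated as patch 0 (the base release of the branch).
    """
    m = _VERSION_RE.match(version)
    if not m:
        return None
    major, minor, release, patch = m.groups()
    branch = f"{major}.{minor}R{release}"
    return branch, int(patch) if patch is not None else 0


def assess(version: str, fixed: Dict[str, str] = FIXED_BUILDS) -> str:
    """Classify a running build as 'patched', 'vulnerable', 'unknown-branch' or 'unparseable'.

    'unknown-branch' means the advisory lists no fixed build for that branch;
    treat it as unsupported and escalate rather than assuming it is safe.
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    branch, patch = parsed
    if branch not in fixed:
        return "unknown-branch"
    fixed_parsed = parse_version(fixed[branch])
    assert fixed_parsed is not None, f"bad entry in fixed-build table: {fixed[branch]}"
    return "patched" if patch >= fixed_parsed[1] else "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the vulnerable set can be actioned first."""
    groups: Dict[str, List[str]] = {}
    for host, version in inventory:
        groups.setdefault(assess(version), []).append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("vpn-a.example", "22.4R2.3"),               # one patch level short of the fix
    ("vpn-b.example", "22.4R2.4"),               # at the fixed build
    ("vpn-c.example", "9.1R18.5 (build 23163)"), # console-style string, patched
    ("vpn-d.example", "22.3R1"),                 # base release, no patch level
    ("nac-e.example", "22.7R1.1"),               # branch not in the table
    ("vpn-f.example", "n/a"),                    # inventory gap
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:15s} {', '.join(hosts)}")
```

Feed `triage()` the hostname/version pairs from your asset inventory or a scan of the admin interfaces; anything in `vulnerable`, `unknown-branch` or `unparseable` needs a human decision, not just the `vulnerable` bucket.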

Containment, Mitigations & Remediations

It is strongly recommended that the latest Ivanti Connect Secure and Ivanti Policy Secure security patch for the relevant release branch is applied as soon as possible. Where a gateway cannot be patched immediately and IPSec VPN is not in use, restricting inbound IKE traffic (UDP/500 and UDP/4500) from the internet at the perimeter removes the reachable attack surface for this flaw; this is a compensating control, not a substitute for the patch. After patching, confirm the running build matches the fixed build for that branch, and given the recent history of Ivanti gateway compromises, run the vendor's Integrity Checker Tool to rule out a pre-existing compromise before returning the appliance to service.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Ivanti Connect Secure (formerly Pulse Secure) is one of the most widely deployed enterprise VPN gateways and, by design, sits internet-facing at the network edge. Threat actors generally weigh probability of success against asset value when choosing attack surfaces, and an unauthenticated RCE in an edge appliance scores highly on both, so these products will likely remain a prime target. Because a compromised gateway yields credentials, session material and a foothold into the internal network, threat actors will continue to exploit Ivanti vulnerabilities as an initial-access vector.

Threat Actor

Although exploitation of CVE-2024-21894 has yet to be attributed to a specific threat actor, it should be noted that state-sponsored cyber units leveraged multiple Ivanti gateway flaws (CVE-2023-46805, CVE-2024-21887, CVE-2024-22024 and CVE-2024-21893) earlier this year, so rapid weaponisation of a new unauthenticated bug in the same product line should be expected.

Mitre Methodologies

Mitre Tactic

TA0002 – Execution