Vulnerabilities in Ivanti gateways actively exploited

2:00pm, 11 January 2024

TLP Rating: Clear

UPDATED: 01/02/24

Ivanti has released an advisory for two vulnerabilities affecting Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways.

The vulnerabilities, tracked as CVE-2023-46805 (high severity) and CVE-2024-21887 (critical severity), allow for authentication bypass and remote command execution. These could give a remote attacker full control of an affected device.

Since the initial advisory, Ivanti has disclosed two further vulnerabilities, CVE-2024-21888 and CVE-2024-21893, which allow for privilege escalation and server-side request forgery, allowing an attacker to access restricted resources without authentication.

What's happening

Systems affected

The vulnerabilities impact all supported versions of Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways.

  • Ivanti Connect Secure (ICS) gateway – versions 9.x and 22.x
  • Ivanti Policy Secure (IPS) gateway – versions 9.x and 22.x

What to look for

How to tell if you're affected

Ivanti provides an integrity checker tool for monitoring changes to the configuration file. Please refer to the Ivanti advisory for details.

Check for the indicators of compromise provided in Volexity's blog.

What to do

Prevention

A patch is now available for versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and ZTA version 22.6R1.3. The patches cover all four vulnerabilities.

The remaining patches for supported versions will still be released on a staggered schedule. Ivanti recommends that all customers factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment.

Mitigation

For those running versions without a current patch, Ivanti has provided a mitigation and instructions on how to apply it in their customer advice.

Until patched, Ivanti recommends actively monitoring your devices for malicious activity.

More information

If you require more information or further support, submit a report on our website or contact us on 0800 114 115.
