In an unprecedented move, the US government’s cybersecurity agency, CISA, mandated that all federal civilian executive branch agencies disconnect all Ivanti VPN appliances within 48 hours. This rare step came after four critical CVEs were documented.

Casey Ellis, Bugcrowd Founder and Chief Strategy Officer, broke down the situation on the latest Bugcrowd Security Flash. Here’s a quick summary of what is currently happening.

Ivanti vulnerability timeline

On December 3, Volexity noticed suspicious behavior tied to Ivanti Connect Secure and Ivanti Policy Secure products. In the course of threat hunting and research, they discovered two critical, easy-to-exploit vulnerabilities, as well as evidence of malicious exploitation. The first two CVEs were discovered on January 10 (CVE-2023-46805 and CVE-2024-21887). There are at least 30,000 instances of this software exposed on the internet, meaning threat actors have massive opportunities to exploit these vulnerabilities.

Ivanti put out a fixed timeline for organizations to expect patches, although that timeline has been pushed, presumably because of the complexity of the fix itself.

On February 1, two new CVEs were also announced, bringing the total to four CVEs.

CISA mandate

On February 1, CISA mandated that all federal civilian executive branch agencies disconnect all Ivanti VPN appliances as soon as possible, and no later than 11:59 PM on Friday, February 2, 2024. This is an incredibly rare move by CISA. It signals an acknowledgement that organizations are out of time from an exploitation and risk standpoint, and that the potential impact is massive.

Since these vulnerabilities are relatively easy to exploit, threat actors can have a lot of impact very quickly. Products like these VPN appliances tend to sit at the center of everything within an organization, which gives threat actors a lot of options for next steps after exploitation.

This is an unprecedented move by CISA, and even organizations that are not government agencies should treat CISA’s advice as relevant to their industry. It is a strong indicator of the massive amount of potential risk.

Next steps for security leaders

Given the amount of attention these vulnerabilities have received, it is safe to assume that if you have these Ivanti products in your environment, you’ve probably been compromised. Organizations should confirm whether these products exist in their environment (keeping in mind that they could exist as shadow IT).
Next, organizations should start proactive threat hunting. Security leaders should talk to the IT teams that manage these products, understand the cost of disconnecting them, and implement a backup access plan for those who regularly rely on the VPN.
As the crisis calms down, security leaders should assess how to minimize exposure to exploits like these in the future. One tip is to make sure your team has threat hunting as a skill set, so you can quickly identify whether your environment has been exploited.
From a product perspective, organizations can lean on crowdsourced security testing and the crowd to help them identify critical vulnerabilities during the software development lifecycle, catching them before they become bigger issues and building confidence in the market.