Ivanti vulnerability timeline
On December 3, Volexity noticed suspicious behavior tied to Ivanti Connect Secure and Ivanti Policy Secure solution products. In the process of doing threat hunting and research, they discovered 2 critical, easy-to-exploit vulnerabilities, as well as evidence of malicious exploitation. The first two CVEs were discovered January 10 (CVE-2023-46805 and CVE-2024-21887). There are at least 30,000 instances of this software across the internet, meaning there are massive opportunities for threat actors to exploit this vulnerability.
Ivanti put out a fixed timeline for organizations to expect patches, although that timeline has been pushed, presumably because of the complexity of the fix itself.
On February 1, two new CVEs were also announced, totaling in four CVEs:
- CVE-2023-46805 — CVSS 8.2/10.
- CVE-2024-21887 — CVSS 9.1/10.
- CVE-2024-21888 — CVSS 8.8/10.
- CVE-2024-21893 — CVSS 8.2/10.
On February 1, CISA, mandated that all federal civilian executive branch agencies disconnect all Ivanti VPN appliances as soon as possible and no later than 11:59PM on Friday February 2, 2024. This is an incredibly rare move by CISA. It points to an acknowledgement that organizations are out of time from an exploitation and risk standpoint and there is a massive amount of potential impact.
Since these vulnerabilities are relatively easy to exploit, threat actors can have a lot of impact very quickly. Given the nature of these exploited products, they tend to be in the center of everything within an organization. This gives threat actors a lot of optionality in terms of next steps after exploit.
This is an unprecedented move by CISA, and even if you aren’t a government agency, organizations should consider CISA’s advice as relevant in any industry. It is a strong indicator of the massive amount of potential risk.