Advisory January 11, 2024

Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure

Obrela TI Team

8.4.24 | UPDATE

These vulnerabilities along with CVE-2024-21893, is currently exploited by Chinese state-sponsored APT groups to conduct various attacks. Among these groups are UNC5221, UNC3569, UNC5330, and UNC5337.

It is important to upgrade both Ivanti Connect Secure VPN and Ivanti Policy Secure to their latest versions. According to Ivanti a patch is available for Ivanti Connect Secure (versions 9.1R15.3, 9.1R16.3, 22.1R6.1, 22.2R4.1, 22.3R1.1 and 22.4R1.1) and Ivanti Policy Secure (versions 9.1R16.3, 22.4R1.1 and 22.6R1.1). A build is available for all supported versions.



In a recent development that demands immediate attention from the cybersecurity community, two zero-day vulnerabilities have been unearthed in Ivanti Connect Secure (ICS) and Policy Secure. The gravity of the situation is compounded by the active exploitation of these vulnerabilities by suspected China-linked nation-state actors.

Vulnerability Details

  1. CVE-2023-46805 (CVSS score: 8.2): This is an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. It allows remote attackers to access restricted resources by bypassing control checks.
  2. CVE-2024-21887 (CVSS score: 9.1): This vulnerability involves a command injection flaw in the web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. Authenticated administrators can send specially crafted requests to execute arbitrary commands on the appliance.

Exploitation and Impact

The threat actors have successfully exploited these vulnerabilities in the wild, affecting less than 10 of the vendor’s customers. The attack involves chaining the two vulnerabilities to achieve unauthenticated command execution on the ICS device. If CVE-2024-21887 is used with CVE-2023-46805, exploitation does not require authentication, enabling threat actors to craft malicious requests and execute arbitrary commands on the system. There is evidence to suggest that the VPN appliance may have been compromised as early as December 3, 2023. Threat intelligence company Volexity attributes the attacks to a hacking group tracked as UTA0178, believed to be a Chinese nation-state actor.

Recommended Actions

  1. Apply Workaround: While patches are under development and expected to be released starting from the week of January 22, 2024, users are strongly advised to apply a workaround immediately to safeguard against potential threats.
  2. Monitor Network Activity: Regularly monitor network traffic for any suspicious activity, especially on devices running Ivanti Connect Secure. Analyze logs on the Connect Secure device for signs of compromise. IoCs will be provided to Ivanti’s affected customers.
  3. External Integrity Checker (ICT): Due to evidence of threat actors attempting to manipulate Ivanti’s internal integrity checker (ICT), it is recommended that all customers run the external ICT as an extra precaution.
  4. Mitigation File: Until patches are available, users can mitigate the zero-days by importing the mitigation.release.20240107.1.xml file, which is accessible to customers via Ivanti’s download portal.