
IVANTI ZERO-DAY CRISIS: Critical Flaws Actively Exploited for Unauthenticated RCE
Executive Summary
Two zero-day vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways, CVE-2023-46805 (an authentication bypass, rated High) and CVE-2024-21887 (a command injection, rated Critical), are being actively chained by threat actors to achieve unauthenticated remote code execution (RCE). Neither flaw alone gives an outsider code execution; together they let an attacker with no credentials take full control of an affected appliance. Immediate patching and investigation for compromise are critical.
Introduction
Ivanti’s Connect Secure and Policy Secure gateways are cornerstone appliances for many organizations, providing essential remote access and network control. However, a developing zero-day crisis has turned these tools of security into a massive liability. State-sponsored threat actors and cybercriminals are actively exploiting a combination of two severe vulnerabilities to breach networks, steal data, and establish persistent access. This is not a theoretical threat; this is an active campaign happening now.
Threat Analysis
Vulnerability Breakdown
The attack’s success hinges on chaining two distinct flaws:
- CVE-2023-46805 (CVSS Score: 8.2 – High): An authentication bypass in the web component. It lets a remote, unauthenticated attacker reach resources that should require a session: the key that gets past the guard at the front door.
- CVE-2024-21887 (CVSS Score: 9.1 – Critical): A command injection in the web component that, on its own, requires an authenticated administrator. An attacker who holds (or appears to hold) an admin session can execute arbitrary commands on the appliance.
The Attack Chain: A One-Two Punch
By themselves, each vulnerability is serious. Chained together, they are devastating. Here’s how the attack works:
- The attacker first exploits CVE-2023-46805 to bypass the authentication checks guarding the vulnerable web component; no credentials are needed.
- Now treated as an authenticated administrator, the attacker immediately exploits CVE-2024-21887 to inject and execute arbitrary commands on the appliance with system-level privileges.
This combination grants the attacker unauthenticated remote code execution, effectively giving them complete control of the device.
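As an added example (not part of the original article, and not Ivanti tooling), the following Python hunts a handful of constructed web access-log lines for the two request shapes the chain above relies on: a URI that matches an unauthenticated route until its dot-segments are normalised, used here as one common shape of web-component authentication bypass, and shell metacharacters embedded in a URI path, the signature of a command-injection attempt. The log format, the endpoint prefixes and the sample requests are assumptions made for illustration; they are not Ivanti's paths or signatures.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines in the shape "<client> <method> <uri> <status>".
# Not Ivanti output; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 GET /portal/auth/welcome.cgi 200
203.0.113.10 GET /api/v1/public/backup-code/../../admin/system-information 200
198.51.100.7 GET /api/v1/public/status/;id; 200
192.0.2.55 POST /api/v1/admin/users 403
198.51.100.7 GET /api/v1/public/backup-code/..%2F..%2Fadmin/maintenance 200
192.0.2.56 GET /api/v1/admin/system-information 401
"""

# Assumed (hypothetical) routing for this example: paths under UNAUTH_PREFIXES
# are reachable without credentials, paths under PROTECTED_PREFIXES are not.
UNAUTH_PREFIXES = ("/api/v1/public/",)
PROTECTED_PREFIXES = ("/api/v1/admin/",)

# Shell metacharacters that have no legitimate place inside a URI path.
SHELL_META = re.compile(r"[;|`]|\$\(|&&")

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$")


def canonical_path(uri):
    """Drop the query string, percent-decode repeatedly (to defeat double
    encoding) and collapse dot-segments the way a lax router would."""
    path = uri.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path)


def classify(uri):
    """Return the list of suspicious traits found in one request URI."""
    raw_path = uri.split("?", 1)[0]
    canon = canonical_path(uri)
    traits = []
    # Bypass class: the raw path looks like an unauthenticated endpoint, but the
    # normalised path lands on a protected one. A router that checks auth on the
    # raw string and serves the normalised one is exactly what this catches.
    if raw_path.startswith(UNAUTH_PREFIXES) and canon.startswith(PROTECTED_PREFIXES):
        traits.append("auth-bypass-traversal")
    # Injection class: shell metacharacters smuggled inside the path.
    if SHELL_META.search(canon):
        traits.append("command-injection-chars")
    return traits


def hunt(log_text):
    """One dict per suspicious request; a 200 means the server honoured it."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        traits = classify(m["uri"])
        if traits:
            hits.append({
                "client": m["client"],
                "uri": m["uri"],
                "kinds": traits,
                "outcome": "succeeded" if m["status"] == "200" else "attempted",
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['client']:<14} {hit['outcome']:<9} {','.join(hit['kinds']):<24} {hit['uri']}")
```

Run it as a script to print the three hits. The detection keys on what a request resolves to after decoding and dot-segment normalisation, not on the raw string, because a component that authorises on the raw path and then serves the normalised one is the pattern behind this class of bypass. A 200 response to a flagged request is the line to escalate: it means the server served the resolved path rather than rejecting it, and the device should be treated as compromised pending the integrity check.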
Active Exploitation in the Wild
Security intelligence firms and CISA have confirmed that multiple threat actors, including the suspected state-sponsored group UNC5221, began exploiting these vulnerabilities before patches were available.
Post-exploitation TTPs (Tactics, Techniques, and Procedures) observed include:
- Deploying Webshells: Attackers drop sophisticated webshells (such as GIFTEDVISITOR) onto compromised devices to maintain persistent access.
- Data Exfiltration: Stealing credentials and other sensitive information stored on or passing through the gateway.
- Lateral Movement: Using the compromised Ivanti appliance as a pivot point to move deeper into the victim’s internal network.
Urgent Mitigation and Response Plan
Patching is essential, but it is not sufficient, as your system may already be compromised. Follow this action plan immediately:
- Run the Integrity Checker Tool: Before anything else, run Ivanti's official external Integrity Checker Tool (ICT) against the appliance. It is designed to surface signs of compromise such as modified or unexpected files. Prefer the external tool over checks that run on the appliance itself, because a compromised device can be made to lie about its own state. Preserve the ICT output, logs and any snapshots before you change anything; they are your forensic record.
- Apply Patches Immediately: Ivanti has released patches for affected versions. Prioritize deploying them to every exposed appliance, and if a patch is not yet available for your build, apply Ivanti's published interim mitigation in the meantime. Do not delay.
- Hunt for Indicators of Compromise (IOCs): Proactively search appliance logs and network traffic for the IOCs released by Ivanti and CISA. Look for unusual outbound connections from the appliance, unexpected or modified files (especially in the web root), and requests to the web component that carry path traversal sequences or shell metacharacters.
- Factory Reset and Rebuild: Per Ivanti's recommendation, the safest course of action is to factory reset the appliance before applying the patch, to wipe any persistence mechanisms left by attackers. Patching over a live compromise does not evict an implanted webshell, which is why the reset comes first. After rebuilding, rotate every credential, certificate and secret that was stored on or passed through the gateway, since it must be assumed stolen.
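The integrity-check and IOC-hunt steps above both reduce to one question: which files on the appliance differ from the known-good image? As an added example, not Ivanti's ICT and with no knowledge of its file list or output format, the Python below hashes a constructed directory tree into a baseline manifest, simulates a dropped webshell, a trojaned CGI and a removed binary, and reports the difference. All paths and contents are invented for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its hash."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline, current):
    """Diff two manifests: files only in current, only in baseline, or changed."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def write_file(root, rel, data):
    """Create rel under root (and any parent directories) with the given bytes."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Snapshot a constructed 'golden' tree, tamper with it, and diff the result."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed golden-image contents; hypothetical layout, not Ivanti's.
        write_file(root, "htdocs/auth/welcome.cgi", b"#!/usr/bin/perl\nprint 'login';\n")
        write_file(root, "bin/healthcheck", b"#!/bin/sh\nexit 0\n")
        write_file(root, "etc/version", b"1.0\n")
        baseline = build_manifest(root)

        # Simulated post-compromise changes of the kinds the TTPs above describe:
        # a new file in the web root (webshell), a modified CGI, a removed binary.
        write_file(root, "htdocs/auth/cache.cgi", b"# dropped webshell placeholder\n")
        write_file(root, "htdocs/auth/welcome.cgi", b"#!/usr/bin/perl\nprint 'login';\n# appended\n")
        os.remove(os.path.join(root, "bin/healthcheck"))

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:<9} {p}")
```

The manifest and the comparison are only as trustworthy as the machine they run on. Executed on a compromised appliance, a checker can be fed a doctored baseline or patched to report a clean result, which is why the external ICT is the one to rely on rather than anything running on the box itself, and why a clean result from any tool does not replace the reset-then-patch step when exploitation is confirmed.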
Conclusion
The Ivanti zero-day crisis is a stark reminder that edge network devices are high-value targets for attackers. The combination of an authentication bypass and command injection provides a direct path into the heart of a network. Due to the confirmed active exploitation, immediate and decisive action is required to defend your organization. Assume you have been targeted, verify the integrity of your systems, and apply the necessary patches without delay.