Today, Ivanti warned of a new authentication bypass vulnerability impacting Connect Secure, Policy Secure, and ZTA gateways, urging admins to secure their appliances immediately.
The flaw (CVE-2024-22024) is due to an XXE (XML eXternal Entities) weakness in the gateways' SAML component that lets remote attackers gain access to restricted resources on unpatched appliances in low-complexity attacks without requiring user interaction or authentication.
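The article describes the flaw only as an XXE weakness in the SAML component. The following is an added example, not Ivanti's code and not a description of the affected product's parser: it shows the standard defence for this bug class using only Python's stdlib expat bindings, refusing any DTD construct (DOCTYPE, entity declaration, external entity reference) before the parser can expand it. The SAML responses and the `file:///placeholder/...` system identifier are constructed samples.

```python
"""Added example (not Ivanti's code): hardening a SAML parser against XXE.

Refuse any DTD construct before expansion. Both SAML responses below are
constructed samples, not captured traffic.
"""
import xml.parsers.expat as expat


class DtdForbidden(ValueError):
    """Raised when a document declares a DTD or references an entity."""


def parse_saml_without_dtd(xml_bytes: bytes) -> dict:
    """Parse a SAML-style document, aborting on any DTD construct.

    Returns a summary of what was parsed: root element name and element count.
    """
    summary = {"root": None, "elements": 0}
    parser = expat.ParserCreate()  # no namespace processing: names keep their prefix

    # Each of these handlers raises; pyexpat propagates the exception out of
    # Parse(), so nothing after the offending construct is processed.
    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdForbidden(f"DOCTYPE {name!r} is not allowed")

    def forbid_entity(name, is_param, value, base, system_id, public_id, notation):
        raise DtdForbidden(f"entity declaration {name!r} is not allowed")

    def forbid_external_ref(context, base, system_id, public_id):
        raise DtdForbidden(f"external entity reference to {system_id!r} is not allowed")

    def on_start_element(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = on_start_element
    parser.Parse(xml_bytes, True)
    return summary


def check_saml(xml_bytes: bytes) -> tuple:
    """Return (accepted, detail): detail is the summary or the rejection reason."""
    try:
        return True, parse_saml_without_dtd(xml_bytes)
    except DtdForbidden as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"


# Constructed sample: a benign SAML response with no DTD.
CLEAN_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-id" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>
"""

# Constructed sample: the same response carrying a DTD with an external entity.
# The SYSTEM identifier is a placeholder; the check rejects the DOCTYPE before
# the parser ever considers resolving it.
DTD_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE samlp:Response [
  <!ENTITY ext SYSTEM "file:///placeholder/not-resolved">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-id" Version="2.0">
  <saml:Issuer>&ext;</saml:Issuer>
</samlp:Response>
"""

# Constructed sample: an internal-only DTD (the shape used for entity-expansion
# denial of service) is refused for the same reason.
INTERNAL_DTD_RESPONSE = b"""<?xml version="1.0"?>
<!DOCTYPE samlp:Response [ <!ENTITY a "aaaaaaaa"> ]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">&a;</samlp:Response>
"""

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_RESPONSE), ("external DTD", DTD_RESPONSE),
                       ("internal DTD", INTERNAL_DTD_RESPONSE)]:
        print(label, "->", check_saml(doc))
```

Rejecting at the DOCTYPE rather than at entity expansion is the point: a SAML response has no legitimate reason to carry a DTD, so the parser never reaches the stage where an external reference could be resolved or an internal entity blown up.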
"We have no evidence of any customers being exploited by CVE-2024-22024. However, it is critical that you immediately take action to ensure you are fully protected," Ivanti said.
"For users of other supported versions, the mitigation released on 31 January successfully blocks the vulnerable endpoints until remaining patches are released," the company added in a separate advisory.
Threat monitoring platform Shadowserver currently tracks over 20,000 ICS VPN gateways exposed online, with over 6,000 in the United States (Shodan currently tracks over 26,000 Internet-exposed Ivanti ICS VPNs).
Shadowserver also monitors Ivanti Connect Secure VPN instances compromised worldwide daily, with almost 250 compromised devices discovered on Wednesday, February 7.
Ivanti devices under heavy targeting
Ivanti VPN appliances have been targeted in attacks chaining the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection flaws as zero-days since December 2023.
The company warned of a third actively exploited zero-day (a server-side request forgery vulnerability now tracked as CVE-2024-21893) that is now also under mass exploitation by multiple threat actors, allowing attackers to bypass authentication on unpatched ICS, IPS, and ZTA gateways.
Security patches for product versions affected by the three flaws were released on January 31. Ivanti also provides mitigation instructions for devices that can't be secured immediately against ongoing attacks or are running software versions still waiting for a patch.
Ivanti urged customers to factory reset all vulnerable appliances before patching to block attackers' attempts to gain persistence across software upgrades.
Additionally, CISA ordered U.S. federal agencies on February 1 to disconnect all vulnerable Ivanti VPN appliances on their networks within 48 hours in response to extensive targeting by multiple threat actors.