Ivanti Connect Secure and Policy Secure Zero-day

Summary

Ivanti has released information about zero-day vulnerabilities in Connect Secure and Policy Secure that are being exploited and that allow remote attackers to execute arbitrary commands on targeted gateways.

CVE-2023-46805 (CVSS 3.1 score 8.2): an authentication bypass vulnerability in the gateways' web component that allows threat actors to access restricted resources by evading security checks.

CVE-2024-21887 (CVSS 3.1 score 9.1): a command injection vulnerability that allows authenticated administrators to execute arbitrary commands on vulnerable devices by sending altered requests.

By combining both CVEs, a threat actor can send those altered requests without any authentication. This combination has been exploited in the wild. It also allows MFA to be bypassed.

Security recommendations

At this moment all products are vulnerable. Ivanti has not released any patches but has provided a mitigation option. Ivanti says that patches will be coming on 22 January and 19 February.