Today, Ivanti warned of a new authentication bypass vulnerability impacting Connect Secure, Policy Secure, and ZTA gateways, urging admins to secure their appliances immediately.
The flaw (CVE-2024-22024) is due to an XXE (XML eXternal Entities) weakness in the gateways’ SAML component that lets remote attackers gain access to restricted resources on unpatched appliances in low-complexity attacks without requiring user interaction or authentication.
“We have no evidence of any customers being exploited by CVE-2024-22024. However, it is critical that you immediately take action to ensure you are fully protected,” Ivanti said.
“For users of other supported versions, the mitigation released on 31 January successfully blocks the vulnerable endpoints until remaining patches are released,” the company added in a separate advisory.
Threat monitoring platform Shadowserver currently tracks over 20,000 ICS VPN gateways exposed online, with over 6,000 in the United States (Shodan currently tracks over 26,000 Internet-exposed Ivanti ICS VPNs).
Shadowserver also monitors Ivanti Connect Secure VPN instances compromised worldwide daily, with almost 250 compromised devices discovered on Wednesday, February 7.
Ivanti devices under heavy targeting
Ivanti VPN appliances have been targeted in attacks chaining the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection flaws as zero-days since December 2023.
The company warned of a third actively exploited zero-day (a server-side request forgery vulnerability now tracked as CVE-2024-21893) that’s now also under mass exploitation by multiple threat actors, allowing attackers to bypass authentication on unpatched ICS, IPS, and ZTA gateways.
Security patches for product versions affected by the three flaws were released on January 31. Ivanti also provides mitigation instructions for devices that can’t be secured immediately against ongoing attacks or running software versions still waiting for a patch.
Ivanti urged customers to factory reset all vulnerable appliances before patching to block attackers’ attempts to gain persistence between software upgrades.
Additionally, CISA ordered U.S. federal agencies on February 1 to disconnect all vulnerable Ivanti VPN appliances on their networks within 48 hours in response to extensive targeting by multiple threat actors.