Yet another Ivanti VPN critical security flaw is being exploited, so patch now


Ivanti has discovered yet another serious security vulnerability in its VPN for business appliances - and what's worse, it's already being exploited en masse, researchers have found.

Ivanti had already uncovered two high-severity flaws in its Connect Secure products, CVE-2023-46805 and CVE-2024-21886, which were, at the time, mostly exploited by Chinese state-sponsored threat actors. Soon afterwards, reports came out of mass exploitation.

In the weeks following the news, Ivanti released the corresponding patches, and said that during the remediation process it discovered two additional flaws - CVE-2024-21888 and CVE-2024-21893. While one of them was not picked up by hackers in any significant volume, the other - CVE-2024-21893 - was tested in at least 170 unique exploitation attempts.

Asking for permissions

Now, the newest Shadowserver data is showing mass exploitation, TechCrunch reports. Shadowserver’s chief executive, Piotr Kijevski, told the publication that late last week, the nonprofit observed more than 630 unique IPs attempting to exploit the flaw which allows for remote access.

As was the case with the first two flaws, Ivanti patched these as well. However, that doesn’t necessarily translate to a completely fixed issue, as companies are often slow to patch, leaving themselves open to attacks. Connect Secure, a remote access VPN solution, is allegedly used by more than 40,000 customers, such as banks, healthcare firms, and education organizations.

Shadowserver initially showed some 22,500 instances exposed to the internet. This week, the number is down to 20,800 according to the same source, which means businesses are patching their endpoints, albeit at a slow(ish) pace.

Volexity founder Steven Adair gave an ominous warning, the publication said: “any unpatched devices accessible over the Internet have likely been compromised several times over.”

At press time, it was unknown which threat actors sought to exploit the flaws, but given the recent history, it’s safe to assume that Chinese state-sponsored threat actors are having a field day with Ivanti.
