Hackers exploit vulnerability affecting a widely used VPN service

Researchers uncovered a concerning development in Ivanti VPN

New information reveals that hackers are exploiting a third vulnerability in Ivanti’s popular enterprise VPN appliance. Recently, Ivanti, a Utah-based IT software company, disclosed the discovery of two additional security flaws, identified as CVE-2024-21888 and CVE-2024-21893, in Connect Secure, its widely used remote access VPN solution. Ivanti’s customer base of over 40,000 includes universities, healthcare institutions, and banks, enabling their employees to access systems remotely.

Shortly after Ivanti acknowledged two previous bugs in Connect Secure, identified as CVE-2023-46805 and CVE-2024-21887, security experts revealed that Chinese-backed hackers had been using them to infiltrate customer networks and pilfer data since December. Now, it’s been observed that one of the newly found vulnerabilities, CVE-2024-21893, specifically a server-side request forgery flaw, is being widely exploited.

Even though Ivanti has fixed the vulnerabilities, security experts predict that more organizations will be affected as more hacking groups exploit the weakness. Steven Adair, the founder of cybersecurity firm Volexity, which monitors the exploitation of Ivanti vulnerabilities, cautioned that, with proof-of-concept exploit code now publicly available, any unpatched web-enabled device might be compromised.

Piotr Kijewski, CEO of Shadowserver Foundation, a nonprofit that monitors the internet for exploitation, reported that they’ve seen over 630 different IP addresses trying to exploit the server-side flaw. This flaw enables attackers to access data on vulnerable devices.

That is a significant increase over last week’s count of 170 unique IPs attempting to exploit the vulnerability. An examination of the new server-side flaw reveals that it can bypass Ivanti’s original mitigation measures for the initial exploit chain involving the first two vulnerabilities, rendering those pre-patch mitigations ineffective.

Kijewski mentioned that Shadowserver was monitoring approximately 20,800 Ivanti Connect Secure devices accessible online, down from 22,500. However, it’s uncertain how many of these Ivanti devices are susceptible to exploitation.
