News

Ivanti warns again about zeroday in Connect Secure VPN

By admin
Spread the love

Ivanti has released a patch for two new vulnerabilities in its Connect Secure VPN. Attackers are actively exploiting one of those bugs, says the company, which also released an emergency patch earlier this month.

Ivanti warns in a blog post for two vulnerabilities in Connect Secure and in Policy Secure Gateways. Those are a privilege escalation bug that is tracked as CVE-2024-21888 and a server side request forgery, CVE-2024-21893. According to the company, the first is not actively abused, but the second is. The forgery bug makes it possible to read certain protected information without authentication.

Ivanti warns that ‘a small number of customers’ are affected by the bug, but does not share any further information about the specific exploitation. The company expects that the attackers will soon exploit more systems now that the information has been made public.

It is the second time in a short time that Ivanti has been hit by a zero day. This also happened earlier this month. Ivanti discovered the new bugs while investigating the previous zero days, but the company does not say whether the two are linked.

Ivanti has released a patch. These are versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1 for Connect Secure and 22.6R1.3 for the ZTA cloud package. Ivanti recommends that customers reset their gateways to factory settings before applying the patch to ensure that attackers do not lose their persistence.

You might also like
News

Android 14 beta brings support for a desktop mode

News

Good news for TSMC: its 3nm node will take flight in 2024 thanks to the push of these…

News

The most boring technology of the 21st century: Intel has only grown 5% since 2000

News

Google Password Manager can start sharing passwords with partners or children

News

PlayStation 5 beta update improves audio from DualSense controller

News

Rumor: Android 15 puts apps in ‘edge-to-edge’ mode by default