Ivanti warns users of a serious vulnerability in the Connect Secure VPN service and the Policy Secure Gateway that is being actively exploited. The company has released a patch that fixes two zero days.
Also the Digital Trust Center warns for the vulnerabilities that are actively being exploited. It concerns two bugs Ivanti himself also warns about this. The bugs are in Ivanti Point Secure, which is the former Pulse Secure, and in the Ivanti Policy Secure Gateway. The bugs work in combination with each other; if one is merged with the other, an attacker can execute commands on a system without authentication, with admin rights. The bugs are serious; they have CVSS scores of 8.2 and 9.1 and the National Cyber Security Center classifies them as High/High.
Ivanti has wrote a technical advisory about the two bugs. The first is CVE-2023-46805. This is an authentication bypass method in the ICS web component that allows an attacker to reach components on the system by bypassing certain control mechanisms. The second bug in CVE-2024-21887 is a command injection bug in Connect Secure and Policy Secure that could allow an attacker to execute commands on a device without authentication.
So both bugs are actively exploited, but Ivanti does not provide any details about the exploitation. The company says users with Neurons for ZTA gateways are not vulnerable. Neurons for Secure Access are also not vulnerable, but the gateways controlled by them could be.
Both vulnerabilities are in versions 9.x and 22.x of the software. Ivanti has now released a mitigation for the bugs, which it immediately recommends that customers apply. It has that mitigation made available to customers. This is not yet a final patch; a first version will not follow until the week of January 22 and a final version will be released around February 19.