More woes for Ivanti as exploit activity rises

A security vulnerability discovered by Ivanti during a separate security investigation is being widely exploited in the wild, security researchers say.

While investigating and patching CVE-2023-46805 and CVE-2024-21887, Ivanti discovered a server-side request forgery (SSRF) bug, CVE-2024-21893.

At the time, it said the zero-day vulnerability had affected “a small number of customers.”

On January 31, Mandiant said it had “identified broad exploitation activity” as attackers tried to exploit the SSRF bug.

On February 5, Rapid7 published a separate analysis of the vulnerability, including an exploit demonstration.

Shadowserver has reported rising exploit volume for the vulnerability.

“We observed CVE-2024-21893 exploitation using '/dana-na/auth/saml-logout.cgi' on Feb 2 hours before @Rapid7 posting and unsurprisingly lots to '/dana-ws/saml20.ws' after publication," Shadowserver posted on X.

"This includes reverse shell attempts and other checks.  To date, over 170 attacking IPs involved”.

The US Cyber and Infrastructure Security Agency (CISA) has directed US agencies to disconnect Ivanti Connect Secure units in service, and not reconnect them until they have been patched and had a factory reset.