CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits

CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products.

The development arrives as the vulnerabilities – an authentication bypass (CVE-2023-46805) and a code injection bug (CVE-2024-21887) – have come under widespread exploitation by multiple threat actors. The flaws allow a malicious actor to craft malicious requests and execute arbitrary commands on the system.

The U.S. company acknowledged in an advisory that it has witnessed a “sharp increase in threat actor activity” starting on January 11, 2024, after the shortcomings were publicly disclosed.

In addition, FCEB entities are urged to revoke and reissue any stored certificates, reset the admin enable password, store API keys, and reset the passwords of any local user defined on the gateway.

Cybersecurity firms Volexity and Mandiant have observed attacks weaponizing the twin flaws to deploy web shells and passive backdoors for persistent access to infected appliances. As many as 2,100 devices worldwide are estimated to have been compromised to date.

The initial attack wave identified in December 2023 has been attributed to a Chinese nation-state group that is being tracked as UTA0178. Mandiant is keeping tabs on the activity under the moniker UNC5221, although it has not been linked to any specific group or country.

Threat intelligence firm GreyNoise said it has also observed the vulnerabilities being abused to drop persistent backdoors and XMRig cryptocurrency miners, indicating opportunistic exploitation by bad actors for financial gain.