In a recent development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Friday, urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws found in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products.
The vulnerabilities, an authentication bypass (CVE-2023-46805) and a command injection bug (CVE-2024-21887), are under widespread exploitation by multiple threat actors. Chained together, they allow an attacker to craft malicious requests that bypass authentication and execute arbitrary commands on the affected appliances.
Acknowledging a significant increase in threat actor activity since January 11, 2024, Ivanti revealed the potential consequences of successful exploitation. Threat actors could move laterally, perform data exfiltration, and establish persistent system access, ultimately leading to the full compromise of target information systems.
Ivanti plans to release a patch for the flaws in the coming week. In the interim, it has provided a temporary mitigation in the form of an XML file that, once imported into an affected appliance, applies the required configuration changes.
CISA is urging organizations running ICS to apply the mitigation promptly and to run Ivanti's External Integrity Checker Tool to look for signs of compromise. If compromise is detected, affected systems should be disconnected from the network, the device reset, and the provided XML mitigation file imported before it is returned to service.
Threat intelligence firm GreyNoise reported opportunistic exploitation by bad actors for financial gain. They observed the vulnerabilities being abused to drop persistent backdoors and XMRig cryptocurrency miners, emphasizing the multifaceted threats posed by these actively exploited zero-day flaws.