The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning government agencies to patch recently discovered Ivanti flaws immediately, as they’re being used in the wild to compromise vulnerable endpoints.
CISA’s alert warns Federal Civilian Executive Branch (FCEB) agencies of two flaws: CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (code injection).
The vulnerabilities were found in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS), and allow threat actors to run arbitrary commands on the endpoints.
Thousands of victims
Since January 11 this year, a “sharp increase” in attacks has been observed, CISA warned. Government agencies don’t seem to be exclusive targets, though, as researchers observed organizations being targeted indiscriminately. Both small businesses and some of the world’s largest organizations, operating in industries including aerospace, banking, defense, and government, have fallen prey so far.
“Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems,” the agency said.
Ivanti has yet to release a patch for the flaws. In the meantime, it has published mitigation measures, which include importing an XML file into affected products to apply the necessary reconfigurations.
Furthermore, CISA said businesses should first run an External Integrity Checker Tool to see whether their endpoints have been compromised. If any signs of foul play are found, the devices need to be disconnected, reset, and then have the XML file applied. FCEB agencies also need to revoke and reissue certificates, reset admin credentials, store API keys, and reset local user passwords.