Ivanti has discovered yet another serious security vulnerability in its VPN for business appliances and, what’s worse, it’s already being exploited en masse, researchers have found.
Ivanti had already uncovered two high-severity flaws in its Connect Secure products, CVE-2023-46805 and CVE-2024-21886, which were, at the time, mostly exploited by Chinese state-sponsored threat actors. Soon afterwards, reports came out of mass exploitation.
In the weeks following the news, Ivanti released the corresponding patches, and said that during the remediation process it discovered two additional flaws, CVE-2024-21888 and CVE-2024-21893. While one of them wasn’t picked up by hackers in any significant volume, the other one, 21893, was tested in at least 170 unique exploitation attempts.
Asking for permissions
Now, the newest Shadowserver data is showing mass exploitation, TechCrunch reports. Shadowserver’s chief executive, Piotr Kijewski, told the publication that late last week, the nonprofit observed more than 630 unique IPs attempting to exploit the flaw, which allows for remote access.
As was the case with the first two flaws, Ivanti patched these as well. However, that doesn’t necessarily translate to a completely fixed issue, as companies are often slow to patch, leaving themselves open to attacks. Connect Secure, a remote access VPN solution, is allegedly used by more than 40,000 customers, such as banks, healthcare firms, and education organizations.
Shadowserver initially showed some 22,500 instances exposed to the internet. This week, the number is down to 20,800, according to the same source, which means businesses are patching their endpoints, albeit at a slow(ish) pace.
Volexity founder Steven Adair gave an ominous warning, the publication said: “any unpatched devices accessible over the Internet have likely been compromised several times over.”