Ivanti VPN Software Has Zero Days That Are Allowing State Sponsored Hackers To Pwn All The Things
Ivanti isn’t having a great new year so far. Hot on the heels of this news comes word that the company has confirmed that hackers are exploiting two critical-rated vulnerabilities affecting its widely-used corporate VPN appliance. But the news is actually worse than that. Apparently there are no patches available, and the vulnerabilities are being used by state-sponsored actors to pwn companies.
Yikes!
Here’s the details:
Ivanti said the two vulnerabilities — tracked as CVE-2023-46805 and CVE-2024-21887 — were found in its Ivanti Connect Secure software. Formerly known as Pulse Connect Secure, this is a remote access VPN solution that enables remote and mobile users to access corporate resources over the internet. Ivanti said it is aware of “less than 10 customers” impacted so far by the “zero day” vulnerabilities, described as such given Ivanti had zero time to fix the flaws before they were maliciously exploited.
So, according to the company, “less than 10 customers” that it is aware of have been impacted by this. Meaning there could be way more who are impacted and either don’t know that they have been pwned, or haven’t told Ivanti that they got pwned.
That’s not good.
What’s even worse is that patches for the two vulnerabilities will be released on a staggered basis starting the week of January 22 and running through mid-February. Companies should follow Ivanti’s mitigation guidance in the meantime. The U.S. cybersecurity agency CISA has also published an advisory on this. But you have to ask why Ivanti is waiting to roll out patches for what is clearly a today problem. I don’t know and the company won’t say. That has to be a major concern, and perhaps it should push you to look at some other VPN or remote access solution.