Alert

Updated: New Software Updates and Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways

Note: CISA will update this Alert with more information as it becomes available.

Updated Feb. 15, 2024:

On Feb. 14, 2024, Ivanti released new software updates for Ivanti Connect Secure and Ivanti Policy Secure. Review Ivanti's updated KB article for more information.  

End of Feb. 15 update

Updated Feb. 9, 2024:

CISA urges organizations to follow the updated guidance—including software updates—that Ivanti has published to their KB article, which includes:

  • A newly disclosed XML external entity injection (XXE) vulnerability (CVE-2024-22024) affecting:
    • Connect Secure supported versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2
    • Policy Secure supported versions 22.5R1.1 and ZTA version 22.6R1.3
  • A cyber threat actor could exploit CVE-2024-22024 to take control of an affected system. Ivanti’s KB article includes software updates that cover this vulnerability.
  • Additionally, on Feb. 8, 2024, Ivanti released software updates for all previously reported Ivanti Connect Secure and Policy Secure Gateways vulnerabilities in Ivanti devices (CVE-2024-21888, CVE-2024-21893, CVE-2023-46805, and CVE-2024-21887). Note: According to Ivanti, the Feb. 8 updates replace the earlier Jan. 31 and Feb. 1 updates. See the KB article for specific guidance on implementing the updates.

Additionally, CISA has issued version 2 of its Supplemental Direction to its Emergency Directive on Ivanti Vulnerabilities. Although the Supplemental Direction and Emergency Directive are only for FCEB agencies, CISA strongly encourages all organizations to review the guidance and implement it as applicable.

End of Feb. 9 update

Updated Jan. 31, 2024:

CISA urges organizations to follow the updated guidance—including software updates—that Ivanti has published to their KB article, which includes:

  • Two additional vulnerabilities in all supported versions (9.x and 22.x) of Ivanti Connect Secure and Policy Secure Gateways:
  • A cyber threat actor could exploit CVE-2024-21888 and CVE-2024-21893 to take control of an affected system. Ivanti’s KB article includes software updates that cover these vulnerabilities in specific versions of the software as well as mitigations for affected software versions that do not yet have updates.
  • Software updates are also available for the previously reported Ivanti Connect Secure and Policy Secure Gateways vulnerabilities in Ivanti devices (CVE-2023-46805 and CVE-2024-21887). Note: See the KB article for the specific versions that these updates apply to as well as specific guidance on implementing the updates. Ivanti will publish additional information and software updates to the KB article as these become available.

Additionally, CISA has issued a Supplemental Direction to its Emergency Directive on Ivanti Vulnerabilities. Although the Supplemental Direction and Emergency Directive are only for FCEB agencies, CISA strongly encourages all organizations to review the guidance and implement it as applicable.

End of Jan. 31 update

CISA is releasing this alert to provide cyber defenders with new mitigations to defend against threat actors exploiting Ivanti Connect Secure and Policy Secure Gateways vulnerabilities in Ivanti devices (CVE-2023-46805 and CVE-2024-21887).  

Threat actors are continuing to leverage vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways to capture credentials and/or drop webshells that enable further compromise of enterprise networks. Some threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection. CISA is aware of instances in which sophisticated threat actors have subverted the external integrity checker tool (ICT), further minimizing traces of their intrusion.  

If an organization has been running Ivanti Connect Secure (9.x and 22.x) and Policy Secure gateways over the last several weeks and/or continues to run these products, CISA recommends continuous threat hunting on any systems connected to—or recently connected to—the Ivanti device. Additionally, organizations should monitor authentication, account usage, and identity management services that could be exposed and isolate the system(s) from any enterprise resources as much as possible.  

After applying patches, when these become available, CISA recommends that organizations continue to hunt their network in order to detect any compromise that may have occurred before patches were implemented.  

This guidance supplements CISA’s previous guidance for mitigation and detection, which remains applicable. For previous guidance, see "CISA Issues Emergency Directive on Ivanti Vulnerabilities" and "Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways".
