The recent SSRF vulnerability in Ivanti VPN products is being actively exploited by threat actors, according to the Shadowserver Foundation. The attacks target the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA, allowing attackers to access restricted resources without authentication. The exploitation attempts have originated from over 170 unique IP addresses and involve establishing a reverse shell on the appliance. Ivanti has released initial mitigations and has now begun releasing official patches to address the vulnerability. However, threat actors have found ways to bypass the initial mitigation, leading Ivanti to release a second mitigation file.
Last week, cybersecurity firm Rapid7 released a proof-of-concept exploit that chains the SSRF flaw with a previously patched command injection flaw to achieve unauthenticated remote code execution. Additionally, security researcher Will Dormann pointed out that the Ivanti VPN appliances ship with out-of-date open-source components, leaving them exposed to further attacks.
Palo Alto Networks Unit 42 has observed 28,474 exposed instances of Ivanti Connect Secure and Policy Secure in 145 countries, with 610 compromised instances detected in 44 countries. These instances have been targeted by threat actors deploying custom web shells.