The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive mandating all federal agencies to immediately close two cyber vulnerabilities in widely-used products from software firm Ivanti. The vulnerabilities, CVE-2023-46805 and CVE-2024-21887, were discovered by Ivanti and could allow attackers to gain persistent system access, perform data exfiltration and move laterally across a target network. The directive requires agencies to implement Ivanti’s published mitigation, report to CISA on the presence of the affected products on agency networks, and take additional steps if indications of compromise are found. CISA will submit a report on agency progress and any outstanding issues with closing the vulnerabilities to the White House, Office of Management and Budget, and the Department of Homeland Security by 1 June 2024.
The vulnerabilities were discovered on 10 January, but CISA and Ivanti do not know how extensively they have been exploited. The Ivanti products are used by around 15 federal civilian agencies, and CISA believes the potential exposure on the federal civilian government to be limited. Though the broad threat and potential impact apply mainly to the private sector, the emergency directive also signals to private organisations to mitigate the vulnerabilities.
Sources told Federal News Network that in the year prior to the directive’s issuing, federal agencies had been focused on securing edge devices, so they became stronger in combating the vulnerabilities, even though persistent effort is still necessary. CISA’s executive assistant director for cyber, Eric Goldstein, said that China had perpetrated similar VPN software attacks — which could involve Ivanti products — in the past few years, though he did not specifically attribute this attack to China.