TLDR: Two zero-day vulnerabilities have been discovered in Ivanti Secure VPN, a popular VPN solution used by organizations worldwide. The vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, allow an attacker to execute code remotely without authentication and compromise affected systems. The vulnerabilities are currently being exploited in the wild by a Chinese threat actor known as UTA0178. The threat actor has been deploying webshells, modifying files, and stealing credentials. The majority of the exposed VPN appliances are located in the United States, followed by Japan and Germany. A mitigation method has been provided by Ivanti until a patch is available.
• Two zero-day vulnerabilities have been discovered in Ivanti Secure VPN, allowing remote code execution and compromise of affected systems.
• The vulnerabilities are being used in the wild by a Chinese threat actor known as UTA0178.
• Most of the exposed VPN appliances are located in the United States, followed by Japan and Germany.
• A mitigation method has been released by Ivanti until full patches are available.
Two zero-day vulnerabilities have been discovered in Ivanti Secure VPN, a popular VPN solution used by organizations worldwide. The vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, allow an attacker to execute code remotely without authentication and compromise affected systems. The vulnerabilities are particularly concerning because they are currently being exploited in the wild by a Chinese nation-state threat actor known as UTA0178.
The first vulnerability, CVE-2023-46805, is an authentication bypass vulnerability that allows an attacker to access restricted resources by bypassing control checks. The second vulnerability, CVE-2024-21887, is a command injection vulnerability that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands. Chained together, the authentication bypass removes the need for administrator credentials, which is how the pair yields unauthenticated remote code execution.
According to Patrice Auffret, founder and CEO of ONYPHE, a French cyber defense search engine, there are 29,664 Ivanti Secure VPN appliances connected to the internet. Of these, over 40% are located in the US, followed by Japan (14.3%) and Germany (8.48%).
The threat actor UTA0178 has been observed deploying webshells and modifying files to steal credentials and move from system to system. The attacker has been collecting newly harvested credentials on every system and dumping a full image of the Active Directory database. The threat actor also modified the JavaScript loaded by the web login page for the VPN appliance to capture any credentials provided.
To detect exploitation and mitigate these vulnerabilities, organizations are advised to perform network traffic analysis and VPN device log analysis, and to use the integrity checker tool provided by Ivanti. A mitigation method has been released by Ivanti until full patches are available.
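The idea behind the integrity-checking advice above, as an added example (not Ivanti's integrity checker tool and not code from the original article): it compares a known-good hash manifest of a file tree with the tree's current state and reports new, modified and missing files, which is where a dropped webshell or an altered login-page script would show up. The directory layout, file names and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between a known-good manifest and a current one."""
    return {
        # Paths absent from the baseline: where an unexpected file would appear.
        "new": sorted(current.keys() - baseline.keys()),
        # Same path, different digest: e.g. a login-page script that was altered.
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
        # Paths in the baseline that no longer exist.
        "missing": sorted(baseline.keys() - current.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample tree: take a baseline, then change one file and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "web").mkdir()
        (root / "web" / "login.js").write_text("function submit(){ post(form); }\n")
        (root / "web" / "index.html").write_text("<html>login</html>\n")
        baseline = build_manifest(root)  # must be taken from a known-good state
        # Constructed stand-ins for the two kinds of change the article describes.
        (root / "web" / "login.js").write_text("function submit(){ post(form); }\n// changed\n")
        (root / "web" / "unexpected.cgi").write_text("placeholder\n")
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as trustworthy as the baseline and the place it runs: a manifest stored on, or computed by, the system being checked can be altered along with the files.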