State-backed Hackers Exploiting New Ivanti VPN Zero-days


Malicious hackers have begun mass-exploiting two critical zero-day vulnerabilities in Ivanti Connect Secure, Ivanti's widely used corporate VPN appliance. According to cybersecurity company Volexity, the two flaws, tracked as CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), were unpatched at the time of writing and are being chained by hackers Volexity assesses to be China state-backed to gain unauthenticated code execution on the appliance, infiltrate customer networks and steal information. Volexity has evidence of mass exploitation, with over 1,700 Ivanti Connect Secure appliances worldwide affected, impacting organizations in industries including aerospace, banking, defense, government, and telecommunications.

Key Takeaway

State-backed hackers are exploiting two critical zero-day vulnerabilities in Ivanti’s corporate VPN appliance, affecting organizations globally. While patches are pending, administrators are advised to apply mitigation measures to protect their networks.

Mass Exploitation and Impact

Volexity’s findings reveal that the victims of these exploits are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across many industry verticals. The security firm notes that Ivanti VPN appliances were targeted indiscriminately, affecting corporate victims worldwide. The true number of compromised organizations is likely far higher than 1,700: more than 17,000 Ivanti VPN appliances are visible on the internet, including over 5,000 in the United States.

Confirmation and Response

Ivanti confirmed the mass exploitation and stated that the attacks appear to have started on January 11, the day after the vulnerabilities were disclosed. The company plans to release fixes on a “staggered” basis starting the week of January 22. Until a patch is available for their version, administrators are advised to apply Ivanti's interim mitigation to every affected VPN appliance on their network and to run Ivanti's Integrity Checker Tool to look for signs of compromise, then reset passwords and API keys and revoke and reissue any certificates stored on the affected appliances, since an attacker who has already exploited the device may have harvested them.
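Before any of the mitigation above can be applied, an organization has to know which of its internet-facing hosts are Ivanti Connect Secure appliances at all, which is the inventory problem behind the 17,000 exposed-appliance figure. The following script is an added example, not code from the article, from Volexity or from Ivanti. It classifies captured HTTP responses using long-standing, public defaults of the product (the /dana-na/auth/url_*/welcome.cgi sign-in path and the DSSIGNIN / DSID cookie family); the sample responses and hostnames are constructed, and the optional live probe only fetches the front page. Nothing in it touches either CVE.

```python
"""Inventory helper: recognise Ivanti Connect Secure (formerly Pulse Connect Secure)
login surfaces from plain HTTP responses, so exposed appliances can be located and
mitigated. Added example, not the article's or Ivanti's code.

Indicators (well-known product defaults, not taken from the advisory):
  * redirect or link to /dana-na/auth/url_<realm>/welcome.cgi (default sign-in page)
  * Set-Cookie names DSSIGNIN / DSID / DSLastAccess / DSBrowserID
  * the literal string "dana-na" anywhere in the body
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
import re
import ssl
import urllib.error
import urllib.request

ICS_COOKIES = ("DSSIGNIN", "DSID", "DSLastAccess", "DSBrowserID")
ICS_PATH_RE = re.compile(r"/dana-na/auth/url_[A-Za-z0-9_]+/welcome\.cgi")


@dataclass
class HttpSample:
    """One captured (or, below, constructed) HTTP response for a host."""
    host: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def ics_indicators(sample: HttpSample) -> List[str]:
    """Names of the indicators that fire for this response; empty means 'not ICS'."""
    hits: List[str] = []
    if ICS_PATH_RE.search(_header(sample.headers, "Location")):
        hits.append("redirect-to-dana-na")
    set_cookie = _header(sample.headers, "Set-Cookie")
    for name in ICS_COOKIES:
        # Cookie name must start a cookie, not appear inside another value.
        if re.search(rf"(^|[;,\s]){name}=", set_cookie):
            hits.append(f"cookie-{name}")
    if ICS_PATH_RE.search(sample.body) or "dana-na" in sample.body:
        hits.append("body-dana-na")
    return hits


def looks_like_ics(sample: HttpSample) -> bool:
    return bool(ics_indicators(sample))


def triage(samples: List[HttpSample]) -> Tuple[List[str], List[str]]:
    """Split an inventory into (probable ICS hosts, everything else), keeping order."""
    exposed = [s.host for s in samples if looks_like_ics(s)]
    other = [s.host for s in samples if not looks_like_ics(s)]
    return exposed, other


def _headers_to_dict(msg) -> Dict[str, str]:
    """Flatten an http.client.HTTPMessage, joining repeated headers (e.g. Set-Cookie)."""
    return {key: ", ".join(msg.get_all(key)) for key in set(msg.keys())}


def probe(host: str, timeout: float = 5.0) -> HttpSample:
    """Live probe (needs network): GET https://host/ without following redirects.
    Appliances commonly present self-signed certificates, so verification is
    disabled for this fingerprint only; no credentials are sent."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx as an HTTPError so we can read Location

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(f"https://{host}/", headers={"User-Agent": "ics-inventory/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return HttpSample(host, resp.status, _headers_to_dict(resp.headers),
                              resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry useful headers
        return HttpSample(host, err.code, _headers_to_dict(err.headers),
                          err.read(65536).decode("utf-8", "replace"))


# Constructed sample responses (hostnames under .test are reserved and not real).
SAMPLES = [
    HttpSample("vpn.example.test", 302,
               {"Location": "/dana-na/auth/url_default/welcome.cgi",
                "Set-Cookie": "DSSIGNIN=url_default; path=/dana-na/; secure"}),
    HttpSample("www.example.test", 200, {"Server": "nginx"},
               "<html><body>Hello</body></html>"),
    HttpSample("portal.example.test", 200, {},
               '<a href="/dana-na/auth/url_default/welcome.cgi">Sign in</a>'),
]

if __name__ == "__main__":
    exposed, other = triage(SAMPLES)
    print("probable Ivanti Connect Secure hosts:", exposed)
    print("not ICS:", other)
```

Run against a list of your own external hostnames by replacing SAMPLES with `[probe(h) for h in hosts]`; a hit is a prompt to check the appliance's version against Ivanti's advisory and apply the mitigation, not proof of compromise.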

No Ransomware Yet

Despite the mass exploitation, there is no evidence of ransomware involvement at this point. Security researchers do, however, anticipate ransomware groups deploying these flaws once working exploit code circulates publicly, and that window may be short: proof-of-concept code capable of exploiting the Ivanti zero-days already exists.
