Ivanti warned on Wednesday that hackers are exploiting another previously undisclosed zero-day vulnerability affecting its widely used corporate VPN appliance.
Since early December, Chinese state-backed hackers have been exploiting Ivanti Connect Secure's flaws — tracked as CVE-2023-46805 and CVE-2024-21887 — to break into customer networks and steal information.
Ivanti is now warning that it has discovered two additional flaws — tracked as CVE-2024-21888 and CVE-2024-21893 — affecting its Connect Secure VPN product. The former is described as a privilege escalation vulnerability, while the latter — known as a zero-day because Ivanti had no time to fix the bug before hackers began exploiting it — is a server-side bug that allows an attacker access to certain restricted resources without authentication.
In its updated disclosure, Ivanti said it has observed “targeted” exploitation of the server-side bug. Germany's Federal Office for Information Security, known as the BSI, said in a translated advisory on Wednesday that it has knowledge of “multiple compromised systems.”
The BSI added that the newly discovered vulnerabilities, particularly the server-side bug, "put all previously mitigated systems at risk again." Ivanti confirmed it expects “a sharp increase in exploitation" once specifics of the vulnerability are made public.
Ivanti has not attributed these intrusions to a particular threat group. Cybersecurity companies Volexity and Mandiant previously attributed the exploitation of the initial round of Connect Secure bugs to a China government-backed hacking group motivated by espionage. Volexity also said it had observed additional hacking groups actively exploiting the bugs.
Ivanti updated its count of affected customers to "less than 20." When reached by TechCrunch on Wednesday, Kareena Garg, an agency spokesperson representing Ivanti, would not say how many customers are affected by the new vulnerabilities.
However, Volexity said earlier this month that at least 1,700 Ivanti Connect Secure appliances worldwide had been exploited by the first round of flaws, affecting organizations in the aerospace, banking, defense, government and telecommunications industries, though the number was likely to be far higher.
This is particularly true in light of a CISA advisory released on Tuesday, which warned that attackers had bypassed workarounds for current mitigations and detection methods.
Ivanti’s disclosure of the new zero-day comes on the same day that the company released a patch to protect against the previously disclosed — and subsequently widely exploited — Connect Secure vulnerabilities, albeit a week later than the company had originally planned. Ivanti spokesperson Garg told TechCrunch that the patches also protect against the two new vulnerabilities disclosed on Wednesday.
It’s unclear whether the patch is available to all Ivanti Connect Secure users, as the company previously said that it planned to release the patch on a “staggered” basis starting January 22. Ivanti is now advising that customers “factory reset their appliance before applying the patch to prevent the threat actor from gaining upgrade persistence in your environment.”