A critical server-side request forgery (SSRF) vulnerability (CVE-2024-21893) affecting Ivanti Connect Secure and Policy Secure products has been exploited at an alarming scale, raising significant concerns in the cybersecurity community.
The Shadowserver Foundation reported a surge in exploitation attempts, originating from over 170 distinct IP addresses, targeting the vulnerability to establish unauthorized access, including a reverse shell.
CVE-2024-21893 Ivanti Flaw Under Exploitation
The exploit targets CVE-2024-21893, a severe SSRF flaw within the SAML component of Ivanti’s products, enabling attackers to access restricted resources without authentication. Ivanti previously acknowledged targeted attacks on a limited number of customers but warned of escalated risks post-public disclosure.
Following the release of a proof-of-concept exploit by cybersecurity firm Rapid7, the situation worsened. The PoC combines CVE-2024-21893 with CVE-2024-21887, a previously patched command injection flaw, facilitating unauthenticated remote code execution.
It’s notable that CVE-2024-21893 is an SSRF vulnerability in the open-source Shibboleth XMLTooling library, resolved in June 2023. Security researcher Will Dormann highlighted additional outdated open-source components utilized by Ivanti VPN appliances, further exacerbating the risk landscape.
In response to evolving threats, Ivanti released a second mitigation file and initiated the distribution of official patches as of February 1, 2024, to address all identified vulnerabilities.
The severity of the situation is underscored by reports from Google-owned Mandiant, revealing threat actors’ exploitation of CVE-2023-46805 and CVE-2024-21887 to deploy various custom web shells, including BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.
In addition, Palo Alto Networks Unit 42’s findings revealed a concerning global exposure, with 28,474 instances of Ivanti Connect Secure and Policy Secure detected in 145 countries between January 26 and 30, 2024. Furthermore, 610 compromised instances were identified across 44 countries as of January 23, 2024.
The surge in exploitation proves the critical need for organizations to promptly apply patches and implement strict security measures to mitigate the risk posed by such vulnerabilities and their PoC exploits.