Ivanti warns of yet another zero-day in Connect Secure and Policy Secure products

Ivanti warns of yet another zero-day in Connect Secure and Policy Secure products

Ivanti has released a security advisory warning of two new vulnerabilities in its Connect Secure and Policy Secure products, one of which is being exploited in the wild.

The zero-day flaw in question (CVE-2024-21893) is a server-side request forgery (SSRF) issue that stems from insufficient validation of user-supplied input within the SAML component. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. Successful exploitation of this vulnerability could allow a remote attacker to gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Ivanti has not shared info on the nature of the exploitation, only noting that “the exploitation of CVE-2024-21893 appears to be targeted” and that it expects “a sharp increase in exploitation once this information is public.”

The second vulnerability discovered as part of the ongoing investigation into CVE-2023-46805 and CVE-2024-21887, exploited by the China-linked threat actor tracked as UNC5221/UTA0178, is a privilege escalation flaw (CVE-2024-21888) that could allow a remote user to bypass implemented security restrictions and gain administrative privileges. Currently, there’s no indication that this vulnerability is being exploited in the wild.

Following public disclosure, CVE-2023-46805 and CVE-2024-21887 have come under mass exploitation by other threat actors to drop XMRig cryptocurrency miners as well as Rust-based payloads. Security researchers have also spotted a new version of one of the web shells known as Wirefire (aka Giftedvisitor) leveraged by a Chinese threat actor in attacks targeting Ivanti Connect Secure zero-days. This version was modified to bypass detection mechanisms and to avoid detections by public YARA rules.

In addition, Synacktiv researchers observed threat actors exploiting CVE-2023-46805 and CVE-2024-21887 to deliver a Rust-based malware called “KrustyLoader” to deploy Sliver, a Golang-based cross-platform post-exploitation framework used by malicious actors as an alternative to the Cobalt Strike tool.

Back to the list

Latest Posts

DragonForce ransomware breaches MSPs via recently patched SimpleHelp flaws

DragonForce ransomware breaches MSPs via recently patched SimpleHelp flaws

After breaching the MSP, the attackers utilized SimpleHelp to gather intelligence across client environments.
28 May 2025
Spain dismantles intelligence network behind cyberattacks on critical infrastructure

Spain dismantles intelligence network behind cyberattacks on critical infrastructure

Among the recovered data were personal records tied to millions of citizens, including school records, civil registries, phone logs, and utility billing information.
28 May 2025
Iranian national pleads guilty in major Robbinhood ransomware scheme

Iranian national pleads guilty in major Robbinhood ransomware scheme

The attacks, which began in early 2019, resulted in tens of millions of dollars in damages.
28 May 2025
Popular Posts
Featured vulnerabilities
Privilege escalation in WatchGuard Mobile VPN with SSL for Windows
Low Not Patched | 28 May, 2025
Privilege escalation in dMSA in Microsoft Windows Server
Medium Not Patched | 28 May, 2025
Veritas Desktop Laptop Option update for third-party components
Сritical Patched | 28 May, 2025
Stored cross-site scripting in Bon Toolkit plugin for WordPress
Low Not Patched | 28 May, 2025
Stored cross-site scripting in Weluka Lite plugin for WordPress
Low Not Patched | 28 May, 2025