Remote Authentication Bypass Vulnerability Affects Ivanti ICS and Policy Secure
Key Information
- Vendor
- Ivanti
- Status
- ICS
- IPS
- Vendor
- CVE Published:
- 12 January 2024
Badges
Summary
The vulnerability identified as CVE-2023-46805 is a critical remote authentication bypass vulnerability affecting Ivanti ICS and Policy Secure, allowing a remote attacker to access restricted resources. This vulnerability has been exploited in the wild by a suspected espionage threat actor known as UNC5221, with Mandiant identifying zero-day exploitation as early as December 2023. The threat actor has leveraged custom malware families and post-exploitation tools to maintain access to compromised appliances, indicating deliberate and targeted attacks on high priority targets. Ivanti has released mitigations, and patches are being developed, but the impact of the exploitation is widespread, affecting various organizations globally, including government agencies, defense contractors, technology, banking, finance, and consulting sectors. The threat extends to over 1,700 exploited devices worldwide, and multiple threat actors have been observed with access to the exploit. The urgency to address the vulnerability is highlighted, with recommendations for customers to implement mitigations and apply patches as soon as possible.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2023-46805 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
ICS <= 9.1R18
ICS <= 22.6R2
IPS <= 9.1R18
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
watchTowr Labs - Blog CVE-2023-46805CVE-2024-21887watchTowr Labs - Blog
The epicentre of offensive security expertise and research at watchTowr - watchTowr Labs.
6 months ago
The Hacker News CVE-2023-46805CVE-2024-21887Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery
Ivanti Connect Secure (ICS) devices are under attack! Two critical vulnerabilities are being exploited to deploy the notorious Mirai botnet.
7 months ago
Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation
On Jan. 12, 2024, Mandiant published aĀ blog post detailing two high-impact zero-day vulnerabilities,Ā CVE-2023-46805 andĀ CVE-2024-21887, affecting Ivanti Connect Secure VPN (CS, formerly Pulse Secure) and...
8 months ago
EPSS Score
95% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- š„
Vulnerability reached the number 1 worldwide trending spot.
Vulnerability started trending.
Vulnerability published.
First article discovered by Bleeping Computer
- š¾
Exploit exists.
Vulnerability Reserved.