
Ivanti: Backdoor suspected in exploited VPN products post-mitigation

Ivanti reported that it believes malicious code has been added to exploited Connect Secure and Policy Secure products that gives a threat actor continued access, even after the mitigation is applied.

The Utah-based IT security firm updated its advisory for the vulnerabilities affecting the VPN products on Jan. 19. Ivanti had disclosed CVE-2023-46805 and CVE-2024-21887, which carry CVSS ratings of 8.2 and 9.1 respectively, together with a mitigation on Jan. 10, and found shortly afterward that the vulnerabilities were being actively exploited.

Together, the vulnerabilities allow a threat actor to craft malicious requests and execute arbitrary commands on the system. Cybersecurity firm Volexity said the flaws were being exploited by the China-linked threat group UTA0178 to conduct cyberespionage. 

In addition to providing a timeline of events, Ivanti said it observed a sharp increase in threat activity after disclosing information about the vulnerabilities. It noted that the threat actor targeted “the configuration and running cache of the system, which contains the secrets important to the operation of the VPN,” and inserted malicious code in the form of a web shell.

Ivanti stated, “The purpose of this Web shell is to provide a backdoor to the gateway after the vulnerability is mitigated; for this reason we are recommending customers revoke and replace certificates to prevent further exploitation after mitigation. The mitigation we have provided blocks both vulnerabilities and the Web shell currently being used in the post-advisory activity we are currently tracking.”

The company urged its customers to apply the mitigations immediately and offered additional steps to take, including backing up the appliance's configuration and performing a factory reset or upgrade.

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another vulnerability in an Ivanti product to its Known Exploited Vulnerabilities (KEV) catalog: a critical authentication bypass vulnerability in Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core.

CVE-2023-35082, which has a CVSS rating of 10 and was first published to NIST’s National Vulnerability Database in August, was added to the KEV catalog on Jan. 18. The bug allows “unauthorized users access to restricted functionality or resources of the application without proper authentication,” the company wrote in its August advisory for MobileIron Core, which has since been patched.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
