Chinese hackers exploit Ivanti VPN zero days for RCE attacks
Two critical-severity zero-day vulnerabilities in devices running Ivanti VPN services are being actively exploited by Chinese nation-state actors for unauthenticated remote code execution, according to Volexity research.
Tracked as CVE-2023-46805 and CVE-2024-21887, the vulnerabilities, with CVSS scores of 8.2 and 9.1 respectively, were discovered in Ivanti Connect Secure (formerly known as Pulse Connect Secure), a remote access VPN solution for remote and mobile users who need access to corporate resources.
“Upon learning of the vulnerability, we immediately mobilized resources and mitigation is available now,” Ivanti said in a security advisory. “We are providing mitigation now while the patch is in development to prioritize the best interest of our customers.”
Vulnerabilities chained together for unauthenticated RCE
The zero-days were identified by the researchers during the second week of December, when they detected suspicious lateral movement on the network of one of Volexity’s Network Security Monitoring service customers. The malicious activity was eventually traced back to the organization’s Internet-facing Ivanti Connect Secure (ICS) VPN appliance.
The researchers found that the two vulnerabilities were chained together to achieve complete unauthenticated remote code execution. Individually, CVE-2023-46805 is an authentication-bypass vulnerability, while CVE-2024-21887 is a command injection vulnerability.
“When combined, these two vulnerabilities make it trivial for attackers to run commands on the system,” Volexity said in a blog post. “In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.”