Ivanti Vulnerabilities Overview

In January 2024, a vulnerability was identified in Ivanti products, which may have been exploited as early as December 2023. Ivanti disclosed two vulnerabilities on January 10 in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) and two more on January 31.

As a result, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for all federal agencies to disconnect any affected Ivanti products by 11:59 p.m. on Friday, February 2. This was done to ensure that such software was removed from federal systems and to raise awareness among IT and system administrators across the U.S., who should consider similar action even if their organizations are not federally connected.

Ivanti has since released patches for all four Common Vulnerabilities and Exposures (CVEs) for their most used products, and the company recommends performing a workaround for products that don't yet have an available patch.

Palo Alto Networks Unit 42® continues to monitor the situation closely. Read the Unit 42 Threat Brief for the latest information and product mitigations.

How Do You Mitigate the Ivanti Vulnerabilities?

  1. 1. Secure your network

    Configure firewalls to block attacks against known signatures


    Known domains associated with this malicious activity are categorized as malicious by Advanced URL Filtering and DNS Security

  2. 2. Begin targeted threat hunting

    Hunt for the existence of suspicious files on Ivanti servers and other endpoints


    Look for lateral movement and other indicators

  3. 3. Monitor endpoints

    Ensure endpoints protect against post-exploitation activities


    Prioritize Cortex XDR alerts from systems which are connected to affected Ivanti device

  4. 4. Scan your attack surface

    Identify and secure all external-facing instances of impacted applications


    Insecure detections of Ivanti Connect Secure are enabled by default for all Cortex Xpanse customers.

  5. 5. Call for help

    Get a no-cost Unit 42 Ivanti Attack Surface Assessment


    Engage Unit 42 for incident response assistance 24/7

Palo Alto Networks Is Here To Help

Palo Alto Networks is committed to helping organizations stay secure. To help identify and mitigate any exposure caused by Ivanti vulnerabilities, we are offering a no-cost, no-obligation emergency bundle for your organization:

Unit 42 Ivanti Attack Surface Assessment

Unit 42 Ivanti Attack Surface Assessment

This assessment by the Unit 42 team will help to quickly identify any exposure to these vulnerabilities, identify any compromised assets, locate at-risk assets within your organization, and provide a detailed Assessment Report and tailored mitigation recommendations.

AND

Prisma Access 90 Day Offer

Prisma Access 90-Day Offer

If you are looking for an immediate VPN replacement, you can access our cloud-delivered ZTNA 2.0 solution, Prisma Access, free for 90 days with full deployment support included at no extra cost. If you are an existing Prisma Access customer, we can extend your implementation to additional users and sites at no cost for 90 days.

Disclaimer - This offer is promotional and is subject to availability. Due to the rapidly changing nature of this vulnerability, Palo Alto Networks reserves the right to update this offer.

Wendi Whitmore, SVP of Unit 42
Wendi WhitmoreSVP of Unit 42
quote

Vulnerabilities in software are increasing in speed and scale. That’s why it’s key to take proactive steps to understand your external facing attack surface in order to take corrective action quickly.

Wendi WhitmoreSVP of Unit 42

Expert Discussions

Understanding the Ivanti Vulnerabilities

Discover the latest insights into the critical vulnerabilities found in Ivanti's Connect Secure and Policy Secure products and get actionable strategies from Unit 42 security experts to better safeguard your organization.

Ivanti Mitigation Strategies and Expert Recommendations

Ivanti Vulnerability: What You Need to Know
ARTICLE

Ivanti Vulnerability: What You Need to Know

Read more
Emerging threat report thumbnail
THREAT BRIEF

Unit 42 Emerging Threat Report: Multiple Ivanti Vulnerabilities

Read more
Ivanti Attack Surface Assessment thumbnail
DATASHEET

Unit 42 Ivanti Attack Surface Assessment

Download

Palo Alto Networks Product Protection at a Glance

Palo Alto Networks customers receive protections from and mitigations for CVE-2023-46805 and CVE-2024-21887 in the following ways:

Cortex XDR and XSIAM Help protect against post-exploitation activities using the multi-layer protection approach.
Cortex Xpanse Customers can identify external-facing instances of impacted applications through the “Ivanti Connect Secure” and “Ivanti Policy Secure” attack surface rules.
Next-Generation Firewall with the Advanced Threat Prevention security subscriptionHelps block the attacks with best practices via Threat Prevention signatures. Advanced Threat Prevention could proactively detect this vulnerability before the public vulnerability disclosure.
Advanced WildFireIncludes added detection for the cryptominers used in these attacks.
Advanced URL Filtering and DNS SecurityHelp categorize as malicious known domains associated with this activity.
Advanced URL FilteringHelps categorize exploit and scanning attempts as Scanning Activity.

If you need help with a compromise or are looking for a proactive assessment to lower your risk, we can help you.

Contact Unit 42 team