Ivanti Vulnerabilities Overview

In January 2024, Ivanti disclosed vulnerabilities in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS). Two were published on January 10: an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) that attackers had been chaining together in the wild as early as December 2023. Two more were disclosed on January 31.

As a result, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 24-01, and on January 31 supplemented it with an order for all federal civilian agencies to disconnect affected Ivanti products from their networks by 11:59 p.m. EST on Friday, February 2. The intent was to keep vulnerable appliances off federal networks until they could be rebuilt and patched, and to raise awareness among IT and system administrators across the U.S., who should consider similar action even if their organizations are not federally connected.

Ivanti has since released patches for all four Common Vulnerabilities and Exposures (CVEs) for its most widely used product versions, and recommends applying its published mitigation to versions for which a patch is not yet available.

Palo Alto Networks Unit 42 continues to monitor the situation closely. Read the Unit 42 Threat Brief for the latest information and product mitigations.

How Do You Mitigate the Ivanti Vulnerabilities?

  1. Secure your network

    Configure firewalls to block exploitation attempts that match the published threat signatures

    Known domains associated with this malicious activity are categorized as malicious by Advanced URL Filtering and DNS Security

  2. Begin targeted threat hunting

    Hunt for suspicious files on Ivanti appliances and on other endpoints they communicate with

    Look for lateral movement and other indicators of post-exploitation activity

  3. Monitor endpoints

    Ensure endpoint protection is in place to catch post-exploitation activity

    Prioritize Cortex XDR alerts from systems that are connected to affected Ivanti devices

  4. Scan your attack surface

    Identify and secure all external-facing instances of impacted applications

    Cortex Xpanse attack surface rules that flag exposed Ivanti Connect Secure instances are enabled by default for all customers

  5. Call for help

    Get a no-cost Unit 42 Ivanti Attack Surface Assessment

    Engage Unit 42 for incident response assistance 24/7
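Step 4, finding every externally reachable Ivanti Connect Secure instance, is something a team can start on its own before a vendor scan arrives. The script below is an added example, not Palo Alto Networks, Unit 42 or Ivanti code. It fingerprints an ICS login portal from a single unauthenticated GET / response; the indicators it uses (a redirect into the /dana-na/ login path, the DSSIGNIN session cookie, and /dana-na/ references in the login page) are the editor's assumptions about the appliance's default web front end, not facts stated on this page. The sample responses are constructed inline so the logic runs offline; the `probe()` helper performs the live request when host names are passed on the command line. A hit is a lead to verify against your asset register, not proof of exposure.

```python
"""Fingerprint externally reachable Ivanti Connect Secure (ICS) portals.

Added example for the "scan your attack surface" step; not Palo Alto Networks,
Unit 42 or Ivanti code. The indicators are the editor's assumptions about the
ICS default web front end (the /dana-na/ login path and the DSSIGNIN cookie).
"""
import http.client
import ssl
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class HttpResponse:
    host: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names
    body: str = ""


def fingerprint(resp: HttpResponse) -> List[str]:
    """Return the names of the ICS indicators present in one HTTP response."""
    hits: List[str] = []
    # Assumption: an unauthenticated GET / on ICS redirects into /dana-na/
    location_path = urlparse(resp.headers.get("location", "")).path.lower()
    if resp.status in (301, 302, 303, 307, 308) and "/dana-na/" in location_path:
        hits.append("redirect-to-dana-na")
    # Assumption: the portal sets a DSSIGNIN cookie before any login
    if "dssignin=" in resp.headers.get("set-cookie", "").lower():
        hits.append("dssignin-cookie")
    # Assumption: the rendered login page references /dana-na/ resources
    if "/dana-na/" in resp.body.lower():
        hits.append("dana-na-in-body")
    return hits


def inventory(responses: List[HttpResponse]) -> Dict[str, List[str]]:
    """Map each host showing at least one indicator to the indicators hit."""
    return {r.host: hits for r in responses if (hits := fingerprint(r))}


def probe(host: str, timeout: float = 5.0) -> HttpResponse:
    """Fetch GET / over TLS without following redirects (live use only).

    Certificate verification is disabled on purpose: inventory scans routinely
    hit appliances with self-signed certificates and no secrets are sent.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    conn.request("GET", "/")
    r = conn.getresponse()
    headers: Dict[str, str] = {}
    for name, value in r.getheaders():  # fold repeated headers (e.g. Set-Cookie)
        key = name.lower()
        headers[key] = f"{headers[key]}; {value}" if key in headers else value
    body = r.read(65536).decode("utf-8", "replace")
    conn.close()
    return HttpResponse(host, r.status, headers, body)


# Constructed sample responses (not captured traffic) to exercise the logic.
SAMPLE_RESPONSES = [
    HttpResponse(
        "vpn.example.test", 302,
        {"location": "https://vpn.example.test/dana-na/auth/url_default/welcome.cgi",
         "set-cookie": "DSSIGNIN=url_default; path=/; secure"},
    ),
    HttpResponse(
        "www.example.test", 200,
        {"server": "nginx", "content-type": "text/html"},
        "<html><body>Welcome</body></html>",
    ),
    HttpResponse(
        "portal.example.test", 200,
        {"content-type": "text/html"},
        '<form action="/dana-na/auth/url_default/login.cgi">',
    ),
]


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:]
    responses = [probe(h) for h in hosts] if hosts else SAMPLE_RESPONSES
    for host, hits in inventory(responses).items():
        print(f"{host}: {', '.join(hits)}")
```

Run it with no arguments to see the constructed samples classified, or with one or more host names to probe them live. Because the live request never follows the redirect, the check stays a single round trip per host and does not touch the login endpoint itself.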

Palo Alto Networks Is Here To Help

Palo Alto Networks is committed to helping organizations stay secure. To help identify and mitigate any exposure caused by Ivanti vulnerabilities, we are offering a no-cost, no-obligation emergency bundle for your organization:

Unit 42 Ivanti Attack Surface Assessment


This assessment by the Unit 42 team will help to quickly identify any exposure to these vulnerabilities, identify any compromised assets, locate at-risk assets within your organization, and provide a detailed Assessment Report and tailored mitigation recommendations.

AND

Prisma Access 90 Day Offer


If you are looking for an immediate VPN replacement, you can access our cloud-delivered ZTNA 2.0 solution, Prisma Access, free for 90 days with full deployment support included at no extra cost. If you are an existing Prisma Access customer, we can extend your implementation to additional users and sites at no cost for 90 days.

Disclaimer - This offer is promotional and is subject to availability. Due to the rapidly changing nature of this vulnerability, Palo Alto Networks reserves the right to update this offer.

Wendi Whitmore, SVP of Unit 42:

"Vulnerabilities in software are increasing in speed and scale. That's why it's key to take proactive steps to understand your external facing attack surface in order to take corrective action quickly."

Expert Discussions

Understanding the Ivanti Vulnerabilities

Discover the latest insights into the critical vulnerabilities found in Ivanti's Connect Secure and Policy Secure products and get actionable strategies from Unit 42 security experts to better safeguard your organization.

Ivanti Mitigation Strategies and Expert Recommendations

ARTICLE: Ivanti Vulnerability: What You Need to Know

THREAT BRIEF: Unit 42 Emerging Threat Report: Multiple Ivanti Vulnerabilities

DATASHEET: Unit 42 Ivanti Attack Surface Assessment

Palo Alto Networks Product Protection at a Glance

Palo Alto Networks customers receive protections from and mitigations for CVE-2023-46805 and CVE-2024-21887 in the following ways:

Cortex XDR and XSIAM: help protect against post-exploitation activities using a multi-layer protection approach.

Cortex Xpanse: customers can identify external-facing instances of impacted applications through the "Ivanti Connect Secure" and "Ivanti Policy Secure" attack surface rules.

Next-Generation Firewall with the Advanced Threat Prevention subscription: helps block the attacks through Threat Prevention signatures applied with best-practice configuration. Advanced Threat Prevention could proactively detect exploitation attempts before the vulnerabilities were publicly disclosed.

Advanced WildFire: includes added detection for the cryptominers used in these attacks.

Advanced URL Filtering and DNS Security: categorize known domains associated with this activity as malicious.

Advanced URL Filtering: categorizes exploit and scanning attempts as Scanning Activity.

If you need help with a compromise or are looking for a proactive assessment to lower your risk, we can help you.

Contact Unit 42 team