Federal agencies have been instructed by the U.S. Cybersecurity Agency (or CISA) to immediately unplug Ivanti VPN appliances owing to the possibility of hostile exploitation resulting from several software deficiencies. Following the publication of an emergency directive last week, CISA has updated it to require that all federal civilian executive branch agencies.

It primarily includes the Securities & Exchange Commission & Homeland Security (SECHS), disconnecting all Ivanti VPN appliances. It happened mainly due to the "serious threat" posed by multiple zero-day vulnerabilities that malicious hackers are currently exploiting. Even though federal agencies often have weeks to fix vulnerabilities, CISA has mandated that Ivanti VPN appliances be disconnected in less than 48 hours.

The emergency directive was updated on Wednesday and states that “Agencies running affected products — Ivanti Connect Secure or Ivanti Policy Secure solutions — are required to perform the following tasks immediately: As soon as possible and no later than 11:59 PM on Friday, February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks.”

Hours after Ivanti said that it had discovered a third zero-day vulnerability that was being extensively exploited, CISA issued its warning. According to security experts, since December, at least two of the Ivanti Connect Secure vulnerabilities—tracked as CVE-2023-46805 and CVE-2024-21887—have been exploited by Chinese state-sponsored hackers.

On Wednesday, Ivanti announced that it has found two further vulnerabilities, CVE-2024-21888 and CVE-2024-21893, the latter of which has already been exploited in “targeted” attacks. Before now, CISA reported that it had “observed some initial targeting of federal agencies".

As of Thursday, TechCrunch was informed by Steven Adair, the founder of Volexity, a cybersecurity business, that at least 2,200 Ivanti devices have been compromised. Compared to the 1,700 figure the company recorded earlier this month, there has been a rise of 500; however, Volexity warns that the "total number is likely much higher."

In an update to its critical directive, CISA instructed agencies to keep auditing privilege-level access accounts, monitor authentication or identity management services that might be exposed, and carry out threat hunting on any systems linked to the compromised device even after disconnecting the compromised Ivanti products. Federal agencies do not yet have a deadline from CISA to get Ivanti appliances back online, but it has offered instructions on how to do so.

To get federal agencies back up, Adair told TechCrunch, “CISA has effectively directed them on a method for deploying what would be considered a completely fresh and patched install of VPN devices. This is probably the best course of action if any organization wants to be completely certain that their device is being operated from a known good and trusted state.”

This week, Ivanti released patches for a few software versions impacted by the three actively exploited vulnerabilities. Before this, CISA had issued an advisory alerting users to the possibility that malevolent attackers had circumvented the mitigations released for the first two vulnerabilities. In order to stop hackers from becoming persistent on their network, Ivanti also advised users to factory reset their equipment before applying patches.

Latest Updates