The Shocking Truth about the Latest Ivanti RCE Vulnerability: 16,000 VPN Gateways at Risk!


    There are an estimated 16,500 Ivanti Connect Secure and Policy Secure gateways exposed on the internet that are likely susceptible to a recently patched remote code execution (RCE) flaw. The vulnerability, tracked as CVE-2024-21894, is a high-severity heap overflow in the IPSec component of Ivanti Connect Secure 9.x and 22.x. It could allow unauthenticated attackers to cause a denial of service (DoS) or achieve RCE by sending specially crafted requests.

    On April 3, 2024, after the flaw was disclosed, the internet search engine Shodan registered 29,000 publicly accessible instances, while threat monitoring service Shadowserver reported approximately 18,000. In response, Ivanti has urged its customers to apply the necessary updates as soon as possible, stating that there have been no signs of active exploitation thus far.

    However, as of April 5, Shadowserver has added CVE-2024-21894 to its scanning capabilities, revealing that around 16,500 instances are still vulnerable to this RCE flaw.

    [Figure: Vulnerable Ivanti endpoints worldwide (Shadowserver)]

    The United States has the highest number of these vulnerable instances with 4,700, followed by Japan (2,000), the UK (1,000), Germany (900), France (900), China (500), the Netherlands (500), Spain (500), Canada (330), India (330), and Sweden (320). These numbers indicate a significant level of exposure worldwide.

    Ivanti products have a history of high-risk vulnerabilities that have led to breaches in organizations worldwide. Earlier this year, state-sponsored threat actors were found to have exploited several flaws in Ivanti products, including CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893, as zero-day vulnerabilities, meaning the vendor was unaware of the flaws and no fixes were available at the time.

    In addition, multiple hacking groups have exploited these vulnerabilities to deploy custom web shells in order to backdoor devices. Mandiant, which published a report today on high-profile cases of bug exploitation targeting Ivanti endpoints, delved deeper into the attacks, focusing on Chinese hackers from five different activity clusters and a malware family named ‘SPAWN’ that was used in the exploits.

    To protect against these threats, system administrators are strongly advised to follow Ivanti’s instructions in this knowledge base article and apply the necessary mitigations and fixes for CVE-2024-21894.
