New Ivanti RCE flaw may impact 16,000 exposed VPN gateways

Approximately 16,500 Ivanti Connect Secure and Poly Secure gateways exposed on the internet are likely vulnerable to a remote code execution (RCE) flaw the vendor addressed earlier this week.

The flaw is tracked as CVE-2024-21894 and is a high-severity heap overflow in the IPSec component of Ivanti Connect Secure 9.x and 22.x, potentially allowing unauthenticated users to cause denial of service (DoS) or achieve RCE by sending specially crafted requests.

Upon disclosure, on April 3, 2024, the internet search engine Shodan showed 29,000 internet-exposed instances, while threat monitoring service Shadowserver reported seeing roughly 18,000.

At the time, Ivanti stated that it had seen no signs of active exploitation in any of its customers but urged system administrators to apply the updates as soon as possible.

Two days later, Shadowserver added CVE-2024-21894 into its scanning capabilities, reporting that about 16,500 instances are vulnerable to the RCE flaw.

Vulnerable Ivanti endpoints worldwide (Shadowserver)

Most of those instances (4,700) are in the United States, with Japan (2,000), the UK (1,000), Germany (900), France (900), China (500), the Netherlands (500), Spain (500), Canada (330), India (330), and Sweden (320) following with significant level of exposure too.

High-risk vulnerabilities in Ivanti products often act as a point of breach for organizations worldwide.

Earlier this year, it was revealed that state-sponsored threat actors leveraged multiple flaws in Ivanti products, namely CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893, while they were zero-days, meaning the vendor didn't know about the flaws and no fixes were available.

This activity was followed by multiple hacking groups exploiting widespread exploitation to deploy custom web shells to backdoor devices.

A report published today by Mandiant dives deeper into high-profile recent bug exploitation cases targeting Ivanti endpoints, focusing on Chinese hackers from five distinct activity clusters and a malware family named 'SPAWN' used in these attacks.

System administrators who have not applied the available mitigations and fixes for CVE-2024-21894 are advised to follow the vendor's instructions in this knowledge base article.