After two zero-day vulnerabilities were discovered in Connect Secure, Ivanti would begin sending patches to customers on January 22nd. The staggered schedule is delayed.

Ivanti delays action and fails to keep his promises. The company was actually supposed to distribute patches from January 22nd, but is already behind the staggered schedule. The zero-day was discovered by Volexity researchers almost three weeks ago and has already affected VPNs from several companies. CISA requires companies to submit an inventory of all infected devices.

Deadline missed

Ivanti acknowledged Friday evening that it had missed the deadline and updated its advice regarding “the safety and quality of each individual.” [softwarepatch] Since this is a staggered schedule with successive patches, the delay will immediately affect all other patches. The software company warned that there could be delays in patch releases.

“We now plan to release a patch next week for Ivanti Connect Secure (versions 9.1R17x, 9.1R18x, 22.4R2x and 22.5R1.1), Ivanti Policy Secure (versions 9.1R17x, 9.1R18x and 22.5R1x) and ZTA version 22.6R1x” said Ivanti.

CISA guidelines

The U.S. government’s cybersecurity agency CISA has strict deadlines that are jeopardized by Ivanti’s lack of solutions. CISA’s emergency directive set January 22 as the date for federal agencies to begin implementing solutions.

The CISA guidance highlights the risk, saying that exploiting two vulnerabilities simultaneously could allow hackers to execute arbitrary commands on a vulnerable product. The agency required the removal of compromised products from networks and a report to CISA with an inventory of infected devices. You can read here how you can temporarily solve the problem today while you wait for a patch.