
Murphy’s Law meets Ivanti: two new zero-days in Connect Secure

  • February 1, 2024


On the very day that Ivanti releases patches for two actively exploited vulnerabilities in Connect Secure, two new zero-days emerge. It is still all hands on deck for the VPN service.

Ivanti has good and bad news to report. We’ll start with the good news: Ivanti has deployed patches to address vulnerabilities CVE-2023-46805 and CVE-2024-21887 in its Connect Secure VPN service. These have been causing major problems since December: at least 500 VPN devices are said to have been hacked worldwide, but in Europe this is currently limited to a few devices. Other figures speak of almost 2,000 exploits. It is said that mainly Chinese hackers are attacking Connect Secure like vultures.

Ivanti has already been criticized for missing the January 22 deadline to release a patch. More than a week late, Ivanti is rolling it out after all. Ivanti recommends performing a factory reset before applying the patch.

Murphy’s Law

A well-known law says that everything that can go wrong will go wrong, and that is now the case with Ivanti. CVE-2023-46805 and CVE-2024-21887 may have been fixed, but two new vulnerabilities have already been discovered: CVE-2024-21888 and CVE-2024-21893. The first vulnerability allows intruders to escalate their privileges on your network, while the second causes a server failure that allows attackers to break in without even having to authenticate.

In other words, CVE-2024-21893 throws the door to your network wide open, and Ivanti fears this could be the next vulnerability to be actively exploited. The American and German cybersecurity authorities have also published warnings. Ivanti tells TechCrunch that the January 31 patch would also provide sufficient protection against the new zero-days. For customers who have not yet applied it, the Connect Secure VPN service offers anything but secure connectivity.

Source: IT Daily
