Ivanti discovers another critical vulnerability in its Zero Secure VPN client. The count now stands at five vulnerabilities in two months, including three zero-days.
Ivanti has discovered a new vulnerability in the Connect Secure, Policy Secure and ZTA gateways. The manufacturer has logged all the details under CVE-2024-22024. The vulnerability allows authentication to be bypassed and is present in some software versions. This means it is not as critical as the four previous vulnerabilities, including three zero-day bugs, in the last two months.
What is notable, however, is that Ivanti claims to have discovered this vulnerability itself, while watchTowr researchers shared their findings about this flaw with the manufacturer on February 2nd. Ivanti talks about colleagues who found the flaw.
WatchTowr said: “Today we are pleased that Ivanti has issued an alert for this vulnerability. We found this comment a bit strange, but maybe we have a new group of colleagues?” The company also said it was “surprised” by the lack of credit, but believes it was done without malicious intent.
These versions are vulnerable:
- Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1)
- Ivanti Policy Secure (version 22.5R1.1)
- ZTA (version 22.6R1.3)
A patch has been available since January 31st. Anyone who has updated their systems since then is protected. Hopefully you did, because Ivanti has had a very tough two weeks.
Too many zero days
A zero day has been actively exploited in the Ivanti Connect Secure VPN client since mid-January. As of the end of January, of the 26,000 devices visible online, 492 VPN devices had been hacked. Germany, Italy and the Netherlands make up the top three in Europe. Ivanti has already been criticized for missing the January 22 deadline to release a patch.
At the beginning of February, Murphy's law caught up with Ivanti in the form of two new zero days in Connect Secure. This news coincided with the availability of new patches to eliminate the previous zero days. Ivanti says the January 31 patch also provides sufficient protection against the new zero-days and urges users to take immediate action. Until customers have applied the patches, the Connect Secure VPN service offers anything but secure connectivity.