Critical Ivanti Vulnerability Exploited by China-Based Threat Actors
Vulnerability Details
The vulnerability is a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability.
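The reasoning behind that initial assessment, a restricted input alphabet making a memory-safety bug look hard to turn into anything but a crash, is worth separating from the question of whether the buffer's length is bounded at all. The following added example (constructed for this article, not Ivanti code, and not modelled on the actual flaw) uses a hypothetical fixed-size field that accepts only digits and dots; it shows that a character-set check alone lets an over-long but well-formed value through, while the hardened version enforces the length bound before any copy takes place:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed example: a fixed-size field meant to hold a short
 * dotted-numeric token. The permitted alphabet (digits and '.')
 * and the field size are assumptions for illustration. */
#define FIELD_LEN 16

/* Returns 1 if every byte of s is within the permitted alphabet. */
static int charset_ok(const char *s) {
    for (; *s; s++) {
        if (!isdigit((unsigned char)*s) && *s != '.')
            return 0;
    }
    return 1;
}

/* Validation that checks only the alphabet: an over-long input still passes,
 * which is exactly the gap a "limited character space" does not close. */
int accept_charset_only(const char *input) {
    return charset_ok(input);
}

/* Hardened validation: alphabet AND length bound are both enforced,
 * so a well-formed but oversized token is rejected before any copy. */
int accept_charset_and_length(const char *input) {
    if (!charset_ok(input)) return 0;
    if (strlen(input) >= FIELD_LEN) return 0;   /* must leave room for the NUL */
    return 1;
}

/* Copy into the fixed buffer only after validation.
 * Returns 0 on success, -1 if the input was rejected. */
int copy_field(char dst[FIELD_LEN], const char *input) {
    if (!accept_charset_and_length(input)) return -1;
    /* Length already verified above, so this copy cannot overrun dst;
     * memcpy with the checked length keeps the bound explicit. */
    size_t n = strlen(input);
    memcpy(dst, input, n + 1);
    return 0;
}

int main(void) {
    /* Constructed inputs: one legitimate, one entirely in-alphabet but too long. */
    const char *ok = "10.0.0.1";
    const char *too_long = "1.1.1.1.1.1.1.1.1.1.1.1.1";
    char field[FIELD_LEN];

    printf("charset-only accepts too_long:   %d\n", accept_charset_only(too_long));
    printf("charset+length accepts too_long: %d\n", accept_charset_and_length(too_long));
    printf("copy ok: %d, copy too_long: %d\n",
           copy_field(field, ok), copy_field(field, too_long));
    return 0;
}
```

The point for reviewers of patches and advisories alike: an input filter that constrains which bytes may appear says nothing about how many of them may appear, so a bug classed as "DoS only" on the strength of its alphabet still deserves the same patch priority as any other out-of-bounds write.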
Exploitation
Incident responders from Google-owned Mandiant wrote in a report that the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process that it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution.
Affected Products
The vulnerability also impacts Ivanti Policy Secure and Ivanti Neurons for ZTA gateways that have been generated but left unconnected to a ZTA controller.
Patch Availability
These products don’t have patches available yet, but active exploitation against them has not been observed so far, and exploitation is less likely because Ivanti Policy Secure is not meant to be exposed to the internet and ZTA gateways can’t be exploited when deployed in production.
Timeline
Ivanti estimates patches for ZTA gateways and Policy Secure will be released on April 19 and April 21, respectively. Pulse Connect Secure, being end-of-life, will not receive a patch for this issue and is already being targeted for active exploitation.
Conclusion
The critical Ivanti vulnerability has been exploited by China-based threat actors, highlighting the importance of timely patching and security measures to prevent remote code execution. It is crucial for organizations to prioritize patching and take necessary steps to protect their systems from the threat.
FAQs
Q: What is the nature of the vulnerability?
A: The vulnerability is a buffer overflow with a limited character space, initially believed to be a low-risk denial-of-service vulnerability.
Q: How was the vulnerability exploited?
A: The threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process that it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution.
Q: Which products are affected by the vulnerability?
A: In addition to Ivanti Connect Secure, the vulnerability impacts Ivanti Policy Secure and Ivanti Neurons for ZTA gateways that have been generated but left unconnected to a ZTA controller.
Q: Are patches available for the affected products?
A: Patches for ZTA gateways and Policy Secure will be released on April 19 and April 21, respectively, but Pulse Connect Secure, being end-of-life, will not receive a patch for this issue.
Q: Is active exploitation currently being observed?
A: No, active exploitation has not been observed against Ivanti Policy Secure or the ZTA gateways, but Pulse Connect Secure is already being targeted for active exploitation.