Wednesday, April 30, 2025
HomeCVE/vulnerabilityCISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Published on

SIEM as a Service

Follow Us on Google News

Threat actors target and abuse VPN flaws because VPNs are often used to secure sensitive data and communications, making them valuable targets for exploitation. 

By exploiting the VPN flaws, threat actors can gain unauthorized access to networks, intercept confidential data, and launch various cyber attacks.

CISA (The Cybersecurity and Infrastructure Security Agency), along with the following partners, recently warned that hackers are actively exploiting multiple vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) in Ivanti VPN:-

- Advertisement - Google News
  • Federal Bureau of Investigation (FBI)
  • Multi-State Information Sharing & Analysis Center (MS-ISAC)
  • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
  • United Kingdom National Cyber Security Centre (NCSC-UK)
  • Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment
  • New Zealand National Cyber Security Centre (NCSC-NZ)
  • CERT-New Zealand (CERT NZ)

CISA Warns Hackers Exploiting Ivanti VPN

The Ivanti gateways have serious vulnerabilities impacting all supported versions (9.x and 22.x), enabling attackers to bypass authentication, execute commands, and evade detection.

CISA found Ivanti’s ICT systems failed to detect the compromise, due to which they urged network defenders to assume credential compromise and perform the following tasks:-

  • Hunt for malicious activity
  • Run updated ICT
  • Apply patches
Ivanti Domain Join Configuration with ‘Save Credentials’ (Source – CISA)

Organizations should be wary of rootkit-level persistence even after factory resets, as sophisticated threat actors may remain undetected for extended periods. 

Due to significant risks, it’s strongly advised to reconsider using Ivanti Connect Secure and Policy Secure gateways in enterprise environments.

CISA responded to Ivanti vulnerabilities by detecting the threat actors exploiting CVEs to implant web shells and harvest credentials. 

Post-compromise threat actors used Ivanti-native tools like freerdp and SSH for lateral movement, which led to full domain compromises. 

Ivanti’s ICT failed to detect the compromise, while the integrity checker and forensic analysis proved unreliable. Cybercriminals could erase traces by highlighting the unreliability of the ICT scans in indicating compromise. 

Independent research validated Ivanti’s ICT insufficiency that allows cyber threat actors to persist even after factory resets and upgrades.

Mitigations

Here below, we have mentioned all the mitigations provided by the cybersecurity researchers:-

  • Make sure to choose VPNs wisely and avoid proprietary protocols or non-standard features.
  • Secure remote access tools.
  • Restrict outbound connections on SSL VPNs for essential services.
  • Use low-privilege accounts for LDAP bind in SSL VPNs with AD/LDAP authentication.
  • Allow SSL VPN access for unprivileged accounts only to reduce credential exposure.
  • Keep OS, software, and firmware updated.
  • Minimize Remote Desktop Protocols and remote desktop service usage.
  • Configure Windows Registry for UAC approval on PsExec for admin tasks to curb lateral movement.
  • Develop a recovery plan with multiple copies of sensitive data in a secure location.
  • Enforce the NIST password policy for all password-based logins.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Subscribe on LinkedIn
Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Researchers Uncover SuperShell Payloads and Various Tools in Hacker’s Open Directories

Cybersecurity researchers at Hunt have uncovered a server hosting advanced malicious tools, including SuperShell...

Cyber Espionage Campaign Targets Uyghur Exiles with Trojanized Language Software

A sophisticated cyberattack targeted senior members of the World Uyghur Congress (WUC), the largest...

Konni APT Deploys Multi-Stage Malware in Targeted Organizational Attacks

A sophisticated multi-stage malware campaign, potentially orchestrated by the North Korean Konni Advanced Persistent...

Outlaw Cybergang Launches Global Attacks on Linux Environments with New Malware

The Outlaw cybergang, also known as “Dota,” has intensified its global assault on Linux...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Researchers Uncover SuperShell Payloads and Various Tools in Hacker’s Open Directories

Cybersecurity researchers at Hunt have uncovered a server hosting advanced malicious tools, including SuperShell...

Cyber Espionage Campaign Targets Uyghur Exiles with Trojanized Language Software

A sophisticated cyberattack targeted senior members of the World Uyghur Congress (WUC), the largest...

Konni APT Deploys Multi-Stage Malware in Targeted Organizational Attacks

A sophisticated multi-stage malware campaign, potentially orchestrated by the North Korean Konni Advanced Persistent...