The Shadowserver Foundation has reported active exploitation of a zero-day vulnerability, CVE-2024-21893, in Ivanti products, marking a significant cybersecurity concern. This vulnerability, disclosed by Ivanti on January 31, 2024, has seen a surge in attacks since February 2, 2024, particularly after Rapid7 released a proof-of-concept exploit. Over 170 discrete IP addresses have been involved in these attacks, targeting the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA, allowing unauthorized access to restricted resources. This incident is part of a broader pattern of vulnerabilities in Ivanti VPN appliances, including CVE-2023-46805 and CVE-2024-21887, which have been exploited to execute commands remotely and load malware. Ivanti has released patches for four vulnerabilities, including CVE-2024-21888, and a second mitigation to build resilience against attacks chaining CVE-2024-21893 with CVE-2024-21887.
However, CVE-2024-21893 is not a new vulnerability but an already discovered n-day in the xmltooling library, tracked as CVE-2023-36661 and patched in June 2023. The exploitation of Ivanti zero-days has been linked to the group UTA0178, associated with China, compromising at least 20 organizations using Ivanti Connect Secure VPN appliances.
Source: HackRead
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.