Ivanti Zero-Day Exploits Skyrocket Worldwide; No Patches Yet

Published: 23/11/2024   Category: security




Anyone who hasn't mitigated two zero-day security bugs in Ivanti VPNs may already be compromised by a Chinese nation-state actor.



Thousands of Ivanti VPN instances have been compromised across the globe in the last five days thanks to two serious, as yet unpatched zero-day vulnerabilities disclosed last week.

Ivanti Connect Secure (ICS) VPN is a virtual private network (VPN) tool that remotely connects mobile devices with corporate network resources, making it an attractive target for hackers looking to gain initial hooks into corporate IT environments. ICS VPN takeovers have been shooting up worldwide ever since the two new bugs were disclosed on Jan. 10. To make matters worse, there won't be patches available for at least a few more days.
"The main fear is that, at a lot of organizations, this gives unfettered access — an immediate way to get into their network," warns Steven Adair, president of Volexity.
Each of the two ICS VPN bugs is powerful on its own, but they prove most effective in tandem. First, CVE-2023-46805 — a high-severity vulnerability with a CVSS score of 8.2 — allows attackers to bypass authentication checks. Then CVE-2024-21887, rated a critical 9.1 out of 10, allows the improperly authenticated user to send specially crafted requests and run arbitrary commands on the affected device.
UTA0178, a group Volexity believes works for the Chinese state, appears to have leveraged the two bugs as zero-days in attacks dating back to early December. With the access so afforded, it backdoored a small handful of organizations with a Web shell called GiftedVisitor. From there, the attackers performed reconnaissance and data collection, Adair says, though he adds that "we have a fairly limited number of cases where we know the attacker really went all-in on the victim."
The threat landscape changed once Ivanti and Volexity broke news of the bugs last week. In the days that followed, thousands of new infections spread across the globe, with a Jan. 15 scan of 30,000 devices identifying at least 1,700 tainted VPNs.
The majority of these could be attributed to UTA0178, which seems to have used the news as impetus to act before most organizations had time to harden themselves. However, there appear to be attempted exploitations by other threat actors as well.
Victims thus far have run the gamut: from small organizations to Fortune 500 companies, across the military and government, telecommunications and finance, and more. Most infections are concentrated in the United States, but they also span every other continent: Guyana to Germany, Egypt, Thailand, Australia, and so on.
As yet there's no available patch for either ICS VPN vulnerability, and Ivanti is expected to be working on those for a while longer: Jan. 22 for CVE-2023-46805, and Feb. 19 to fix CVE-2024-21887.
In the meantime, there are two things customers can do.
On the day of the disclosure, Ivanti released a mitigation for blocking potential exploitations. It's not a patch — it doesn't solve the underlying vulnerabilities — but it is designed to catch and root out potential attempts to exploit them.

Of course, such a preventative measure doesn't account for the thousands of existing compromises. For those — and, really, any devices that haven't been fully examined yet — Ivanti VPN has a built-in Integrity Checker Tool that can detect compromises of the kind carried out by UTA0178.
Then, Adair advises, follow your incident response playbook from there. "Isolating the device is something you want to do, and then kind of kick off your investigation, which may involve opening a support ticket with Ivanti to learn more. Then get these relevant files decrypted, or involve your incident response providers so they can help investigate and dig in a bit deeper."
