Ivanti Zero-Day Patches Delayed as KrustyLoader Attacks Mount

Published: 23/11/2024   Category: security




The RCE/auth bypass bugs in Connect Secure VPNs have gone unpatched for 20 days as state-sponsored groups continue to backdoor Ivanti gear.



UPDATE, 9:45 a.m. ET Jan. 31, 2024: Ivanti released patches for the two zero-days this morning.
Attackers are using a pair of critical zero-day vulnerabilities in Ivanti VPNs to deploy a Rust-based downloader, dubbed KrustyLoader, which in turn fetches and runs a backdoor built on the Sliver framework.

The two bugs were disclosed earlier in January: CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection. Chained together they give an unauthenticated attacker remote code execution (RCE) on Ivanti's Connect Secure VPN gear. Neither had a patch at the time this story was written (see the update above).

Both zero-days were already under active exploitation in the wild, and after public disclosure Chinese state-sponsored advanced persistent threat (APT) actors (UNC5221, aka UTA0178) mounted mass exploitation attempts worldwide. Volexity's analysis of the attacks uncovered 12 separate but nearly identical Rust payloads being downloaded to compromised appliances; each in turn downloads and executes a variant of the Sliver red-teaming implant. Synacktiv researcher Théo Letailleur, who analyzed the samples, named the Rust downloader KrustyLoader.

Sliver is an open-source adversary simulation tool that "is gaining popularity among threat actors, since it provides a practical command-and-control framework," Letailleur said in his analysis yesterday, which also offers hashes, a Yara rule, and a script for detection and extraction of indicators of compromise (IoCs). He noted that the rejiggered Sliver implant acts as "a stealthy and easily controlled backdoor."

"KrustyLoader — as I dubbed it — performs specific checks in order to run only if conditions are met," he added, noting that it's also well-obfuscated. "The fact that KrustyLoader was developed in Rust brings additional difficulties to obtain a good overview of its behavior."
Meanwhile, the patches for CVE-2024-21887 and CVE-2023-46805 in Connect Secure VPNs are delayed. Ivanti had promised them for Jan. 22, prompting a CISA alert, but they failed to materialize. In the latest update to its advisory on the bugs, published Jan. 26, the firm noted: "The targeted release of patches for supported versions is delayed, this delay impacts all subsequent planned patch releases ... Patches for supported versions will still be released on a staggered schedule."

Ivanti said it is targeting this week for the fixes, but noted that "the timing of patch release is subject to change as we prioritize the security and quality of each release."

As of today, it's been 20 days since the vulnerabilities' disclosure.
