CVE-2024-21887
Published: 2024-01-12
Priority: P196 · critical · CVSS 3.1 score 9.1
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability · due 2024-01-22
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Affected (21 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure_and_policy_secure | — | — |
| ivanti | ics | 22.6R2 – 22.6R2 | — |
| ivanti | ics | 9.1R18 – 9.1R18 | — |
| ivanti | ips | 22.6R1 – 22.6R1 | — |
| ivanti | ips | 9.1R18 – 9.1R18 | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
| ivanti | policy_secure | — | — |
Detection & IOCs (extracted from sources)
- ZIPLINE passive backdoor hijacks the accept() exported function from libsecure.so to intercept incoming network traffic; look for unexpected modifications to this shared library on Ivanti Connect Secure appliances.
- Thinspool dropper writes the Lightwire web shell onto Ivanti CS for persistence; hunt for unexpected Perl web shells embedded in legitimate files on the appliance.
- Wirefire is a Python-based web shell supporting unauthenticated arbitrary command execution; detect unexpected Python CGI/web processes spawned from the Ivanti web server.
- Warpwire is a JavaScript credential harvester that sends stolen credentials to a C2 server at login; monitor outbound HTTP/S traffic from the Ivanti login page for anomalous POST requests to external hosts.
- Attackers used compromised end-of-life Cyberoam VPN appliances as C2 servers in the same geographic region as targets to evade detection; flag outbound connections from Ivanti appliances to Cyberoam VPN IP ranges.
- CVE-2024-21887 is chained with CVE-2023-46805 (auth bypass) to achieve unauthenticated RCE; detect exploitation attempts targeting the authentication bypass endpoint followed by command injection in web component requests.
- UNC5221 deployed a GIFTEDVISITOR webshell variant on over 2,100 Ivanti appliances; scan web-accessible directories on Ivanti Connect Secure for the GIFTEDVISITOR webshell.
- Attackers deployed XMRig cryptocurrency miners and Rust-based malware payloads on compromised Ivanti appliances; monitor for XMRig process execution or outbound mining pool connections from Ivanti devices.
- Ivanti's internal and previous external Integrity Checker Tool (ICT) failed to detect compromise in multiple incident response engagements; do not rely solely on ICT scans to confirm a clean state.
- Web shells found on compromised systems showed no file mismatches according to Ivanti's ICT, meaning ICT results cannot be trusted as a definitive indicator of a clean appliance.
- Threat actors may gain root-level persistence between factory resets; factory reset alone is not sufficient to guarantee removal of compromise on Ivanti Connect Secure and Policy Secure appliances.
- Exploitation of CVE-2024-21887 has been observed since early December 2023, well before public disclosure in January 2024; assume any Ivanti Connect Secure or Policy Secure appliance exposed to the internet during this window may be compromised.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| nvd | 3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| osv | — | 5.5 | MEDIUM | — |
| vulncheck | — | 8.3 | HIGH | — |
| cisa | — | 8.2 | HIGH | — |
CISA
CVE-2024-21893 [HIGH] CWE-918 Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability
cisa · 2024-01-31 · CVSS 8.2
Affected: Ivanti Connect Secure, Policy Secure, and Neurons
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US ; https://nvd.nist.gov/vuln/d
Ivanti
CVE-2024-21887 [HIGH] Ivanti Connect Secure and Policy Secure Command Injection
vendor_ivanti · 2024-01-10 · CVSS 9.1
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue.
CVE IDs: CVE-2024-21887
Affected products: Connect Secure, Policy Secure
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Remediation Due Date: 2024-01-22
Known to be used in ransomware camp
CISA
CVE-2024-21887 [HIGH] CWE-77 Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
cisa · 2024-01-10 · CVSS 8.2
Affected: Ivanti Connect Secure and Policy Secure
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: Please apply mitigations per vendor instructions. For more information, please see: https://forums.ivanti.com/s/article/KB-CVE-2023-46805
CISA
CVE-2023-46805 [HIGH] CWE-287 Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
cisa · 2024-01-10 · CVSS 8.2
Affected: Ivanti Connect Secure and Policy Secure
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: Please apply mitigations per vendor instructions. For more information, please see: https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE
OSV
CVE-2025-21887 linux-realtime, linux-raspi-realtime vulnerabilities
osv · 2025-08-28 · CVSS 5.5
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Overlay file system;
- Network traffic control;
(CVE-2025-21887, CVE-2024-57996, CVE-2025-38350, CVE-2025-37752)
GHSA
CVE-2024-21887 [CRITICAL] CWE-77 GHSA-87qj-c5f7-6c8q
ghsa_unreviewed · 2024-01-12
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
VulnCheck
CVE-2024-21887 [HIGH] CWE-77 Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
vulncheck · 2024 · CVSS 8.2
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://ww
VulnCheck
CVE-2024-21893 [HIGH] CWE-918 Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability
vulncheck · 2024 · CVSS 8.2
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.
Affected: Ivanti Connect Secure, Policy Secure, and Neurons
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/; https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-C
VulnCheck
CVE-2024-22024 [HIGH] Ivanti Connect Secure and Policy Secure Improper Restriction of XML External Entity Reference
vulncheck · 2024 · CVSS 8.3
An XML external entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways allows an attacker to access certain restricted resources without authentication.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wiz.io/blog/ivanti-vulnerabilities-cve-2023-46805-cve-2024-21887-cve-2024-21888-and-cve-2024-21893; https://attackerkb.com/assessments/e3572615-0a93-4e5b-a181-432316d5c6d3; https://twitter.com/collysucker/status/17559
VulnCheck
CVE-2023-46805 [HIGH] CWE-287 Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
vulncheck · 2023 · CVSS 8.2
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.volexity.com/blog/2024/0
Suricata
CVE-2024-21887 [CRITICAL] ET EXPLOIT Ivanti Connect Secure (9.x,22.x) / Ivanti Policy Secure (9.x,22.x) / Ivanti Neurons for ZTA Command Injection via SSRF (CVE-2024-21887)
suricata · 2024-02-02 · CVSS 9.1
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Ivanti Connect Secure (9.x,22.x) / Ivanti Policy Secure (9.x,22.x) / Ivanti Neurons for ZTA Command Injection via SSRF (CVE-2024-21887)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dana-ws/"; fast_pattern; content:".ws"; http.request_body; content:"<soap|3a|"; content:"|3a|RetrievalMethod|20|URI=|22|"; distance:0; pcre:"/^[^\x22]+(?:\x3b|%3[Bb])/R"; reference:url,attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis; reference:cve,2024-21887; classtype:attempted-admin; sid:2050700; rev:2; metadata:affected_product Ivanti, attac
Suricata
CVE-2023-46805 [HIGH] ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt M2 (CVE-2023-46805, CVE-2024-21887)
suricata · 2024-01-22 · CVSS 8.2
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt M2 (CVE-2023-46805, CVE-2024-21887)"; flow:established,to_server; http.request_line; content:"GET /api/v1/cav/client/status/"; fast_pattern; content:"./"; distance:0; content:"./"; distance:0; reference:url,www.assetnote.io/resources/research/high-signal-detection-and-exploitation-of-ivantis-pulse-connect-secure-auth-bypass-rce; reference:cve,2023-46805; reference:cve,2024-21887; classtype:trojan-activity; sid:2050280; rev:2; metadata:affected_product Pulse_Secure, created_at 2024_01_22, cve CVE_
Suricata
CVE-2023-46805 [HIGH] ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M1
suricata · 2024-01-17 · CVSS 8.2
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M1"; flow:established,to_server; http.request_line; pcre:"/^(GE|POS)T/"; content:"/api/v1/totp/"; distance:0; fast_pattern; content:"./"; distance:0; content:"./"; distance:0; reference:url,attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis; reference:cve,2023-46805; reference:cve,2024-21887; classtype:trojan-activity; sid:2050131; rev:2; metadata:affected_product Pulse_Secure, created_at 2024_01_17, cve CVE_2023_46805_CVE_2024_21887, deployment Perim
Suricata
CVE-2023-46805 [HIGH] ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M1
suricata · 2024-01-16 · CVSS 8.2
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M1"; flow:established,to_server; http.request_line; content:"GET /api/v1/totp/user-backup-code/../../license/keys-status/%3b"; reference:url,attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis; reference:cve,2023-46805; reference:cve,2024-21887; classtype:attempted-admin; sid:2050095; rev:2; metadata:affected_product Pulse_Secure, created_at 2024_01_16, cve CVE_2023_46805_CVE_2024_21887, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High,
Suricata
CVE-2023-46805 [HIGH] ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M2
suricata · 2024-01-16 · CVSS 8.2
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Pulse Secure Authentication Bypass and Command Injection Attempt (CVE-2023-46805, CVE-2024-21887) M2"; flow:established,to_server; http.request_line; content:"POST /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection"; fast_pattern; http.content_type; content:"application/json"; http.request_body; content:"|22|type|22 3a|"; content:"|22 3b|"; within:3; content:"|22|txtGCPProject|22 3a|"; content:"|22|txtGCPSecret|22 3a|"; content:"|22|txtGCPPath|22 3a|"; content:"|22|txtGCPBucket|22 3a|"; reference:url,attackerkb.com/topics/AdUh6by52K/cv
Metasploit
CVE-2023-46805 [HIGH] Ivanti Connect Secure Unauthenticated Remote Code Execution
metasploit · CVSS 8.2
This module chains an authentication bypass vulnerability (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are also vulnerable.
Metasploit
CVE-2024-21893 [CRITICAL] Ivanti Connect Secure Unauthenticated Remote Code Execution
metasploit · CVSS 9.1
This module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions 8.x and below are also vulnerable.
Nuclei
CVE-2024-21893 [CRITICAL] Ivanti SAML - Server Side Request Forgery (SSRF)
nuclei · CVSS 9.1
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
Template:
id: CVE-2024-21893
info:
  name: Ivanti SAML - Server Side Request Forgery (SSRF)
  author: DhiyaneshDk
  severity: high
  description: |
    A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
  impact: |
    Unauthenticated attackers can perform SSRF attacks to access restricted internal resources and bypa
Nuclei
CVE-2023-46805 [HIGH] Ivanti ICS - Authentication Bypass
nuclei · CVSS 8.2
An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
Template:
id: CVE-2023-46805
info:
  name: Ivanti ICS - Authentication Bypass
  author: DhiyaneshDK,daffainfo,geeknik
  severity: high
  description: An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
  impact: |
    Unauthenticated attackers can bypass authentication controls and access restricted administrative resources, potentially exposing sensitive configuration data.
  remediation: |
    Upgrade Ivanti Connect Secure and Policy Secur
Nuclei
CVE-2024-21887 [HIGH] Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection
nuclei · CVSS 8.2
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Template:
id: CVE-2024-21887
info:
  name: Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection
  author: pdresearch,parthmalhotra,iamnoooob
  severity: critical
  description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
  im
Tenable
CVE-2023-4966 Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable · 2026-05-27
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Hackernews
[HIGH] China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
blogs_hackernews · 2026-04-07 · CVSS 8.8
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and
Bleepingcomputer
[HIGH] Microsoft links Medusa ransomware affiliate to zero-day attacks
blogs_bleepingcomputer · 2026-04-06 · CVSS 8.8
By Sergiu Gatlan
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT
Wiz
RCE meaning: Remote code execution attacks explained | Wiz
blogs_wiz · 2026-02-18
## What is a remote code execution (RCE) attack?
A remote code execution (RCE) attack is a cyberattack where an attacker runs malicious code on a target system from a remote location. This means someone who has no physical access to your servers can still execute commands as if they were sitting at the keyboard.
RCE ranks among the most severe vulnerability classes because attackers often need no authentication or user interaction to exploit it. Once they gain code execution, they can steal sensitive data, install persistent backdoors, escalate privileges, or pivot to other systems on your network.
The consequences extend beyond the initial compromise. A single RCE vulnerability in an internet-facing application can give attackers a foothold to move laterally through your environment, e
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio · 2026-02-02
Tenable
Cybersecurity Snapshot: Expert Advice for Securing Critical Infrastructure’s OT and Industrial Control Systems, IoT Devices and Network Infrastructure
blogs_tenable · 2025-09-05
Tenable
Chinese State-Sponsored Actors Compromising Global Networks
blogs_tenable · 2025-08-29
Tenable
Cybersecurity Snapshot: Agentic AI Security in Focus With Anthropic’s Chilling Abuse Disclosure and CSA’s New Identity Protection Framework
blogs_tenable · 2025-08-29
Bleepingcomputer
Global Salt Typhoon hacking campaigns linked to Chinese tech firms
blogs_bleepingcomputer·2025-08-27·CVSS 9.8
[CRITICAL] Global Salt Typhoon hacking campaigns linked to Chinese tech firms
By Lawrence Abrams
The U.S. National Security Agency (NSA), the UK's National Cyber Security Centre (NCSC), and partners from over a dozen countries have linked the Salt Typhoon global hacking campaigns to three China-based technology firms.
According to the joint advisories [ NSA , NCSC ], Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. have provided cyber products and services to China's Ministry of State Security and the People's Liberation Army, enabling cyber espionage operations tracked as Salt Typhoon.
Since at least 2021, the Chinese threat actors have breached government, telecommunications, transportation
Tenable
Frequently Asked Questions About Iranian Cyber Operations
blogs_tenable·2025-06-27
Sentinelone
DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists
blogs_sentinelone·2025-05-03
In recent weeks, the DragonForce ransomware group has been targeting UK retailers in a series of coordinated attacks causing major service disruptions. Prominent retailers such as Harrods, Marks and Spencer, and the Co-Op have all reported ongoing incidents affecting payment systems, inventory, payroll and other critical business functions.
DragonForce has previously been attributed for a number of notable cyber incidents including attacks on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia.
In this post, we offer a high-level overview of the DragonForce group, discuss its targeting, initial access methods, and payloads. We further provide a comprehensive list of indicators and defensive recommendations to
Tenable
Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends
blogs_tenable·2025-04-23
Bleepingcomputer
Ivanti patches Connect Secure zero-day exploited since mid-March
blogs_bleepingcomputer·2025-04-03·CVSS 9.0
CVE-2025-22457 [CRITICAL] Ivanti patches Connect Secure zero-day exploited since mid-March
By Sergiu Gatlan
Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
Tracked as CVE-2025-22457 , this critical security flaw is due to a stack-based buffer overflow weakness. It impacts Pulse Connect Secure 9.1x (which reached end-of-support in December), Ivanti Connect Secure 22.7R2.5 and earlier, Policy Secure, and Neurons for ZTA gateways.
According to Ivanti's advisory , remote threat actors can exploit it in high-complexity attacks that don't require authentication or user interaction. The company patched the vulnerability on February 11, 2025, with the release of Iva
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys·2025-02-25
## Table of Contents
Know Your Enemy's Playbook
Attackers Move Fast
How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Tenable
Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor
blogs_tenable·2025-01-23
Tenable
CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
blogs_tenable·2025-01-08·CVSS 9.0
[CRITICAL] CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
Trendmicro
Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
blogs_trendmicro·2024-11-25
APT & Targeted Attacks
Since 2023, APT group Earth Estries has aggressively targeted key industries globally with sophisticated techniques and new backdoors, like GHOSTSPIDER and MASOL RAT, for prolonged espionage operations.
By: Leon M Chang, Theo Chen, Lenart Bermejo, Ted Lee | Nov 25, 2024
## Summary
Earth Estries, a Chinese APT group, has primarily targeted critical sectors like telecommunications and government entities across the US, Asia-Pacific, Middle East, and South Africa since 2023.
The group employs advanced attack techniques and multiple backdoors, such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, affecting several Southeast Asian telecommunications companies and governm
Bleepingcomputer
Salt Typhoon hackers backdoor telcos with new GhostSpider malware
blogs_bleepingcomputer·2024-11-25
By Bill Toulas
The Chinese state-sponsored hacking group Salt Typhoon has been observed utilizing a new "GhostSpider" backdoor in attacks against telecommunication service providers.
The backdoor was discovered by Trend Micro, which has been monitoring Salt Typhoon's attacks against critical infrastructure and government organizations worldwide.
Along with GhostSpider, Trend Micro discovered that the threat group also uses a previously documented Linux backdoor named 'Masol RAT,' a rootkit named 'Demodex,' and a modular backdoor shared among Chinese APT groups named 'SnappyBee.'
## Salt Typhoon's global campaigns
Salt Typhoon (aka 'Earth Estries', 'GhostEmperor', or 'UNC2286') is a sophisticated hacking group that h
Bleepingcomputer
Cisco bug lets hackers run commands as root on UWRB access points
blogs_bleepingcomputer·2024-11-06·CVSS 10.0
CVE-2024-20418 [CRITICAL] Cisco bug lets hackers run commands as root on UWRB access points
By Sergiu Gatlan
Cisco has fixed a maximum severity vulnerability that allows attackers to run commands with root privileges on vulnerable Ultra-Reliable Wireless Backhaul (URWB) access points that provide connectivity for industrial wireless automation.
Tracked as CVE-2024-20418 , this security flaw was found in Cisco's Unified Industrial Wireless Software's web-based management interface. Unauthenticated threat actors can exploit it in low-complexity command injection attacks that don't require user interaction.
"This vulnerability is due to improper validation of input to the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management int
Bleepingcomputer
Chinese botnet infects 260,000 SOHO routers, IP cameras with malware
blogs_bleepingcomputer·2024-09-18
By Ionut Ilascu
The FBI and cybersecurity researchers have disrupted a massive Chinese botnet called “Raptor Train” that infected over 260,000 networking devices to target critical infrastructure in the US and in other countries.
The botnet has been used to target entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, mainly in the US and Taiwan.
Over four years, Raptor Train has grown into a complex, multi-tiered network with an enterprise-grade control system for handling tens of servers and a large number of infected SOHO and consumer devices: routers and modems, NVRs and DVRs, IP cameras, and network-attached storage (NAS) servers.
## Multi-ti
Bleepingcomputer
Ivanti fixes maximum severity RCE bug in Endpoint Management software
blogs_bleepingcomputer·2024-09-10·CVSS 8.8
CVE-2024-29847 [HIGH] Ivanti fixes maximum severity RCE bug in Endpoint Management software
By Sergiu Gatlan
Ivanti has fixed a maximum severity vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers gain remote code execution on the core server.
Ivanti EPM helps admins manage client devices that run various platforms, including Windows, macOS, Chrome OS, and IoT operating systems.
The security flaw (CVE-2024-29847) is caused by a deserialization of untrusted data weakness in the agent portal that has been addressed in Ivanti EPM 2024 hot patches and Ivanti EPM 2022 Service Update 6 (SU6).
"Successful exploitation could lead to unauthorized access to the EPM core server," the company said in an advisory published today.
For the moment, Ivanti added that they're "
Tenable
AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
blogs_tenable·2024-08-28
Tenable
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
blogs_tenable·2024-08-14·CVSS 9.8
[CRITICAL] CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
Bleepingcomputer
Ivanti warns of critical vTM auth bypass with public exploit
blogs_bleepingcomputer·2024-08-13·CVSS 9.8
CVE-2024-7593 [CRITICAL] Ivanti warns of critical vTM auth bypass with public exploit
By Sergiu Gatlan
Today, Ivanti urged customers to patch a critical authentication bypass vulnerability impacting Virtual Traffic Manager (vTM) appliances that can let attackers create rogue administrator accounts.
Ivanti vTM is a software-based application delivery controller (ADC) that provides app-centric traffic management and load balancing for hosting business-critical services.
Tracked as CVE-2024-7593, this auth bypass vulnerability is due to an incorrect implementation of an authentication algorithm that allows remote unauthenticated attackers to bypass authentication on Internet-exposed vTM admin panels.
"Ivanti released updates for Ivanti Virtual Traffic Manager (vTM) which addressed a critical vulnerability. S
Qualys
Cybersecurity Threat Landscape 2024 Midyear Review
blogs_qualys·2024-08-06
## Table of Contents
Key Takeaways from the Threat Landscape Report 2024
Vulnerability and Threat Analysis in the Cybersecurity Landscape 2024
Cyber Threat Landscape 2024: A Detailed Review
Key Statistics and Their Impact on the 2024 Cybersecurity Landscape
Mid-2024's Most Exploited Vulnerabilities in the Cybersecurity Landscape
Conclusion
As we navigate the complexities of 2024, it’s crucial to pause and reflect on the evolving threat landscape that surrounds us. This moment offers a unique opportunity to scrutinize our triumphs and missteps, understand the events that have decisively shaped our environment, and consider those that have subtly influenced it. By extracting key lessons from our recent experiences, we can fortify our strategies and prepare more effectively for the emerg
Tenable
Cybersecurity Snapshot: CISA Tells Tech Vendors To Squash Command Injection Bugs, as OpenSSF Calls on Developers To Boost Security Skills
blogs_tenable·2024-07-12
Bleepingcomputer
CISA urges devs to weed out OS command injection vulnerabilities
blogs_bleepingcomputer·2024-07-10·CVSS 6.0
CVE-2024-20399 [MEDIUM] CISA urges devs to weed out OS command injection vulnerabilities
By Sergiu Gatlan
CISA and the FBI urged software companies on Wednesday to review their products and eliminate path OS command injection vulnerabilities before shipping.
The advisory was released in response to recent attacks that exploited multiple OS command injection security flaws ( CVE-2024-20399 , CVE-2024-3400 , and CVE-2024-21887 ) to compromise Cisco , Palo Alto , and Ivanti network edge devices.
Velvet Ant, the Chinese state-sponsored threat actor that coordinated these attacks, deployed custom malware to gain persistence on hacked devices as part of a cyber espionage campaign.
"OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing
Fortinet
The Growing Threat of Malware Concealed Behind Cloud Services | FortiGuard Labs
blogs_fortinet·2024-06-25·CVSS 9.8
[CRITICAL] The Growing Threat of Malware Concealed Behind Cloud Services | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
UNSTABLE Botnet
Condi DDoS Botnet
UDP Flooder and Process Checker
Skibidi
Conclusion
Fortinet Protections
IOCs
C2
URLs
Files
By Cara Lin and Vincent Li | June 25, 2024
Affected Platforms: Linux Distributions
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
Cybersecurity threats are increasingly leveraging cloud services to store, distribute, and establish command and control (C2) servers, such as VCRUMS stored on AWS or SYK Crypter distributed via DriveHQ. This shift in strategy presents significant challenges for detection and prevention, as cloud services provide scalability, anonymity, and resilience that traditional hostin
Bleepingcomputer
MITRE says state hackers breached its network via Ivanti zero-days
blogs_bleepingcomputer·2024-04-19·CVSS 8.2
[HIGH] MITRE says state hackers breached its network via Ivanti zero-days
By Sergiu Gatlan
The MITRE Corporation says that a state-backed hacking group breached its systems in January 2024 by chaining two Ivanti VPN zero-days.
The incident was discovered after suspicious activity was detected on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network used for research and development.
MITRE has since notified affected parties of the breach, contacted relevant authorities, and is now working on restoring "operational alternatives."
Evidence collected during the investigation so far shows that this breach did not affect the organization's core enterprise network or its partners' systems.
"No organization is immune from this
Unit42
It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise
blogs_unit42·2024-04-08
Threat Research / Malware
By: Beliz Kaleli, Fang Liu, Peng Peng, Alex Starov, Joey Allen, Stefan Springer
Published: April 8, 2024
Tags: Malware, Threat Research, Ivanti, Mirai, Network scanning
## Executive Summary
Our telemetry indicates a growing number of threat actors are turning to malware-initiated scanning attacks. This article reviews how attackers use infected hosts for malware-based scans of their targets instead of the more traditional approach using direct scans.
Threat actors have been using scanning methods to pinpoint vulnerabilities in networks or systems for a very long time. Some scanning attacks originate from benign networks likely driven by malware on infected machines. By launching scanning attacks from compromised hosts, attackers can accomplish the following:
- Covering their traces
- Bypassing geofencing
- Expanding botnets
- Leveraging the resources of these compromised devices to generate a higher volume of scanning requests compared to what they cou
Bleepingcomputer
New Ivanti RCE flaw may impact 16,000 exposed VPN gateways
blogs_bleepingcomputer·2024-04-05·CVSS 8.2
CVE-2024-21894 [HIGH] New Ivanti RCE flaw may impact 16,000 exposed VPN gateways
By Bill Toulas
Approximately 16,500 Ivanti Connect Secure and Policy Secure gateways exposed on the internet are likely vulnerable to a remote code execution (RCE) flaw the vendor addressed earlier this week.
The flaw is tracked as CVE-2024-21894 and is a high-severity heap overflow in the IPSec component of Ivanti Connect Secure 9.x and 22.x, potentially allowing unauthenticated users to cause denial of service (DoS) or achieve RCE by sending specially crafted requests.
Upon disclosure, on April 3, 2024, the internet search engine Shodan showed 29,000 internet-exposed instances, while threat monitoring service Shadowserver reported seeing roughly 18,000.
At the time, Ivanti stated that it had seen no signs of active exploita
Bleepingcomputer
Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks
blogs_bleepingcomputer·2024-04-03·CVSS 8.2
CVE-2024-21894 [HIGH] Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks
By Sergiu Gatlan
Update 4/5/25: ShadowServer says there are 16,000 exposed devices likely vulnerable to this flaw .
IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways.
Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction.
The vulnerability is caused by a heap overflow weakness in the IPSec component of all supported gateway versions.
While Ivanti said the remote code execution risks are limited to "certain conditions," t
Bleepingcomputer
Ivanti fixes critical Standalone Sentry bug reported by NATO
blogs_bleepingcomputer·2024-03-20·CVSS 8.8
CVE-2023-41724 [HIGH] Ivanti fixes critical Standalone Sentry bug reported by NATO
By Sergiu Gatlan
Ivanti warned customers to immediately patch a critical severity Standalone Sentry vulnerability reported by NATO Cyber Security Centre researchers.
Standalone Sentry is deployed as an organization's Kerberos Key Distribution Center Proxy (KKDCP) server or as a gatekeeper for ActiveSync-enabled Exchange and Sharepoint servers.
Tracked as CVE-2023-41724 , the security flaw impacts all supported versions and it allows unauthenticated bad actors within the same physical or logical network to execute arbitrary commands in low-complexity attacks.
Ivanti also fixed a second critical vulnerability ( CVE-2023-46808 ) in its Neurons for ITSM IT service management solution that enables remote threat actors with acc
Checkpoint
11th March – Threat Intelligence Report
blogs_checkpoint·2024-03-11·CVSS 8.2
CVE-2023-46805 [HIGH] 11th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Cybersecurity and Infrastructure Security Agency (CISA) has taken offline two systems following a breach that occurred as a result of the recent vulnerabilities exploitation in Ivanti products. The affected systems potentially include the Infrastructure Protection Gateway and the Chemical Security Assessment Tool, holding sen
Bleepingcomputer
Magnet Goblin hackers use 1-day flaws to drop custom Linux malware
blogs_bleepingcomputer·2024-03-09·CVSS 9.8
[CRITICAL] Magnet Goblin hackers use 1-day flaws to drop custom Linux malware
By Bill Toulas
A financially motivated hacking group named Magnet Goblin uses various 1-day vulnerabilities to breach public-facing servers and deploy custom malware on Windows and Linux systems.
1-day flaws refer to publicly disclosed vulnerabilities for which a patch has been released. Threat actors looking to exploit these flaws must do so quickly before a target can apply security updates.
Though exploits are usually not made available immediately upon a flaw's disclosure, some vulnerabilities are trivial to figure out how to leverage. Additionally, reverse-engineering the patch may reveal the underlying problem and how to exploit it.
Check Point analysts who identified Magnet Goblin report that these threat act
Checkpoint
Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
blogs_checkpoint·2024-03-08·CVSS 4.9
CVE-2024-21887 [MEDIUM] Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
## Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
## Key Points
Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vuln
Checkpoint
4th March – Threat Intelligence Report
blogs_checkpoint·2024-03-04
CVE-2023-46805 4th March – Threat Intelligence Report
## 4th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 4th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
UnitedHealth Group confirmed its subsidiary was attacked by the ALPHV ransomware gang. 6 terabytes of data were stolen in the attack, and Change Healthcare, a crucial intermediary between pharmacies and insurance companies, was forced to disconnect its systems on February 21. The disruption impacted U.S. military clinics and ho
Bleepingcomputer
CISA cautions against using hacked Ivanti VPN gateways even after factory resets
blogs_bleepingcomputer·2024-02-29·CVSS 8.2
[HIGH] CISA cautions against using hacked Ivanti VPN gateways even after factory resets
## CISA cautions against using hacked Ivanti VPN gateways even after factory resets
## Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets.
Furthermore, they can also evade detection by Ivanti's internal and external Integrity Checker Tool (ICT) on Ivanti Connect Secure and Policy Secure gateways compromised using CVE-2023-46805 , CVE-2024-21887 , CVE-2024-22024 , and CVE-2024-21893 exploits.
The four vulnerabilities' severity ratings range from high to critical, and they can be exploited for authentication bypass, command injection, server-side-request forgery, and
Bleepingcomputer
Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
blogs_bleepingcomputer·2024-02-15·CVSS 8.2
CVE-2024-22024 [HIGH] Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
## Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
## Bill Toulas
Thousands of Ivanti Connect Secure and Policy Secure endpoints remain vulnerable to multiple security issues first disclosed more than a month ago and which the vendor gradually patched.
The flaws are CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888. Their severity ranges from high to critical and they concern authentication bypass, server-side-request forgery, arbitrary command execution, and command injection problems.
Some of these vulnerabilities have been reported as exploited by nation-state actors before they were being leveraged at a larger scale by a broad range of threat actors.
Starting with CVE-2024-22024, the issue is an XXE vulnerability in the SAML compo
Bleepingcomputer
Ivanti: Patch new Connect Secure auth bypass bug immediately
blogs_bleepingcomputer·2024-02-08·CVSS 8.2
CVE-2024-22024 [HIGH] Ivanti: Patch new Connect Secure auth bypass bug immediately
## Ivanti: Patch new Connect Secure auth bypass bug immediately
## Sergiu Gatlan
Today, Ivanti warned of a new authentication bypass vulnerability impacting Connect Secure, Policy Secure, and ZTA gateways, urging admins to secure their appliances immediately.
The flaw (CVE-2024-22024) is due to an XXE (XML eXternal Entities) weakness in the gateways' SAML component that lets remote attackers gain access to restricted resources on unpatched appliances in low-complexity attacks without requiring user interaction or authentication.
"We have no evidence of any customers being exploited by CVE-2024-22024. However, it is critical that you immediately take action to ensure you are fully protected," Ivanti said.
"For users of other supported versions, the mitigation released on 31 January su
Wiz
Critical Vulnerabilities in Ivanti Exploited In-The-Wild | Wiz Blog
blogs_wiz·2024-02-06·CVSS 8.2
CVE-2023-46805 [HIGH] Critical Vulnerabilities in Ivanti Exploited In-The-Wild | Wiz Blog
February 9, 2024 update
On February 8, 2024, Ivanti released an advisory for a new authentication bypass high severity vulnerability, CVE-2024-22024 impacting Ivanti Connect Secure (`9.x, 22.x`), Ivanti Policy Secure (`9.x, 22.x`) and ZTA gateways. The flaw in the SAML component of the mentioned products allows an attacker to access certain restricted resources without authentication. On February 9, 2024, the vulnerability has been reported to be exploited in-the-wild.
Customers are advised to patch urgently to the fixed versions: Connect Secure versions `9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, 22.6R2.2`, Ivanti Policy Secure versions `9.1R17.3, 9.1R18.4, 22.5R1.2` and ZTA gateways versions `22.5R1.6, 22.6R1.5, 22.6R1.7`.
Wiz customers can use the pre-built query and
Wiz
Critical Vulnerabilities in Ivanti Exploited In-The-Wild | Wiz Blog
blogs_wiz·2024-02-06·CVSS 8.2
CVE-2023-46805 [HIGH] Critical Vulnerabilities in Ivanti Exploited In-The-Wild | Wiz Blog
On January 10, 2024, Ivanti released an advisory along with mitigation strategies (but no patches) for two vulnerabilities affecting Connect Secure VPN devices: CVE-2023-46805 and CVE-2024-21887. When exploited in tandem, they enable unauthenticated remote code execution, and Ivanti urged immediate customer response. A few days later, researchers announced that they had identified active exploitation of these vulnerabilities as 0-days, dating back to December 2023, and provided details of the related threat activity .
A few weeks later, on January 31, 2024, Ivanti disclosed two more high-severity vulnerabilities: CVE-2024-21888, a pr
Bleepingcomputer
Newest Ivanti SSRF zero-day now under mass exploitation
blogs_bleepingcomputer·2024-02-05·CVSS 8.2
CVE-2024-21893 [HIGH] Newest Ivanti SSRF zero-day now under mass exploitation
## Newest Ivanti SSRF zero-day now under mass exploitation
## Bill Toulas
An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 is currently under mass exploitation by multiple attackers.
Ivanti first warned about the flaw in the gateway's SAML components on January 31, 2024, giving it a zero-day status for limited active exploitation, impacting a small number of customers.
Exploitation of CVE-2024-21893 allowed attackers to bypass authentication and access restricted resources on vulnerable devices (versions 9.x and 22.x).
Threat monitoring service Shadowserver is now seeing multiple attackers leveraging the SSRF bug, with 170 distinct IP addresses attempting to exploit the flaw.
The exploitation volume of this p
Tenable
Cybersecurity Snapshot: Attackers Hack Routers To Hit Critical Infrastructure, as CISA Calls for More Secure Router Design
blogs_tenable·2024-02-02
Cybersecurity Snapshot: Attackers Hack Routers To Hit Critical Infrastructure, as CISA Calls for More Secure Router Design
Zscaler
Ivanti VPN Vulnerability | ThreatLabz
blogs_zscaler·2024-02-02·CVSS 8.2
[HIGH] Ivanti VPN Vulnerability | ThreatLabz
Bleepingcomputer
CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday
blogs_bleepingcomputer·2024-02-01·CVSS 8.2
[HIGH] CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday
## CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday
## Sergiu Gatlan
CISA has ordered U.S. federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances vulnerable to multiple actively exploited bugs before Saturday.
This required action is part of a supplemental direction to this year's first emergency directive (ED 24-01) issued last week that mandates Federal Civilian Executive Branch (FCEB) agencies to urgently secure all ICS and IPS devices on their network against two zero-day flaws in response to extensive exploitation in the wild by multiple threat actors.
Ivanti appliances are currently targeted in attacks chaining the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection security flaws since Decem
Wiz
Crying Out Cloud - February Newsletter | Wiz
blogs_wiz·2024-02-01·CVSS 9.8
CVE-2023-33246 [CRITICAL] Crying Out Cloud - February Newsletter | Wiz
This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.
Here are our top picks!
## 🐞 High Profile Vulnerabilities
Apache RocketMQ RCE vulnerability exploited in-the-wild
In August 2023 researchers identified attackers exploiting CVE-2023-33246, a critical vulnerability in Apache RocketMQ, to install the DreamBus bot, a malware strain last reported about publicly in 2021. On January 5, 2024 Apache stated that the patch for CVE-2023-33246 was in fact insufficient, and an additional CVE was assigned to the bypass - CVE-2023-37582. The latter vulnerability is also being exploited in the wild, so it is recommended to patc
Tenable
CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
blogs_tenable·2024-01-31·CVSS 8.2
[HIGH] CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
Bleepingcomputer
Ivanti warns of new Connect Secure zero-day exploited in attacks
blogs_bleepingcomputer·2024-01-31·CVSS 8.2
CVE-2024-21893 [HIGH] Ivanti warns of new Connect Secure zero-day exploited in attacks
## Ivanti warns of new Connect Secure zero-day exploited in attacks
## Sergiu Gatlan
Today, Ivanti warned of two more vulnerabilities impacting Connect Secure, Policy Secure, and ZTA gateways, one of them a zero-day bug already under active exploitation.
The zero-day flaw (CVE-2024-21893) is a server-side request forgery vulnerability in the gateways' SAML component that enables attackers to bypass authentication and access restricted resources on vulnerable devices.
A second flaw (CVE-2024-21888) in the gateways' web component allows threat actors to escalate privileges to those of an administrator.
"As part of our ongoing investigation into the vulnerabilities reported on 10 January in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways, we have discovered new vulnerabiliti
Tenable
Cybersecurity Snapshot: New Guide Details How To Use AI Securely, as CERT Honcho Tells CISOs To Sharpen AI Security Skills Pronto
blogs_tenable·2024-01-26
Cybersecurity Snapshot: New Guide Details How To Use AI Securely, as CERT Honcho Tells CISOs To Sharpen AI Security Skills Pronto
Trendmicro
Protection against the Ivanti vulnerabilities
blogs_trendmicro·2024-01-25·CVSS 8.2
[HIGH] Protection against the Ivanti vulnerabilities
Cyber Threats
## Protection against the Ivanti vulnerabilities
Reports about the Ivanti vulnerabilities are currently making the rounds. Protecting against them naturally takes priority, but organizations should in principle think about how they handle VPNs and network security in general. A few suggestions follow.
By: Chris LaFleur Jan 25, 2024
The Ivanti zero-day vulnerability (by now three are already known) did not receive the attention it needs for a long time, even though it has substantial real-world impact. CISA has meanwhile added the vulnerability in Ivanti Endpoint Manager Mobile to the Known Exploited Vulnerabilities (KEV) Catalog. There are also current reports of massive attacks on the critical vulnerabilities, with systems in Germ
Sentinelone
January 2024 Cybercrime Update | Exploitation of Known CVEs, Crypto Drainers & Ransomware Updates
blogs_sentinelone·2024-01-25·CVSS 9.8
[CRITICAL] January 2024 Cybercrime Update | Exploitation of Known CVEs, Crypto Drainers & Ransomware Updates
Over the last month a number of interesting leaks have occurred within the ransomware-market ecosystem pertaining to the likes of BlackCat and Zeppelin. We saw some familiar names dominate the ransomware landscape in terms of volume and visibility, among them Play, BlackCat/AlphV, LockBit, Phobos (8base) and Akira.
In this month’s update we also discuss some of the vulnerabilities being weaponized by these actors over the last month below, with high profile enterprises Microsoft SQL and SharePoint among the targets.
Crypto drainers, DaaS, and associated scams came to the forefront over the last few weeks with associated hacks being observed across multiple high-profile social media accounts. We will touch base on these recent scams and discuss how these attacks are occurring.
We will ro
Bleepingcomputer
Ivanti: VPN appliances vulnerable if pushing configs after mitigation
blogs_bleepingcomputer·2024-01-22·CVSS 8.2
[HIGH] Ivanti: VPN appliances vulnerable if pushing configs after mitigation
## Ivanti: VPN appliances vulnerable if pushing configs after mitigation
## Sergiu Gatlan
Ivanti warned admins to stop pushing new device configurations to appliances after applying mitigations because this will leave them vulnerable to ongoing attacks exploiting two zero-day vulnerabilities.
While the company didn't provide additional details, it said that this is caused by a known race condition when pushing configurations that causes a web service to stop and the applied mitigation to stop working.
"Customers should stop pushing configurations to appliances with the XML in place, and not resume pushing configurations until the appliance is patched," Ivanti said in a new update published on Saturday.
"When the configuration is pushed to the appliance, it stops some key web services
Bleepingcomputer
CISA emergency directive: Mitigate Ivanti zero-days immediately
blogs_bleepingcomputer·2024-01-19·CVSS 8.2
CVE-2023-4680 [HIGH] CISA emergency directive: Mitigate Ivanti zero-days immediately
## CISA emergency directive: Mitigate Ivanti zero-days immediately
## Sergiu Gatlan
CISA issued this year's first emergency directive ordering Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate two Ivanti Connect Secure and Ivanti Policy Secure zero-day flaws in response to widespread and active exploitation by multiple threat actors.
This is an expected development, given that vulnerable Ivanti appliances are now targeted in extensive attacks chaining the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection vulnerabilities since December, and the vendor has yet to release security patches.
When chained, the two Ivanti zero-days allow attackers to move laterally within a target's network, exfiltrate data, and establish persistent system
Trendmicro
Ivanti Zero-Day: Protect Your Network from This Threat
blogs_trendmicro·2024-01-18·CVSS 8.2
[HIGH] Ivanti Zero-Day: Protect Your Network from This Threat
Cyber Threats
## Protecting Your Network Security from Ivanti Zero-Day Threat
The overlooked vulnerability with real impacts
By: Chris LaFleur 2024/01/18
The Ivanti Zero-Day vulnerability may not be getting the attention it deserves today, yet it carries substantial real-world impacts. A critical issue with this vulnerability is that the primary mitigation strategy is currently to apply patches unless you have IPS technology protecting your VPN server. As of Jan 18th it has been known that the best course of action is to take an imaged backup of your Ivanti Gateway and rebuild fully to the latest build. The latest information also shows that the original threat actors in the exploit have expanded, as others are likely abusing the public POC that was re
Volexity
Ivanti Connect Secure VPN Exploitation: New Observations
blogs_volexity·2024-01-18·CVSS 8.2
CVE-2024-21887 [HIGH] Ivanti Connect Secure VPN Exploitation: New Observations
Threat Intelligence
## Ivanti Connect Secure VPN Exploitation: New Observations
January 18, 2024
Matthew Meltzer, Sean Koessel, and Steven Adair
On January 15, 2024, Volexity detailed widespread exploitation of Ivanti Connect Secure VPN vulnerabilities CVE-2024-21887 and CVE-2023-46805. In that blog post, Volexity detailed broader scanning and exploitation by threat actors using still non-public exploits to compromise numerous devices. The following day, January 16, 2024, proof-of-concept code for the exploit was made public. Subsequently, Volexity has observed an increase in attacks from various threat actors against Ivanti Connect Secure VPN appliances beginning the same day.
Additionally, Volexity has continued its investigation into activity conducted by UTA0178 and made a few no
Talos
What to do with that fancy new internet-connected device you got as a holiday gift
blogs_talos·2024-01-18
What to do with that fancy new internet-connected device you got as a holiday gift
Welcome to 2024!
The Threat Source newsletter is back after our winter break.
When I wasn’t spending my downtime chasing around my toddler, one of my main projects was to upgrade the internet connection at my house. My ISP started offering Gigabit speeds and a 60 GHz connection, which was appealing to me as someone who is always on a quest to find the best way to stream PS5 games to my Steam Deck.
This sent me down a path of reconfiguring my home network and re-adding a bunch of devices to a new network. And even though this sounds like a totally basic skill for anyone who works in cybersecurity, it was a big deal for me to set up a separate IoT-only network.
Many readers may have even gotten a new IoT device for a holiday gift. This mobile projector was featured on several “Top Gifts
Bleepingcomputer
CISA: Critical Ivanti auth bypass bug now actively exploited
blogs_bleepingcomputer·2024-01-18·CVSS 9.8
CVE-2023-35082 [CRITICAL] CISA: Critical Ivanti auth bypass bug now actively exploited
## CISA: Critical Ivanti auth bypass bug now actively exploited
## Sergiu Gatlan
CISA warns that a critical authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) and MobileIron Core device management software (patched in August 2023 ) is now under active exploitation.
Tracked as CVE-2023-35082, the flaw is a remote unauthenticated API access vulnerability affecting all versions of EPMM 11.10, 11.9, and 11.8 and MobileIron Core 11.7 and below.
Successful exploitation provides attackers access to personally identifiable information (PII) of mobile device users and can let them backdoor compromised servers when chaining the bug with other flaws.
"Ivanti has an RPM script available now. We recommend customers first upgrade to a supported version and then apply t
Unit42
Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
blogs_unit42·2024-01-16·CVSS 8.2
CVE-2023-46805 [HIGH] Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
## Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
Unit 42
Published: January 16, 2024
Unit 42 stopped monitoring this threat and updating the brief on Feb. 29, 2024. Please refer to Ivanti's website for the latest information.
## Update Feb. 29
The U.S. government, in collaboration with international government allies, has published a Joint Cybersecurity Advisory (CSA) which includes recent findings about exploitation of the Ivanti vulnerabilities. In this report the authoring organizations state that threat actors are able to deceive Ivanti’s internal and external Integrity Checker Tools (ICT) which results in a failure to detect a compromise. They also state that cyber threat actors may be able to maintain root-level persistence despite issuing factory resets.
This CSA also includes guidance on incident response steps. They recommend defenders reset all credentials tha
Volexity
Ivanti Connect Secure VPN Exploitation Goes Global
blogs_volexity·2024-01-15·CVSS 8.2
[HIGH] Ivanti Connect Secure VPN Exploitation Goes Global
## Ivanti Connect Secure VPN Exploitation Goes Global
January 15, 2024
Cem Gurkok, Paul Rascagneres, Sean Koessel, Steven Adair, and Tom Lancaster
Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then please do that immediately! Organizations should immediately review the results of the built-in Integrity Check Tool for log entries indicating mismatched or new files. As of version 9.1R12, Ivanti started providing a built-in Integrity Checker Tool that can be run as a periodic or scheduled scan. Volexity has observed it successfully detecting the compromises described in this post across impacted organizations. Last week, Ivanti also released an updated version of the external Integrity Checker Tool that can be fu
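The check Volexity describes above, baselining the files on the appliance and flagging anything new or mismatched, is the general file-integrity technique shown below. This is an added example, not Ivanti's Integrity Checker Tool or any of its code; the directory layout, file names and file contents are constructed for the demo. The Feb. 29 advisory quoted earlier reports actors deceiving the on-box ICT, so the baseline manifest should come from a known-good image and live off the appliance.

```python
"""Baseline-vs-current file integrity check.

Added example modelling what the page describes the Integrity Checker Tool
doing: hash every file under a root, compare against a known-good manifest,
and report files that are new, missing, or changed. Not Ivanti's code; the
tree built in demo() is constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so an attacker cannot alias a tampered file onto a
    known-good target and make the hash match.
    """
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return sorted lists of new, missing and mismatched paths."""
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    mismatched = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"new": new, "missing": missing, "mismatched": mismatched}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "cgi").mkdir()
        (root / "lib" / "libexample.so").write_bytes(b"\x7fELF original")
        (root / "cgi" / "login.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        (root / "cgi" / "status.cgi").write_text("#!/usr/bin/perl\nprint 'up';\n")
        baseline = build_manifest(root)  # in practice: taken from a clean image

        # Simulated tampering: a shared library is modified, an unexpected
        # file appears next to legitimate CGI scripts, and one file is removed.
        (root / "lib" / "libexample.so").write_bytes(b"\x7fELF patched")
        (root / "cgi" / "shell.cgi").write_text("#!/usr/bin/perl\n# dropped file\n")
        (root / "cgi" / "status.cgi").unlink()

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Against a real appliance, build_manifest() over a mounted known-good image gives the baseline and the same call over the live (or better, offline-imaged) filesystem gives the current state. A host that is already compromised can lie to any checker that runs on it, so a clean result from an on-appliance run is weaker evidence than one from an offline mount.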
Bleepingcomputer
Ivanti Connect Secure zero-days now under mass exploitation
blogs_bleepingcomputer·2024-01-15·CVSS 8.2
CVE-2023-46805 [HIGH] Ivanti Connect Secure zero-days now under mass exploitation
## Ivanti Connect Secure zero-days now under mass exploitation
By: Sergiu Gatlan
Two zero-day vulnerabilities affecting Ivanti's Connect Secure VPN and Policy Secure network access control (NAC) appliances are now under mass exploitation.
As discovered by threat intelligence company Volexity, which also first spotted the zero-days being used in attacks since December, multiple threat groups have chained the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection vulnerability in widespread attacks starting January 11.
"Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals," Volexity warned today.
The attackers backdo
Checkpoint
15th January – Threat Intelligence Report
blogs_checkpoint·2024-01-15
CVE-2023-46805 15th January – Threat Intelligence Report
## 15th January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 15th January, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
The ransomware-as-a-service group Medusa has breached Water for People nonprofit organization, which aims to improve access to clean water in different countries including Guatemala, Honduras, Mozambique and India. The cybercriminals are asking for a $300K extortion fee to not leak the stolen data. The organization says i
Bleepingcomputer
Ivanti Connect Secure zero-days exploited to deploy custom malware
blogs_bleepingcomputer·2024-01-12·CVSS 8.2
CVE-2023-46805 [HIGH] Ivanti Connect Secure zero-days exploited to deploy custom malware
## Ivanti Connect Secure zero-days exploited to deploy custom malware
By: Bill Toulas
Hackers have been exploiting the two zero-day vulnerabilities in Ivanti Connect Secure disclosed this week since early December to deploy multiple families of custom malware for espionage purposes.
Identified as CVE-2023-46805 and CVE-2024-21887, the security issues allow bypassing authentication and injecting arbitrary commands on vulnerable systems. Ivanti said that the attackers targeted a small number of its customers.
A report from Mandiant, which is working with Ivanti to investigate the incident, notes that the threat actor behind the attacks is engaged in espionage and is currently tracked internally as UNC5221.
Today, threat monitoring service Shadowserver has posted on X that its scanners detect 17
Qualys
Dual Zero-Day Threats in Ivanti Connect Secure and Policy Secure Gateways – CVE-2023-46805 and CVE-2024-21887
blogs_qualys·2024-01-11·CVSS 8.2
[HIGH] Dual Zero-Day Threats in Ivanti Connect Secure and Policy Secure Gateways – CVE-2023-46805 and CVE-2024-21887
## Table of Contents
- The Impact of Dual Zero-Day Threats in Ivanti Connect and Policy Secure Gateways
- Vulnerable Versions
- How can Qualys assist organizations, and what actions should these organizations undertake?
- Conclusion
- Contributors
In recent and alarming cybersecurity developments, Volexity researchers have discovered that attackers are exploiting two distinct zero-day vulnerabilities in a coordinated manner to enable unauthenticated remote code execution (RCE). These vulnerabilities are identified as CVE-2023-46805 and CVE-2024-21887, posing a significant threat when combined. Moreover, their severity has been recognized by the Cybersecurity and Infrastructure Security Agency (CISA), leading to their inclusion in the agency’s Known Exploited Vulnerabilities (KEV) catalog. This
Bleepingcomputer
Ivanti warns of Connect Secure zero-days exploited in attacks
blogs_bleepingcomputer·2024-01-10·CVSS 8.2
CVE-2023-46805 [HIGH] Ivanti warns of Connect Secure zero-days exploited in attacks
## Ivanti warns of Connect Secure zero-days exploited in attacks
By: Sergiu Gatlan
Ivanti has disclosed two Connect Secure (ICS) and Policy Secure (IPS) zero-days exploited by suspected Chinese hackers in the wild that can let remote attackers execute arbitrary commands on targeted gateways.
The first security flaw (CVE-2023-46805) is an authentication bypass in the appliances' web component, enabling attackers to access restricted resources by circumventing control checks, while the second (tracked as CVE-2024-21887) is a command injection vulnerability that lets authenticated admins execute arbitrary commands on vulnerable appliances by sending specially crafted requests.
When successfully chaining the two zero days, threat actors can run arbitrary commands on all supported versions o
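The two flaw classes named in the paragraph above, an access-control check that can be circumvented and a handler that splices a request parameter into a shell command, modelled in Python as an added example. This is not Ivanti's code and does not reproduce the real exploit; the routes, the allowlist and the `host` parameter are invented for illustration. For each class the weak version sits beside the corrected one.

```python
"""Model of two bug classes: a circumventable route check and command splicing.

Added example, not Ivanti's code. UNAUTH_PREFIXES, the '/api/v1/...' routes
and the 'host' parameter are constructed for the demo.
"""
import posixpath
import re
import subprocess
from urllib.parse import unquote

# Constructed allowlist: routes the web front end serves without a session.
UNAUTH_PREFIXES = ("/api/v1/public/",)


def resolve(raw_path: str) -> str:
    """Percent-decode and collapse '.'/'..' segments, i.e. the path the
    dispatcher will actually route on. posixpath.normpath never climbs
    above '/', so '/a/../../b' becomes '/b', not an error."""
    return posixpath.normpath("/" + unquote(raw_path).lstrip("/"))


def weak_is_public(raw_path: str) -> bool:
    """Vulnerable: the control check looks at the path exactly as sent.
    '/api/v1/public/../admin/exec' passes, yet routes to the admin handler."""
    return raw_path.startswith(UNAUTH_PREFIXES)


def strict_is_public(raw_path: str) -> bool:
    """Hardened: check the same canonical path the dispatcher will use."""
    return resolve(raw_path).startswith(UNAUTH_PREFIXES)


def weak_command(host: str) -> str:
    """Vulnerable: an admin-supplied parameter is spliced into a shell string.
    'echo' stands in for whatever maintenance command the handler runs."""
    return "echo probing " + host


# Hostname / IPv4 characters only; anything else (space, ';', '`', '$') is rejected.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def strict_command(host: str) -> list[str]:
    """Hardened: validate against an allowlist pattern and build argv, no shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["echo", "probing", host]


def run_weak(host: str) -> str:
    """Executes weak_command() the way a shell=True call would; a ';' in the
    parameter runs a second command."""
    return subprocess.run(weak_command(host), shell=True,
                          capture_output=True, text=True).stdout


def run_strict(host: str) -> str:
    """Executes strict_command() as argv; metacharacters never reach a shell."""
    return subprocess.run(strict_command(host),
                          capture_output=True, text=True).stdout


def rejects(host: str) -> bool:
    """True if the hardened validator refuses this parameter."""
    try:
        strict_command(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    traversal = "/api/v1/public/../admin/exec"
    print("weak check lets traversal through:", weak_is_public(traversal))
    print("strict check resolves it to:", resolve(traversal), "->", strict_is_public(traversal))
    print("weak handler output:\n" + run_weak("203.0.113.5; echo INJECTED"))
    print("strict handler rejects it:", rejects("203.0.113.5; echo INJECTED"))
```

The point of pairing the two is that neither fix alone is enough: with the strict route check an attacker still needs valid admin credentials to reach the handler, and with the strict handler an unauthenticated caller who reaches it still cannot run arbitrary commands. The page's chain works precisely because both checks failed.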
Volexity
Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
blogs_volexity·2024-01-10
Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
## Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
January 10, 2024
Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Tom Lancaster
Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. An official security advisory and knowledge base article have been released by Ivanti that includes mitigation that should be applied immediately. However, a mitigation does not remedy a past or ongoing compromise. Systems should simultaneously be thoroughly analyzed per details in this post to look for signs of a breach.
During the second week of December 2023, Volexity detected suspicious lateral movement on the network of one
Tenable
CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
blogs_tenable·2024-01-10·CVSS 8.2
[HIGH] CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
Huntress
CVE-2024-21887 Vulnerability: Analysis, Detection, Removal | Huntress
blogs_huntress·CVSS 8.2
CVE-2024-21887 [HIGH] CVE-2024-21887 Vulnerability: Analysis, Detection, Removal | Huntress
## CVE-2024-21887 Vulnerability
Published: 11/21/25
Written by: Nadine Rozell
CVEs are Common Vulnerabilities and Exposures—unique identifiers for publicly known cybersecurity vulnerabilities. CVE-2024-21887 is the other half of a devastating exploit chain targeting Ivanti Connect Secure VPNs. This command injection vulnerability is the haymaker that follows the jab of an authentication bypass, allowing attackers to take complete control of a critical network device.
This page explains how this nasty flaw works, its massive impact when chained with CVE-2023-46805, and the urgent actions you need to take. Let's lock this down.
## What is CVE-2024-21887 Vulnerability?
CVE-2024-21887 is a command injection vulnerability in the web components of Ivanti Connect Secure (ICS) and Ivanti Pol
Huntress
CVE-2024-22024 (Ivanti XXE) Vulnerability: Analysis & Detection | Huntress
blogs_huntress·CVSS 8.2
CVE-2024-22024 [HIGH] CVE-2024-22024 (Ivanti XXE) Vulnerability: Analysis & Detection | Huntress
## CVE-2024-22024 Vulnerability
CVEs are Common Vulnerabilities and Exposures - unique identifiers assigned to publicly known cybersecurity vulnerabilities.
Published: 01/20/2026
Written by: Nadine Rozell
## What is CVE-2024-22024 vulnerability?
CVE-2024-22024 is an XXE (XML External Entity) flaw in the SAML (Security Assertion Markup Language) authentication component of Ivanti gateways.
The vulnerability exists because the application processes XML input from user-supplied requests without properly disabling external entity references. Attackers can exploit this by embedding a malicious XML reference (an "entity") in a SAML request. When the server processes this request, it automatically expands the entity, which can allow the attacker to read arbitrary files on the system or trick t
Huntress
CVE-2023-46805 Vulnerability | Huntress
blogs_huntress·CVSS 8.2
CVE-2023-46805 [HIGH] CVE-2023-46805 Vulnerability | Huntress
## CVE-2023-46805 Vulnerability
Published: 12/16/25
Written by: Nadine Rozell
## What is CVE-2023-46805 Vulnerability?
CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. In simple terms, it lets an attacker sidestep access controls and get into protected parts of the VPN gateway without needing to log in. This vulnerability is the key that unlocks the door for more severe attacks, especially when combined with a command injection flaw.
## When was it discovered?
The vulnerability was disclosed by Ivanti on January 10, 2024, after security researchers observed it being actively exploited in the wild. This wasn't a theoretical bug; attackers were already using it to hit target
Threat Intel
UNC5337
threat_intel·CVSS 8.2
CVE-2023-46805 [HIGH] UNC5337
# Threat Actor: UNC5337
## Description
UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility. Mandiant suspects with medium confidence that UNC5337 is UNC5221.
Crowdstrike
Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Unveiling WARP PANDA: A New Sophisticated China-Nexus Adversary
Threat Intel
UNC5330
threat_intel·CVSS 9.1
CVE-2024-21893 [CRITICAL] UNC5330
# Threat Actor: UNC5330
## Description
UNC5330 is a suspected China-nexus espionage actor. UNC5330 has been observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances as early as Feb. 2024. Post-compromise activity by UNC5330 includes deployment of PHANTOMNET and TONERJAM. UNC5330 has employed Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence.
Mandiant observed UNC5330 operating a server since Dec. 6, 2021, which the group used as a GOST proxy to help facilitate malicious tool deployment to endpoints. The default certificate for GOST proxy was observed from Sept. 1, 2022 through Jan. 1, 2024. UNC5330 also attempted to download Fast Reverse Proxy (FRP) from t
Zscaler
VPN Risk Report Highlights Concerns About Unsafe VPNs
blogs_zscaler
VPN Risk Report Highlights Concerns About Unsafe VPNs
Greynoiseio
NoiseLetter July 2025
blogs_greynoiseio
NoiseLetter July 2025
Zscaler
Remove Ivanti Zero Day Vulnerabilities with Zscaler Private
blogs_zscaler
Remove Ivanti Zero Day Vulnerabilities with Zscaler Private
Greynoiseio
Ivanti Connect Secure Exploited to Install Cryptominers
blogs_greynoiseio
Ivanti Connect Secure Exploited to Install Cryptominers
Greynoiseio
Practical Vulnerability Archaeology Starring Ivanti's CVE-2021-44529
blogs_greynoiseio·CVSS 9.8
[CRITICAL] Practical Vulnerability Archaeology Starring Ivanti's CVE-2021-44529
Zscaler
CISO Monthly Roundup, May 2024: Operation Endgame, Anatsa malware, HijackLoader, and the Zscaler ThreatLabz 2024 VPN Risk Report | CXO Revolutionaries
blogs_zscaler
CISO Monthly Roundup, May 2024: Operation Endgame, Anatsa malware, HijackLoader, and the Zscaler ThreatLabz 2024 VPN Risk Report | CXO Revolutionaries
## CISO Monthly Roundup, May 2024: Operation Endgame, Anatsa malware, HijackLoader, and the Zscaler ThreatLabz 2024 VPN Risk Report
By: Deepen Desai (Contributor, Zscaler)
Jun 7, 2024
ThreatLabz research on Operation Endgame, Anatsa malware, and HijackLoader. The Zscaler ThreatLabz 2024 VPN Risk Report. Zenith Live 24.
The CISO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with CISO insights on cyber-related subjects. Over the past month ThreatLabz assisted with Operation Endgame, analyzed an Anatsa campaign, examined HijackLoader updates, and released a VPN risk report.
## Operation Endgame extinguishes Smoke
Smoke (a.k.a. SmokeLoader, Dofoil) is a malware that has been plaguing organizations since 2011. Threat actors typically use Smoke to delive
arXiv
A Comprehensive Evaluation and Practice of System Penetration Testing
arxiv_fulltext·2026-01-30
A Comprehensive Evaluation and Practice of System Penetration Testing
[1] Chunyi Zhang and Jin Zeng contributed equally to this work.
[2] Authors' contact information: Chunyi Zhang, Hainan University, Haikou, China; Jin Zeng, Hainan University, Haikou, China; Xiaoqi Li, Hainan University, Haikou, China.
## Abstract
With the rapid advancement of information technology, the complexity of applications continues to increase, and the cybersecurity challenges we face are also escalating. This paper aims to investigate the methods and practices of system security penetration testing, exploring how to enhance system security through systematic penetration testing processes and technical approaches. It also examines existing penetration tools, analyzing their strengths, weaknesses, and applicable domains to guide penetration testers in tool select
References:
- http://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html
- https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21887

Published: 2024-01-12
Added to CISA KEV: 2024-01-10
Exploited in the wild