CISA issues warning about another Ivanti flaw under active attack



Hackers are exploiting yet another vulnerability in one of Ivanti’s widely used enterprise products, the U.S. government’s cybersecurity agency CISA warned in a fresh alert this week.

The remote code execution flaw in Ivanti Endpoint Manager (EPM), a tool that helps organizations manage and secure their fleets of employee devices, was first disclosed by Trend Micro’s Zero Day Initiative in April and patched by Ivanti the following month. 

The bug allows an unauthenticated attacker to remotely run malicious code on an affected Ivanti customer’s server.

Now, CISA says hackers are actively exploiting this vulnerability — tracked as CVE-2024-29824 — to hack into unpatched systems, according to its advisory on Wednesday, citing evidence of active exploitation. CISA’s advisory requires that all federal civilian agencies update vulnerable systems by October 23 to defend against exploitation.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.

Ivanti, the U.S.-based IT software company with over 40,000 corporate customers — including much of the Fortune 100, confirmed in an update to its May security advisory this week that the vulnerability was actively used to target a “limited number” of Ivanti customers.

Ivanti hasn’t said how many of its customers were compromised, and an Ivanti spokesperson did not provide comment when contacted by TechCrunch. The company has yet to say if it was aware of any customer data exfiltration due to the compromises. 

Ivanti is no stranger to hackers abusing vulnerabilities in its software. Earlier this year, the company confirmed that hackers were mass-exploiting vulnerabilities in Connect Secure, its remote access VPN solution used by thousands of corporations and large organizations worldwide.

This disclosure came just weeks after Ivanti confirmed the exploitation of two earlier zero-day flaws in Connect Secure. Security researchers linked the attacks to China-backed hackers who had been using the vulnerabilities to break into customer networks and steal information.




Source