A zero-day vulnerability disclosed by Ivanti last week is undergoing mass exploitation in the wild, according to the Shadowserver Foundation.
The non-profit said it had seen over 170 discrete IP addresses involved in attempted attacks designed to leverage CVE-2024-21893. Interestingly, it claimed these had begun before Rapid7 released a proof-of-concept exploit for the bug on February 2.
As reported by Infosecurity last week, CVE-2024-21893 is a server-side request forgery (SSRF) flaw in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA. It allows an attacker to access certain restricted resources without authentication and has a CVSS score of 8.2.
When disclosed on January 31, the vulnerability was said to have been exploited on only a “limited number of customer” devices.
Read more on Ivanti zero-days: Ivanti Zero-Days Exploited By Multiple Actors Globally
CVE-2024-21893 is being exploited by attackers to bypass an initial mitigation Ivanti released to deal with two zero-days it disclosed on January 10.
Chinese threat actor UTA0178 (aka UNC5221) had been exploiting CVE-2023-46805 and CVE-2024-21887 in a chain, in order to bypass multi-factor authentication and compromise the Ivanti Connect Secure VPN product and Policy Secure network access control (NAC) offering.
Ivanti has now begun releasing patches for all of these vulnerabilities, as well as a fourth (CVE-2024-21888), alongside a second mitigation which is said to help organizations build resilience against attacks chaining CVE-2024-21893 with CVE-2024-21887 in order to compromise Ivanti devices.
Rapid7 principal security researcher, Stephen Fewer, explained on X (formerly Twitter) that CVE-2024-21893 is actually not a new discovery.
“The SSRF, as we found it, is actually an n-day in the xmltooling library, patched out around June 2023 and assigned CVE-2023-36661. The SSRF can be chained to CVE-2024-21887 for unauthenticated command injection with root privileges,” he said.