Roughly 16,500 Ivanti Join Safe and Poly Safe gateways uncovered on the web are doubtless susceptible to a distant code execution (RCE) flaw the seller addressed earlier this week.
The flaw is tracked as CVE-2024-21894 and is a high-severity heap overflow within the IPSec element of Ivanti Join Safe 9.x and 22.x, doubtlessly permitting unauthenticated customers to trigger denial of service (DoS) or obtain RCE by sending specifically crafted requests.
Upon disclosure, on April 3, 2024, the web search engine Shodan confirmed 29,000 internet-exposed cases, whereas menace monitoring service Shadowserver reported seeing roughly 18,000.
On the time, Ivanti acknowledged that it had seen no indicators of energetic exploitation in any of its prospects however urged system directors to use the updates as quickly as doable.
Two days later, Shadowserver added CVE-2024-21894 into its scanning capabilities, reporting that about 16,500 cases are susceptible to the RCE flaw.
Most of these cases (4,700) are in the US, with Japan (2,000), the UK (1,000), Germany (900), France (900), China (500), the Netherlands (500), Spain (500), Canada (330), India (330), and Sweden (320) following with vital degree of publicity too.
Excessive-risk vulnerabilities in Ivanti merchandise usually act as a degree of breach for organizations worldwide.
Earlier this yr, it was revealed that state-sponsored menace actors leveraged a number of flaws in Ivanti merchandise, specifically CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893, whereas they have been zero-days, which means the seller did not know concerning the flaws and no fixes have been obtainable.
This exercise was adopted by a number of hacking teams exploiting widespread exploitation to deploy customized net shells to backdoor units.
A report printed right now by Mandiant dives deeper into high-profile current bug exploitation instances focusing on Ivanti endpoints, specializing in Chinese language hackers from 5 distinct exercise clusters and a malware household named ‘SPAWN’ utilized in these assaults.
System directors who haven’t utilized the obtainable mitigations and fixes for CVE-2024-21894 are suggested to comply with the seller’s directions on this data base article.
