A security researcher says he has identified a new critical vulnerability in Ivanti appliances that needs no authentication to remotely exploit.
The fresh CVSS 9.8 Ivanti vulnerability was reported via the Zero Day Initiative on May 1 by experienced zero day-hunter Sina Kheirkhah.
It does not yet have a CVE allocated nor a patch. Kheirkhah, aka @SinSinology declined to share further details with The Stack.
The vulnerability has a deadline for public disclosure of August 29.
We would not typically share such detail-thin notes at this stage.
We are doing so because:
- The researcher in question has a track record of credibility, with previous zero day finds and Pwn2Own wins under their belt.
- Ivanti appliances getting exploited at scale has already been bad news for many this year and teeing users up to patch or mitigate fast when more details land sounds judicious. Keep an eye out for an advisory.
Kheirkhah teased the find on X, writing: “Nothing to be scared about folks, just another CVSS 9.8 0day disclosed that's gonna get code execution in 0 seconds (3 seconds to be more accurate), no limitation, no authentication, no shit, just straight up remote code execution.”
With active exploitation of Ivanti vulnerabilities in 2023 and 2024 (e.g. 2023’s chained exploits of CVE-2023-35081 and CVE-2023-35078, and 2024’s abuse of CVE-2023-46805 and CVE-2024-21887, or CVE-2024-21893) hitting financial services firms, governments and even a sensitive network for defence collaboration at MITRE, finding a way to either rip out your Ivanti boxes or bake protections around them seems sensible.
The Stack has contacted Ivanti to confirm that it has received the bug report and is working on a patch.
The company’s CEO recently promised a sweeping product security overhaul including “rigorous threat modelling... embedding security into every stage of the software development lifecycle” after criticisms that his products were “made of string.”
A tear-down of Ivanti’s VPN appliances by infrastructure supply chain security specialist Eclypsium revealed that the “security” product shipped with a 13-year-old, unsupported base OS and software libraries with 973 vulnerabilities; 111 of which have publicly known exploits available.
That’s a big attack surface. Expect exploits to keep landing.
n.b. As Verizon's DBIR report emphasised this week: "Enterprise patch management cycles usually stabilize around 30 to 60 days as the viable target, with maybe a 15-day target for critical vulnerability patching. Sadly, this does not seem to keep pace with the growing speed of threat actor scanning and exploitation of vulnerabilities."
