We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

China-Backed Hackers Exploit Ivanti VPN Zero-Day Flaws

China-Backed Hackers Exploit Ivanti VPN Zero-Day Flaws
Author Image Keira Waddell
Keira Waddell Published on 16th January 2024 Senior Writer

In a series of coordinated cyberattacks, state-backed hackers have been exploiting critical zero-day vulnerabilities in Ivanti Connect Secure, a widely used VPN appliance. The vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have put numerous organizations at risk.

CVE-2023-46805, an authentication bypass flaw, and CVE-2024-21887, a command injection vulnerability, have been exploited to achieve unauthenticated remote code execution on vulnerable systems. This exploitation enables attackers to steal configuration data, modify existing files, download remote files, and create reverse tunnels from the Ivanti VPN appliance.

Cybersecurity firms Mandiant and Volexity have played significant roles in uncovering these security breaches. Volexity detected suspicious activity on a customer’s network in December 2023, attributing the attack to a hacking group under the alias UTA0178, who are believed to be backed by China. Ivanti has confirmed these reports, stating that the vulnerabilities have been actively exploited in the wild.

A renowned security researcher, Kevin Beaumont, has dubbed the vulnerabilities "ConnectAround." Although reports indicate less than 10 customers have been directly affected so far, he reported that approximately 15,000 Ivanti appliances globally are exposed to the internet, suggesting a potentially larger scale of impact than initially thought.

Ivanti has responded to these threats by announcing a staggered release of patches, starting from the week of January 22 and continuing through mid-February. In the meantime, the company has provided an XML mitigation file that can offer immediate protection against potential threats. However, Ivanti declined to comment on why the patches aren’t immediately available, and did not specify whether any data exfiltration has occurred as a result of the attacks.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging federal agencies to apply these fixes by January 31, 2024. CISA has also added the vulnerabilities to its Known Exploited Vulnerabilities catalog.

Organizations using Ivanti's VPN product are advised to prioritize the implementation of Ivanti's mitigation file. It is crucial to note, as pointed out by Volexity, that these mitigations do not address past compromises. Therefore, a thorough analysis of possibly affected networks for any signs of compromise is essential.

The situation is evolving, and further developments are expected as more information becomes available and as Ivanti releases its patches.

About the Author

Keira is an experienced cybersecurity and tech writer dedicated to providing comprehensive insights on VPNs, online privacy, and internet censorship.