#ConnectSecure

2025-05-01

🚨 April 2025 Vulnerability Report is out! 🚨

👉 vulnerability-lookup.org/2025/

The most prominent vulnerabilities affect the following products:

- #Ivanti / #ConnectSecure
- #Erlang / OTP
- #SAP / SAP NetWeaver

The Continuous Exploitation section highlights several resurgent vulnerabilities (recently exploited at a high rate).

💻 NISDUC Conference

#VulnerabilityLookup will be presented during the fourth #NISDUC conference.

👉 nisduc.eu

#CyberSecurity #Vulnerability #opensource

2024-04-19

MITRE disclosed that one of their research and development networks was compromised by a foreign nation-state threat actor in January 2024 using Ivanti Connect Secure zero-days CVE-2023-46805 and CVE-2024-21887. Networked Experimentation, Research, and Virtualization Environment (NERVE) is a collaborative network used for research, development, and prototyping. MITRE included a timeline, observed TTP methods (mapped out to MITRE ATT&CK techniques cc: @howelloneill) and their incident response actions. No IOC provided. 🔗 mitre.org/news-insights/news-r and medium.com/mitre-engenuity/adv h/t @reverseics

cc: @campuscodi @briankrebs

#MITRE #Ivanti #ConnectSecure #CVE_2023_46805 #CVE_2024_21887 #threatintel #cyberespionage

2024-04-04

I buried the lede in not mentioning that UNC5291 is assessed with medium confidence to be associated with Volt Typhoon, a Chinese state-sponsored Advanced Persistent Threat (APT). See related The Record reporting: Volt Typhoon and 4 other groups targeting US energy and defense sectors through Ivanti bugs

#Ivanti #ConnectSecure #vulnerability #cyberespionage #China #activeexploitation #eitw #zeroday #KEV #CISA #CVE_2023_46805 #CVE_2024_21887 #CVE_2024_21893 #UNC5221 #UNC5266 #UNC5330 #UNC5337 #UNC5291

2024-04-04

Mandiant releases part 4 of the Ivanti Connect Secure incident response investigation. They detail different types of post-exploitation activity across their IR engagements. Chinese threat actors have a growing knowledge of Ivanti Connect Secure in abusing appliance-specific functionality to perform actions on objective. They highlight FIVE Chinese threat actors: UNC5221, UNC5266, UNC5330, UNC5337, and UNC5291 abusing a mix of CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. New TTPs, new malware families and new IOC: 🔗 cloud.google.com/blog/topics/t

EDIT: For your situational awareness, it's my understanding that future Mandiant articles will be located at cloud.google.com/blog/topics/t

#Ivanti #ConnectSecure #vulnerability #cyberespionage #China #activeexploitation #eitw #zeroday #KEV #CISA #CVE_2023_46805 #CVE_2024_21887 #CVE_2024_21893 #UNC5221 #UNC5266 #UNC5330 #UNC5337 #UNC5291

2024-04-03

Here goes #Ivanti #connectsecure again

4 new CVEs, 2 high severity for Ivanti Connect Secure and Ivanti Policy Secure Gateways:

CVE-2024-21894 and CVE-2024-22053 are heap overflows which, in certain conditions, allow remote code execution (CVE-2024-21894) or reading of contents in memory (CVE-2024-22053).

forums.ivanti.com/s/article/SA

2024-04-03

I want to get off Mr. Ivanti's wild ride: security advisory for Ivanti Connect Secure and Ivanti Policy Secure: 🔗 forums.ivanti.com/s/article/SA and blog post: ivanti.com/blog/security-updat

  • CVE-2024-21894 (8.2 high) heap overflow leads to Denial of Service (DoS), and sometimes arbitrary code execution
  • CVE-2024-22052 (7.5 high) null pointer dereference causes DoS
  • CVE-2024-22053 (8.2 high) heap overflow leads to DoS or information disclosure
  • CVE-2024-22023 (5.3 medium) XML entity expansion (XEE) causes a limited-time DoS

We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.

#Ivanti #ConnectSecure #PolicySecure #vulnerability #CVE_2024_21894 #CVE_2024_22052 #CVE_2024_22053 #CVE_2024_22023

Tyson, Chicken Rancher 📍tsupasat@infosec.exchange
2024-02-15

Soooo ... that integrity checker tool that Ivanti wants customers to use to detect compromise? It doesn't scan more than a dozen directories including /data, /etc, /tmp, and /var. As a test of what was possible, @n0x08 installed the Sliver C2 tool in /data and ran the integrity checker tool and it passed. Patched Ivanti VPNs could very well still be compromised even if the integrity checker tool gave them an all-clear.

We also found numerous extremely old software packages, including a Linux kernel that was EOL in 2020 (CentOS 6.4). Yikes!

eclypsium.com/blog/flatlined-a

#ivanti #connectsecure #connectaround
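The blind spot described in the post above (an integrity checker that only inspects an allowlist of directories) as an added Python example; this is not code from the post, from Eclypsium or from Ivanti. It snapshots SHA-256 hashes of a small constructed file tree, takes one baseline with a narrow directory scope and one with a full scope, plants a file under `data/`, and shows the narrow checker reporting a clean result while the full-scope checker flags the addition. All directory names, file contents and the `NARROW_SCOPE`/`FULL_SCOPE` lists are constructed for illustration and do not represent the real appliance layout or the real checker's configuration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample tree standing in for an appliance filesystem.
# Names are illustrative only, not the real product layout.
SAMPLE_TREE = {
    "home/bin/web": b"#!/bin/sh\necho web\n",
    "home/etc/config.xml": b"<config/>\n",
    "data/cache.db": b"cache",
    "tmp/.keep": b"",
    "var/log/app.log": b"started\n",
}

# Hypothetical scopes: a checker that only walks "home" versus one that
# walks every top-level directory where an implant could be written.
NARROW_SCOPE = ["home"]
FULL_SCOPE = ["home", "data", "tmp", "var"]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, scope: list[str]) -> dict[str, str]:
    """Map relative path -> hash for every regular file under root/<dir>, dir in scope."""
    result = {}
    for d in scope:
        base = root / d
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            # Skip symlinks: following them would let a link point the checker elsewhere.
            if p.is_file() and not p.is_symlink():
                result[str(p.relative_to(root))] = sha256_file(p)
    return result


def diff(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed, or whose content hash changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def is_clean(report: dict[str, list[str]]) -> bool:
    """A checker's verdict: clean only if nothing was added, removed or modified."""
    return not any(report.values())


def populate(root: Path, tree: dict[str, bytes]) -> None:
    """Write the constructed sample tree to disk."""
    for rel, content in tree.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo() -> dict[str, dict[str, list[str]]]:
    """Plant a file outside the narrow scope and return both checkers' reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        populate(root, SAMPLE_TREE)
        narrow_base = snapshot(root, NARROW_SCOPE)
        full_base = snapshot(root, FULL_SCOPE)
        # Simulate an unexpected binary dropped into data/ (constructed placeholder bytes).
        (root / "data" / "svc").write_bytes(b"\x7fELF-placeholder")
        narrow_report = diff(narrow_base, snapshot(root, NARROW_SCOPE))
        full_report = diff(full_base, snapshot(root, FULL_SCOPE))
    return {"narrow": narrow_report, "full": full_report}


if __name__ == "__main__":
    reports = demo()
    print("narrow-scope checker clean:", is_clean(reports["narrow"]))
    print("full-scope checker clean:  ", is_clean(reports["full"]), reports["full"])
```

The narrow checker returns a clean verdict even though a new file now sits under `data/`, which is exactly the failure mode the post describes; the full-scope checker lists `data/svc` as added. When evaluating any integrity tool, the directories it does not walk matter as much as the ones it does, and a baseline taken from a known-good image should cover every writable location.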

Matt Willemsenmattotcha
2024-02-03
