On Wednesday, January 10, Ivanti released an advisory on their Pulse Secure Client and Gateway products. Ivanti says that, according to security researchers at Volexity, malicious actors could use two 0-day vulnerabilities to achieve remote code execution and take over machines remotely. Chinese actors are already exploiting Pulse Secure to gain access to victim networks.
Ivanti Connect Secure is a VPN application that began as a Juniper Networks solution in 2014. Juniper sold the Pulse product to Siris Capital in 2015, when it was renamed “Pulse Secure.” Ivanti, known for its LANDesk RMM solution, bought Pulse in 2020 and rebranded it as “Ivanti Pulse Secure.”
Some digging into MITRE’s CVE database shows that Pulse’s first reported vulnerability was in 2013: a test certificate in the Trusted list could help an attacker gain access. Since then, the CVE database has recorded another 108 vulnerabilities.
Foreign actors are using the two vulnerabilities in the advisory to breach target networks. CVE-2023-46805 lets an attacker bypass authentication via the web console. CVE-2024-21887 allows the remote attacker to execute commands on the appliance. From there, an attacker can locally modify files on Pulse Secure to enable further command execution and keylog credentials.
According to Mandiant, the threat actor known as “UNC5221” or “UTA0178” is suspected of utilizing these exploits as early as December 2023. In 2021, UNC2630 and UNC2717 targeted US Defense Agencies and associated contractors using exploits on Pulse Secure products.
If your organization is currently using Pulse Secure, please ensure you have reviewed Ivanti’s mitigation strategies, available in the article “KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways.”
Cerium’s new Managed SOC services have the capabilities to detect and defend against attempted breaches. Our XDR solution is vendor-agnostic and was rated “Visionary” by Gartner in 2023. We also offer secure remote access solutions through Cisco and Meraki. If you’re currently a Pulse Secure user and want to discuss migrating to Cerium’s VPN solution, please contact us.