DESCRIPTION LAST UPDATED: 2024-02-06
DEFAULT SEVERITY LEVEL: CRITICAL
This one-time Special Report contains information about currently known vulnerable Ivanti Connect Secure appliances – specifically those vulnerable to a new exploit chain as described in this Rapid7 CVE-2024-21893 analysis.
This is a developing incident – we see CVE-2024-21893 being used to bypass previous Ivanti mitigations (if any were installed) and execute CVE-2024-21887 RCE in the wild. You can also read up write-ups on the current situation from BleepingComputer, Ars Technica and The Register amongst others.
Information contained in the report is obtained by scanning for exposed and vulnerable instances and was provided to us by an anonymous source.
If you receive an alert from us on a vulnerable instance detected in your network or constituency please also assume compromise of your instance and possibly your network.
A patch with guidance is available from Ivanti.
Please also review US CISA compromised and threat hunting guidance on the incident.
Please note we are also scanning for vulnerable Ivanti instances (earlier vulnerabilities) in our CRITICAL: Vulnerable HTTP Report and compromised instances in our CRITICAL: Compromised Website Report. Track current exploitation trends on our Dashboard.
This report has severity level CRITICAL set on all events. Severity levels are described here.
About Special Reports
Shadowserver Special Reports are unlike all of our other standard free daily network reports.
Instead, we send out Special Reports in situations where we share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit, such as in cases where we have a critical new vulnerability being exploited against potentially high value targets.
Note that the data shared across special reports may differ on a case by case basis hence the report formats for different Special Reports may be different.
Filename: 2024-02-06-special