Researchers observed attackers attempting to manipulate Ivanti’s internal integrity checker, and the cause for the patch delay remains unclear.
Ivanti Connect Secure and Ivanti Policy Secure users have been holding out for the initial patch for weeks amid widespread exploitation of the vulnerabilities. When chained together, the vulnerabilities, listed as CVE-2023-46805 and CVE-2024-21887, allow unauthenticated attackers to achieve remote code execution.
Ivanti said an initial patch would be ready the week of Jan. 22, with a final patch scheduled for Feb. 19.
As of last week, more than 26,000 Connect Secure hosts were exposed to the public internet, according to a blog post from Censys. More than 410 hosts were compromised using a backdoor to steal credentials, Censys reported.
Ivanti warned administrators not to push configuration to appliances with the XML in place until the appliance was patched. Key web services stopped functioning when the configuration was pushed, and the mitigation efforts no longer worked properly.
CISA previously said about 15 federal agencies were using Ivanti Connect Secure and Ivanti Policy Secure.
