The European Commission, ENISA, the EU Agency for Cybersecurity, CERT-EU, Europol and the network of the EU national computer security incident response teams (CSIRTs network), have been closely following the active exploitation of vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure Gateway products, commercial virtual private network (VPN) solutions previously known as Pulse Connect Secure.
Following the initial disclosure of two vulnerabilities at the beginning of January, two additional vulnerabilities were disclosed on 31 January 2024, which impact all supported versions of Ivanti Connect Secure and Ivanti Policy Secure Gateway products and make it possible for attackers to run commands on the system. Broader exploitation of the initially disclosed vulnerabilities had been observed already as early as mid-January.
As this is a developing situation, we strongly recommend all organisations to regularly check the guidance provided by the CSIRTs Network members and CERT-EU for the latest assessment and advice. For detailed instructions on how to complete the advised factory reset, organisations may also follow the detailed vendor instructions.
It is crucial for organisations to respond appropriately to the latest developments in order to resume their critical business activities.
The latest advisories published by CSIRTs Network members can be found in their relevant official communication channels. Organisations may also refer to guidance given by CERT-EU. ENISA maintains an advisory collection under: https://github.com/enisaeu/CNW/blob/main/advisories/2024/Multiple-Vulns-Ivanti-Secure-Gateways.md
ENISA and all relevant EU actors will continue to monitor this threat to contribute to the overall situational awareness at the Union level.
Organisations should be further aware that the EU Cyber Resilience Act (CRA), once in force, will require manufacturers of hardware and software products, including VPN solutions, to follow security-by-design principles throughout the lifecycle of such products. This includes the remediation of vulnerabilities without delay. Given their criticality, VPN solutions will be subject to strict conformity assessment requirements.
Resources for mitigate actions
Ivanti recovery instructions: https://forums.ivanti.com/s/article/Recovery-Steps-Related-to-CVE-2023-46805-and-CVE-2024-21887?language=en_US
For technical background information about the vulnerability and recommendations: Security Advisory 2024-004 - CERT-EU
For guidance on response please refer to the relevant national authority: CSIRTs by Country - Interactive Map
Latest advisories published by CSIRTs network members: https://github.com/enisaeu/CNW/blob/main/advisories.md