The U.S. CISA has added an Ivanti Connect Secure and Policy Secure flaws and Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog.
Ivanti has reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805 (CVSS 8.2), CVE-2024-21887(CVSS 9.1)) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.
The flaw CVE-2023-46805 is an authentication bypass issue that resides in the web component of Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure. A remote attacker can trigger the vulnerability to access restricted resources by bypassing control checks.
The second flaw, tracked as CVE-2024-21887, is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure. An authenticated administrator can exploit the issue by sending specially crafted requests and executing arbitrary commands on the appliance.
These two flaws can be chained to send specially crafted requests to unpatched systems and execute arbitrary commands. Currently, patches are not available, and mitigation is available. The final patches will be available within 19 February.
Rsearchers have observed that threat actors actively exploiting the two zero-days in the wild.
The third and final issue added to the CISA KEV Catalog is the Microsoft SharePoint Server Privilege Escalation issue CVE-2023-29357. An unauthenticated attacker who has gained access to spoofed JWT authentication tokens can exploit the flaw to use them for executing a network attack. This attack bypasses authentication, enabling the attacker to gain administrator privileges.
CISA orders federal agencies to fix this vulnerability by January 31, 2024.
