Ivanti Struggles to Deliver Critical Patches for Exploited VPN Vulnerabilities

Cybersecurity company Ivanti is facing significant challenges in delivering promised patches for critical vulnerabilities in their Connect Secure VPN appliances. This delay has put organizations at risk that utilize these appliances for secure virtual private networks.

Ivanti acknowledges missed deadline

In a recent update to their advisory, Ivanti admitted to missing the deadline for delivering the necessary patches. The company cited concerns regarding the security and quality of each software patch release as the reason behind the delay. This setback impacts the targeted release of patches for supported versions, subsequently affecting all future patch releases.

Impact of patch delays

The delayed release of these critical patches has far-reaching consequences for organizations that rely on Ivanti’s VPN appliances. The absence of official fixes complicates the strict deadlines set by the US government’s cybersecurity agency, CISA, for Federal Civilian Executive Branch (FCEB) agencies to apply available fixes, detect infections, and share indicators of compromise.

Exploitation of vulnerabilities by a Chinese hacking team

The urgency to deliver these patches arises from the recent discovery made by Volexity. They uncovered a Chinese government-backed hacking team leveraging two zero-day vulnerabilities in Ivanti’s VPN appliances. These vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887, have already been exploited by attackers to gain unauthorized access to US organizations.

The consequences for US organizations and government agencies

The delay in receiving official patches severely hampers the ability of US government agencies to protect their systems and data. CISA had issued an emergency directive requiring federal agencies to start deploying available fixes by January 22. This deadline is rapidly approaching, and the absence of patches puts agencies at a higher risk of being compromised.

CISA Emergency Directive

The emergency directive from CISA emphasizes the need for agencies to implement Ivanti’s published mitigation immediately to prevent future exploitation. However, the inability to access official patches poses a challenge to effectively comply with this directive. Organizations are left with limited options to mitigate the vulnerabilities and safeguard their valuable assets.

Description of the vulnerabilities

CVE-2023-46805 and CVE-2024-21887, the vulnerabilities targeted by the Chinese hacking team, pose significant risks to organizations using Ivanti’s VPN appliances. Exploiting these vulnerabilities allowed attackers to bypass security measures and gain unauthorized access to sensitive information. The implications of such breaches are profound and can lead to data theft, financial loss, and reputational damage.

Evading detection

Volexity researchers discovered that the attackers went to great lengths to evade detection by Ivanti’s Integrity Checker Tool. They modified legitimate components within the system and made specific changes aimed at bypassing security measures. These sophisticated tactics allowed the hackers to stay hidden while exploiting the vulnerabilities.

Pre-Patch Mitigations and Instructions from Ivanti

Understanding the urgency for protection, Ivanti has released pre-patch mitigations and instructions to help organizations minimize attack surfaces. These measures aim to provide temporary relief until the official patches become available. It is crucial for organizations to follow these guidelines diligently to mitigate the risks associated with the exploited vulnerabilities.

The struggle faced by Ivanti in delivering critical patches for their Connect Secure VPN appliances highlights the persistent challenges that organizations face in maintaining robust cybersecurity. The urgency in addressing these vulnerabilities cannot be understated, especially given the active exploitation observed by the Chinese hacking team. Organizations and government agencies must prioritize implementing proper security measures and diligently follow the mitigation instructions provided by Ivanti until the official patches are released. Only through prompt action and collaboration can organizations effectively protect their systems and data from potential breaches and an ever-evolving threat landscape.

Explore more

Why Is Employee Career Development a Business Imperative?

Setting the Stage for a Critical Business Priority Imagine a workplace where top talent consistently leaves for better opportunities, costing millions in turnover while productivity stagnates due to outdated skills. This scenario is not a distant possibility but a reality for many organizations that overlook employee career development. In an era of rapid technological change and fierce competition for skilled

Creating Safe Spaces for Workplace Questions and Curiosity

What happens when a brilliant idea dies in a meeting room because someone feared asking a simple question? In numerous workplaces today, the relentless drive for efficiency often drowns out curiosity, leaving valuable insights unspoken and costing organizations more than just time by stifling innovation and eroding trust among teams. Picture a scenario where an employee hesitates to clarify a

Which Companies Are Hiring for Hybrid-Remote Jobs in 2025?

I’m thrilled to sit down with Ling-Yi Tsai, a seasoned HRTech expert with decades of experience in transforming organizations through innovative technology. Ling-Yi specializes in HR analytics tools and the seamless integration of tech solutions in recruitment, onboarding, and talent management. Today, we’re diving into the evolving landscape of hybrid-remote work models, exploring their benefits and challenges, the industries leading

How Are Large Enterprises Scaling Data Engineering Challenges?

I’m thrilled to sit down with Dominic Jainy, a seasoned IT professional whose expertise in artificial intelligence, machine learning, and blockchain has positioned him as a thought leader in navigating the complexities of modern data landscapes. With a passion for applying cutting-edge technologies across industries, Dominic brings a wealth of insights into how large enterprises can scale their data engineering

What Is Robotic Process Automation and Its Business Impact?

Diving into the world of Robotic Process Automation (RPA), we’re thrilled to sit down with Dominic Jainy, an IT professional whose deep expertise in artificial intelligence, machine learning, and blockchain offers a unique perspective on how emerging technologies are reshaping industries. With a passion for exploring innovative applications, Dominic has been at the forefront of integrating cutting-edge solutions into business