CISA Issues Emergency Directive to Address Vulnerabilities in Remote Work Software

Two popular software programs used to enable employees to connect remotely to work have a dangerous vulnerability that could potentially grant malicious attackers access to the businesses or government agencies that use the program. Attackers can also use the vulnerability to create additional backdoors so they can return later.

Around 15 U.S. federal agencies use the affected programs, Ivanti Connect Secure and Ivanti Policy Secure, which triggered the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive on 19 January mandating that all federal agencies immediately take measures to protect themselves against the vulnerability.

“This emergency directive directs all federal civilian agencies to immediately take specific actions and implement vendor mitigation guidance to these Ivanti appliances,” according to a CISA press release. “While only binding on Federal Civilian Executive Branch agencies, CISA urges all organizations using these products to urgently implement the mitigations outlined in this directive.”

Ivanti released information about two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, that allow attackers to move laterally across the target network, exfiltrate data, and establish persistent system access, “resulting in full compromise of target information systems,” the directive said. When exploited in tandem, the vulnerabilities enable a malicious threat actor to execute commands on a vulnerable product.

The vulnerabilities have been widely exploited so far, with at least 1,700 known organizations already hacked across nearly all verticals, according to cybersecurity company Volexity.

Ivanti has released a temporary mitigation through an XML file; it can be imported into affected products to change vulnerable configurations until a permanent update is available, the directive explained.

The directive requires U.S. government agencies to implement this mitigation immediately (no later than 11:39 p.m. EST on 22 January) to prevent future exploitation. Agencies are also required to run Ivanti’s External Integrity Checker Tool and take additional steps if signs of compromise are detected.

Once Ivanti releases further updates to address the vulnerabilities, agencies will have 48 hours to apply them. Agencies will need to report to CISA a full inventory of all instances of Ivanti Connect Secure and Policy Secure products on agency networks—including details on actions taken and results—within a week.

“The vulnerabilities in these products pose significant, unacceptable risks to the security of the federal civilian enterprise. As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, we must take urgent action to reduce risks to the federal systems upon which Americans depend,” said CISA Director Jen Easterly in the press release. “Even as federal agencies take urgent action in response to this directive, we know that these risks extend to every organization and sector using these products. We strongly urge all organizations to adopt the actions outlined in this directive.”