
Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways – TLP: CLEAR

[ Connect Secure (VPN) is Ivanti’s rebranding of Pulse Secure (VPN). ]

 


 

Greetings state, local, tribal, and territorial government partners,

 

Ivanti has released a security update to address an authentication bypass vulnerability (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) in all supported versions (9.x and 22.x) of Connect Secure and Policy Secure gateways. A cyber threat actor could exploit these vulnerabilities to take control of an affected system.

 

Ivanti reports active exploitation of both CVE-2023-46805 and CVE-2024-21887. 

 

CISA urges users and administrators to immediately review Ivanti’s security update and apply the current workaround. CISA will update this alert as Ivanti releases patches.

 

Link: https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

 

 

Multi-State Information Sharing and Analysis Center (MS-ISAC)

Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)

31 Tech Valley Drive

East Greenbush, NY 12061

 

24×7 Security Operations Center

SOC@cisecurity.org – 1-866-787-4722

                 

 

TLP: CLEAR

https://www.cisa.gov/tlp

Information may be distributed without restriction, subject to standard copyright rules.

 

Please send all opt out requests to info@cisecurity.org.

 

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

 
