If you're running Ivanti Connect Secure (formerly Pulse Secure), this has been a rough year. Multiple critical zero-day vulnerabilities have been discovered and actively exploited, leading to widespread compromises across government and corporate networks.
The 2024 Vulnerability Wave
Starting in January 2024, Ivanti disclosed two zero-days that attackers were already chaining in the wild:
- CVE-2023-46805 (CVSS 8.2): Authentication bypass in the web component
- CVE-2024-21887 (CVSS 9.1): Command injection in the web component. On its own it requires an authenticated administrator; chained with the authentication bypass it gives unauthenticated remote code execution
These weren't theoretical vulnerabilities. Nation-state actors were already exploiting them when Ivanti went public.
Then more dropped:
- CVE-2024-21888: Privilege escalation in the web component (an authenticated user can gain administrator rights)
- CVE-2024-21893: Server-side request forgery in the SAML component, also exploited in the wild
- CVE-2024-22024: XML external entity (XXE) vulnerability in the SAML component
Each rated high severity. Each one requiring emergency patching.
Why VPNs Are Prime Targets
Enterprise VPN appliances sit at a uniquely vulnerable position:
- Internet-Facing: By design, they're accessible from anywhere
- High-Value: They're the gateway to internal networks
- Trusted: Once inside, you often have significant access
- Complex: An appliance bundles a web front end, several authentication integrations and a management interface, which is a lot of attack surface to keep bug-free
When attackers compromise a VPN appliance, they get:
- Credentials for users accessing the VPN
- A foothold inside the network perimeter
- The ability to intercept traffic
- Persistence that's hard to detect
What Made Ivanti Worse
Several factors made the Ivanti situation particularly bad:
Delayed Patches: The first patches arrived three weeks after disclosure. Ivanti shipped an interim mitigation in the meantime, but the SSRF bug (CVE-2024-21893) was used to get around it, and CISA ultimately directed US federal agencies to disconnect affected appliances. For everyone else, the only options were the mitigation or pulling the VPN offline (not exactly practical).
Patch Integrity: Early patches had issues. Some didn't fully remediate the vulnerabilities. Others broke functionality. This meant multiple patching cycles.
Detection Challenges: Attackers installed webshells and backdoors that survived patching, and CISA later warned that Ivanti's Integrity Checker Tool alone could miss a compromised appliance. Organizations had to do forensics to ensure systems were clean rather than trusting a clean scan.
Widespread Deployment: Ivanti Connect Secure is used by thousands of organizations, including many government agencies. The blast radius was enormous.
Attacker TTPs
Based on incident response reports, here's what attackers did:
Initial Access: Chain the authentication bypass with the command injection to run commands on the appliance without credentials
Persistence:
- Deploy custom webshells
- Modify legitimate files to include backdoors
- Create rogue admin accounts
- Install certificates for future access
Credential Theft:
- Modify the login page's JavaScript so usernames and passwords are captured as users sign in
- Steal session cookies and replay them
- Read the appliance configuration, which holds cached credentials and service-account passwords for backend directories
Lateral Movement:
- Use the VPN appliance as a pivot into the internal network
- Enumerate internal networks and map out the architecture
- Identify high-value targets and compromise additional systems
Exfiltration:
- Stage and steal sensitive data, including the appliance's own configuration backup
Response Challenges
Organizations struggled with several issues:
Business Impact: Can't just turn off your VPN. Remote workers need access.
Forensics: Determining if you were compromised required deep analysis of appliances, often requiring specialized tools and expertise.
Clean vs Replace: Was patching enough, or did you need to rebuild appliances from scratch? Ivanti's eventual guidance was to factory-reset the appliance before patching, since a patch closes the hole but does not remove what was already dropped through it.
User Impact: Resetting passwords, revoking certificates, and re-enrolling devices all disrupt users.
What You Should Do
If you're running Ivanti Connect Secure:
Immediate Actions:
- Factory-reset affected appliances and apply the current patches NOW; patching alone does not remove implants already on the box
- Run Ivanti's Integrity Checker Tool (both the external and the internal version) and treat a clean result as necessary, not sufficient
- Review logs for indicators of compromise, preferably logs forwarded off the appliance, since an attacker with root can edit the local ones
- Reset credentials for privileged accounts and rotate every secret stored on the appliance: backend authentication secrets such as directory bind accounts, API keys, and the appliance's TLS and SAML private keys
- Revoke and reissue certificates if compromise is suspected
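The log review is where the attacker TTPs listed earlier turn into concrete checks. The script below is an added example written for this article, not Ivanti's tooling or any vendor code. The log line format, URL paths, IP addresses and audit events are all constructed for illustration (real appliance logs look different), and the heuristics are deliberately generic: a traversal sequence that resolves into an admin area without a session, unauthenticated POSTs to anything other than login-style endpoints, and an admin account created from an IP already seen attacking. No real exploit URI is encoded.

```python
"""Triage of appliance web logs and admin audit events for the TTPs above.

Added example; log format, paths, IPs and audit events are constructed.
"""
import posixpath
import re

# Constructed web log: "<src_ip> <user or -> <method> <path> <status>"
WEB_LOG = """\
198.51.100.7 alice GET /user/home 200
203.0.113.10 - GET /login 200
203.0.113.10 - GET /api/public/status/../../admin/config 200
203.0.113.10 - POST /api/public/status/../../admin/maintenance/run 200
203.0.113.10 - POST /static/img/helper.cgi 200
203.0.113.10 - POST /static/img/helper.cgi 200
198.51.100.7 alice POST /login 302
203.0.113.10 - POST /login 401
"""

# Constructed admin audit events: (timestamp, actor, action, detail, src_ip)
AUDIT_EVENTS = [
    ("2024-01-11T02:14:00Z", "admin", "create_admin", "svc_backup", "203.0.113.10"),
    ("2024-01-11T09:30:00Z", "admin", "change_password", "admin", "10.0.5.4"),
]

# Hypothetical endpoint names used by this example only.
PUBLIC_POST_ENDPOINTS = {"/login", "/logout", "/keepalive"}
ADMIN_MARKER = "/admin/"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")


def parse_web_log(text):
    """Parse the constructed log format into dicts; skip lines that do not match."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, user, method, path, status = m.groups()
        rows.append({"ip": ip, "user": None if user == "-" else user,
                     "method": method, "path": path, "status": int(status)})
    return rows


def normalize(path):
    """Collapse '.' and '..' segments; a raw path that differs from its
    normalized form carried a traversal sequence."""
    return posixpath.normpath(path)


def suspicious_ips(findings):
    """Source IPs behind the web-log findings, used to correlate audit events."""
    return {ip for kind, ip, _ in findings if kind in ("traversal_bypass", "unauth_post")}


def triage(rows, audit_events):
    """Return (kind, src_ip, detail) findings for the given rows and audit events."""
    findings = []
    for r in rows:
        # Only successful requests with no authenticated user are of interest here.
        if r["user"] is not None or r["status"] != 200:
            continue
        norm = normalize(r["path"])
        if norm != r["path"] and ADMIN_MARKER in norm:
            # Traversal that lands in an admin area without a session: the shape
            # of an authentication bypass chained into admin-only functionality.
            findings.append(("traversal_bypass", r["ip"], r["path"]))
        elif r["method"] == "POST" and norm not in PUBLIC_POST_ENDPOINTS:
            # Unauthenticated POSTs to anything but login-type endpoints are how
            # a dropped webshell is usually driven.
            findings.append(("unauth_post", r["ip"], r["path"]))
    attackers = suspicious_ips(findings)
    for _ts, _actor, action, detail, src_ip in audit_events:
        if action == "create_admin":
            # Every new admin account gets reviewed; one created from an IP
            # already seen exploiting the appliance is treated as rogue.
            kind = "rogue_admin_account" if src_ip in attackers else "new_admin_account"
            findings.append((kind, src_ip, detail))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in triage(parse_web_log(WEB_LOG), AUDIT_EVENTS):
        print(f"{kind:20} {ip:15} {detail}")
```

Run as a script it prints the four findings from the sample data (two traversal hits, two webshell-style POSTs, and the correlated admin account). In practice the input is the syslog stream forwarded off the appliance, and the path heuristics need tuning to the product's real URL layout; the point is that each TTP maps to a query you can run, not to a single signature.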
Medium-Term:
- Implement defense-in-depth around VPN access
- Deploy phishing-resistant MFA and bind sessions to enrolled devices, so a stolen password or cookie is not enough on its own
- Segment networks so VPN access doesn't equal full internal access
- Forward appliance logs to a SIEM and alert on unauthenticated requests to management paths, new admin accounts, and unexpected outbound connections from the appliance
- Test your incident response for VPN compromise scenarios
Long-Term:
- Evaluate alternative VPN solutions
- Consider zero-trust architectures that don't rely on perimeter VPNs
- Implement continuous verification rather than trust-after-authentication
- Regular security assessments of VPN infrastructure
The Zero-Trust Argument
This situation has revitalized discussions about zero-trust security. Traditional VPN architectures assume that once you're authenticated, you're trusted. Zero-trust says:
- Never trust, always verify
- Assume breach
- Verify explicitly for every access request
- Least privilege access
- Microsegmentation
Modern alternatives include:
- Zero-trust network access (ZTNA) solutions
- Identity-aware proxies
- Software-defined perimeters
- Per-app VPNs rather than network-level access
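What "verify explicitly for every access request" means in code is easier to see side by side with the model it replaces. The example below is added for this article and is not taken from any ZTNA product; the app names, group names, policy values and device-posture fields are hypothetical. The scenario it runs is the one from the TTP list: a session cookie stolen from a legitimate user and replayed from an unmanaged machine.

```python
"""Session-based trust versus per-request verification.

Added example; app policies, groups and posture fields are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    groups: frozenset
    authenticated_at: float  # epoch seconds
    mfa: bool


@dataclass
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    last_checkin: float  # epoch seconds


# Hypothetical per-app policy: which groups may reach the app, whether MFA is
# required, how fresh the authentication must be, and whether only managed
# devices may connect at all.
APPS = {
    "wiki":     {"groups": {"staff"}, "mfa": False, "max_age": 8 * 3600, "managed_only": False},
    "payroll":  {"groups": {"hr"},    "mfa": True,  "max_age": 15 * 60,  "managed_only": True},
    "db-admin": {"groups": {"dba"},   "mfa": True,  "max_age": 5 * 60,   "managed_only": True},
}
POSTURE_MAX_AGE = 3600  # posture reports older than an hour are stale


def perimeter_vpn_decision(session, app, now):
    """'Authenticate once, trust forever': any live tunnel reaches any app."""
    return session is not None and session.authenticated_at <= now


def zero_trust_decision(session, posture, app, now):
    """Per-request policy: identity, authorization for this app, MFA,
    authentication freshness and device posture. Returns (allowed, reason)."""
    policy = APPS.get(app)
    if policy is None:
        return False, "unknown app: default deny"
    if session is None:
        return False, "no session"
    if not session.groups & policy["groups"]:
        return False, "group not authorized for app"
    if policy["mfa"] and not session.mfa:
        return False, "MFA required"
    if now - session.authenticated_at > policy["max_age"]:
        return False, "authentication too old, re-authenticate"
    if policy["managed_only"]:
        if posture is None or not (posture.managed and posture.disk_encrypted):
            return False, "device posture failed"
        if now - posture.last_checkin > POSTURE_MAX_AGE:
            return False, "device posture stale"
    return True, "allowed"


def stolen_cookie_scenario(now):
    """A two-hour-old session replayed from an unmanaged machine.
    Returns {app: (perimeter_decision, zero_trust_decision)}."""
    session = Session("alice", frozenset({"staff", "hr"}), now - 2 * 3600, mfa=True)
    unmanaged = DevicePosture(managed=False, disk_encrypted=False, last_checkin=now)
    return {app: (perimeter_vpn_decision(session, app, now),
                  zero_trust_decision(session, unmanaged, app, now))
            for app in APPS}


if __name__ == "__main__":
    import time
    for app, (perimeter, (ok, why)) in stolen_cookie_scenario(time.time()).items():
        print(f"{app:9} perimeter VPN: {'allow' if perimeter else 'deny':5}  "
              f"zero trust: {'allow' if ok else 'deny'} ({why})")
```

With the perimeter model the replayed cookie reaches all three apps. With per-request checks it still reaches the wiki (low-value, no posture requirement), is refused for payroll until the user re-authenticates, and is refused for the database console because the group is never authorized there. The reason strings matter: they are what you log, and a burst of "authentication too old" or "device posture failed" from one source is itself a signal.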
Lessons for Vendors
The Ivanti situation highlights vendor responsibilities:
Secure Development: VPN appliances need to be built with security as the top priority, not an afterthought.
Rapid Response: When vulnerabilities are actively exploited, patches need to be available in days, not weeks.
Transparency: Clear, timely communication about vulnerabilities, exploitation, and remediation steps.
Detection Tools: Provide customers with tools to detect compromise, not just patches to prevent it.
Patch Quality: Rushed patches that don't work or break things make the situation worse.
Looking Forward
Enterprise VPN security is at a crossroads. The traditional model of "authenticate once, trust forever" isn't working. As attackers get more sophisticated and zero-days become more common, organizations need to rethink remote access.
The Ivanti vulnerabilities are a wake-up call, not just for Ivanti users, but for anyone relying on perimeter-based security models.
It's time to evolve.