CISA Warns of Mitsubishi CNC DLL Hijacking (CVE-2016-2542)
July 25, 2025 • César Daniel Barreto

CISA said it has just issued an emergency directive on the active exploitation of vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure gateways.
The agency noted that these are critical vulnerabilities presently being used by threat actors to gain network access, exfiltrate sensitive information, and deploy malware.
Two vulnerabilities are being actively exploited in the wild: CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection).
Both currently affect Ivanti appliances, which organizations widely trust for secure remote access.
Attackers can chain the bugs to bypass authentication mechanisms and run arbitrary commands, giving them complete control over the systems involved.
Federal organizations, private businesses, and all critical infrastructure providers using the unpatched versions of Ivanti Connect Secure (formerly known as Pulse Secure) or Ivanti Policy Secure gateways are immediately vulnerable.
CISA has required every federal agency to mitigate compromised devices by disconnecting them no later than February 5, 2024.
Exploitation has been under way globally since at least early January 2024.
This came after reports from private cybersecurity companies such as Volexity and Mandiant, which observed state-backed hackers exploiting these bugs to gain access to organizations in the defense, government, and financial sectors.
Through these vulnerabilities, threat actors can bypass security controls to dump credentials and remain persistently inside a network.
If not patched or mitigated, these flaws could lead to massive breaches involving ransomware attacks and espionage activities, CISA warned.
CISA urges all organizations to:
1. Apply Ivanti’s patches (released January 31, 2024) without delay.
2. Isolate affected systems if compromise is even lightly suspected.
3. Monitor for IOCs listed in CISA’s advisory that will be published here immediately upon release.
The FBI has been notified and is also assisting with tracking this threat.
Ivanti has acknowledged the issue and has stated that mitigations are available for customers who cannot patch immediately.
This should serve as a warning for everyone.
The risk of VPN appliance exploits in the wild is increasing, as recent similar attacks against Citrix and Fortinet devices show, so keep patching prioritized and networks monitored to mitigate exposure.
