The US Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 24-01 [1] [2] [3] [4] [5] [6] [7] [8] [10], requiring all civilian federal agencies to immediately implement vendor-published mitigation guidance for Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) solutions [6]. This directive aims to address vulnerabilities in these solutions that have been actively exploited by multiple threat actors.
The vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure [1] [2] [4] [5] [7] [8] [9] [10], an authentication bypass (CVE-2023-46805) and a code injection bug (CVE-2024-21887) [2] [7], allow unauthorized access [2], data exfiltration [2] [3] [5] [10], and the establishment of persistent system access [1]. These vulnerabilities have been actively exploited since January 11, resulting in over 1,700 compromised devices. To mitigate these risks [9], Ivanti is releasing patches and, as a temporary mitigation, an XML file that impacted organizations are urged to apply immediately [9]. CISA recommends using Ivanti's External Integrity Checker Tool to detect any indications of compromise [2] [9] [10]. If compromise is detected [2], agencies should report it to CISA and take further steps to remove and restore the affected products [2]. Additionally, agencies are required to provide a complete inventory of all instances of Ivanti Connect Secure and Ivanti Policy Secure products within one week [2]. CISA will provide a report on the status and outstanding issues by June 1, 2024 [2].
The directive was issued in response to widespread attacks against the Ivanti Connect Secure VPN system, with thousands of devices compromised [3]. Private-sector organizations are also urged to take the threat seriously [3]. Ivanti is expected to release an update soon to address the vulnerabilities [7]. Cybersecurity firms Volexity and Mandiant have observed attackers using these vulnerabilities to deploy web shells and passive backdoors for persistent access [7]. It is estimated that around 2,100 devices worldwide have been compromised so far [7]. Immediate implementation of the vendor-published mitigation guidance and the cooperation of all agencies are crucial to mitigating the risks and preventing further compromises.